From 2b402a5f34b7c3db8859a5942e3f4feaee9234a7 Mon Sep 17 00:00:00 2001 From: "Karl O. Pinc" Date: Tue, 28 Apr 2020 11:45:14 -0500 Subject: [PATCH] Improve authzFrom and authzTo docs --- doc/man/man5/slapd.conf.5 | 54 +++++++++++++++++++++++++++++---------- 1 file changed, 40 insertions(+), 14 deletions(-) diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 index e033707a67..4ca1d4c0d5 100644 --- a/doc/man/man5/slapd.conf.5 +++ b/doc/man/man5/slapd.conf.5 @@ -265,19 +265,26 @@ portions must be absent, so that the search occurs locally on either .I authzFrom or .IR authzTo . + +.LP The second form is a -.BR DN , -with the optional style modifiers +.BR DN . +The optional +.B dnstyle +modifiers .IR exact , .IR onelevel , .IR children , and .I subtree -for exact, onelevel, children and subtree matches, which cause +provide exact, onelevel, children and subtree matches, which cause .I -to be normalized according to the DN normalization rules, or the special +to be normalized according to the DN normalization rules. +The special +.B dnstyle +modifier .I regex -style, which causes the +causes the .I to be treated as a POSIX (''extended'') regular expression, as discussed in 
@@ -287,38 +294,57 @@ and/or A pattern of .I * means any non-anonymous DN. + +.LP The third form is a SASL -.BR id , -with the optional fields +.BR id . +The optional fields .I and .I -that allow to specify a SASL +allow specification of a SASL .BR mechanism , and eventually a SASL .BR realm , for those mechanisms that support one. The need to allow the specification of a mechanism is still debated, and users are strongly discouraged to rely on this possibility. -The fourth form is a group specification, consisting of the keyword + +.LP +The fourth form is a group specification. +It consists of the keyword .BR group , -optionally followed by the specification of the group +optionally followed by the specification of .B objectClass -and member +and .BR attributeType . +The +.B objectClass +defaults to +.IR memberOf . +The +.B attributeType +defaults to +.IR member . The group with DN .B -is searched with base scope, and in case of match, the values of the -member +is searched with base scope, filtered on the specified +.BR objectClass . +The values of the resulting .B attributeType are searched for the asserted DN. -For backwards compatibility, if no identity type is provided, i.e. only + +.LP +The fifth form is provided for backwards compatibility. If no identity +type is provided, i.e. only .B is present, an .I exact DN is assumed; as a consequence, .B is subjected to DN normalization. + +.LP Since the interpretation of .I authzFrom and -- 2.47.3
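Review bot: the empty `+` line added before each new `.LP` (first at `+` / `+.LP` right after `.IR authzTo .`, and again before `The third form` and the later paragraphs) is a blank input line, which troff renders as a blank output line on top of the vertical space `.LP` already produces, so the page gets doubled paragraph gaps; drop the blank lines and keep only the `.LP` macros. Also, `.B dnstyle` sets a placeholder name in bold while the concrete style values next to it are italic (`.IR exact ,`, `.IR onelevel ,`); check the font and spelling of `dnstyle` against the token used in the syntax summary earlier in this file so the prose and the grammar line refer to it the same way.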
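Review bot: the default introduced at `+defaults to` / `+.IR memberOf .` looks wrong: memberOf is an attribute type (the one maintained by the memberof overlay), not an object class, so it cannot be the `objectClass` default for a group specification; verify both defaults against the group handling in servers/slapd/saslauthz.c and document the object class the code actually filters on (and confirm that `member` is the attribute default before stating it). Separately, renaming the backwards-compatibility paragraph to "The fifth form" only holds if the syntax summary earlier in the file lists the bare pattern as a fifth alternative; make sure the numbering matches that list, otherwise keep the original "For backwards compatibility" wording.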