upstream/openldap
1
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2026-02-03 20:40:05 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

Improve authzFrom and authzTo docs

Browse source
This commit is contained in:
Karl O. Pinc 2020-04-28 11:45:14 -05:00 committed by Ondřej Kuzník
parent d3fca1364b
commit 2b402a5f34
1 changed files with 40 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

54
doc/man/man5/slapd.conf.5
View file

@ -265,19 +265,26 @@ portions must be absent, so that the search occurs locally on either
.I authzFrom
or
.IR authzTo .
.LP
The second form is a
.BR DN ,
with the optional style modifiers
.BR DN .
The optional
.B dnstyle
modifiers
.IR exact ,
.IR onelevel ,
.IR children ,
and
.I subtree
for exact, onelevel, children and subtree matches, which cause
provide exact, onelevel, children and subtree matches, which cause
.I <pattern>
to be normalized according to the DN normalization rules, or the special
to be normalized according to the DN normalization rules.
The special
.B dnstyle
modifier
.I regex
style, which causes the
causes the
.I <pattern>
to be treated as a POSIX (''extended'') regular expression, as
discussed in
@ -287,38 +294,57 @@ and/or
A pattern of
.I *
means any non-anonymous DN.
.LP
The third form is a SASL
.BR id ,
with the optional fields
.BR id .
The optional fields
.I <mech>
and
.I <realm>
that allow to specify a SASL
allow specification of a SASL
.BR mechanism ,
and eventually a SASL
.BR realm ,
for those mechanisms that support one.
The need to allow the specification of a mechanism is still debated,
and users are strongly discouraged to rely on this possibility.
The fourth form is a group specification, consisting of the keyword
.LP
The fourth form is a group specification.
It consists of the keyword
.BR group ,
optionally followed by the specification of the group
optionally followed by the specification of
.B objectClass
and member
and
.BR attributeType .
The
.B objectClass
defaults to
.IR memberOf .
The
.B attributeType
defaults to
.IR member .
The group with DN
.B <pattern>
is searched with base scope, and in case of match, the values of the
member
is searched with base scope, filtered on the specified
.BR objectClass .
The values of the resulting
.B attributeType
are searched for the asserted DN.
For backwards compatibility, if no identity type is provided, i.e. only
.LP
The fifth form is provided for backwards compatibility. If no identity
type is provided, i.e. only
.B <pattern>
is present, an
.I exact DN
is assumed; as a consequence,
.B <pattern>
is subjected to DN normalization.
.LP
Since the interpretation of
.I authzFrom
and