diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 index e033707a67..4ca1d4c0d5 100644 --- a/doc/man/man5/slapd.conf.5 +++ b/doc/man/man5/slapd.conf.5 @@ -265,19 +265,26 @@ portions must be absent, so that the search occurs locally on either .I authzFrom or .IR authzTo . + +.LP The second form is a -.BR DN , -with the optional style modifiers +.BR DN . +The optional +.B dnstyle +modifiers .IR exact , .IR onelevel , .IR children , and .I subtree -for exact, onelevel, children and subtree matches, which cause +provide exact, onelevel, children and subtree matches, which cause .I -to be normalized according to the DN normalization rules, or the special +to be normalized according to the DN normalization rules. +The special +.B dnstyle +modifier .I regex -style, which causes the +causes the .I to be treated as a POSIX (''extended'') regular expression, as discussed in 
@@ -287,38 +294,57 @@ and/or A pattern of .I * means any non-anonymous DN. + +.LP The third form is a SASL -.BR id , -with the optional fields +.BR id . +The optional fields .I and .I -that allow to specify a SASL +allow specification of a SASL .BR mechanism , and eventually a SASL .BR realm , for those mechanisms that support one. The need to allow the specification of a mechanism is still debated, and users are strongly discouraged to rely on this possibility. -The fourth form is a group specification, consisting of the keyword + +.LP +The fourth form is a group specification. +It consists of the keyword .BR group , -optionally followed by the specification of the group +optionally followed by the specification of .B objectClass -and member +and .BR attributeType . +The +.B objectClass +defaults to +.IR memberOf . +The +.B attributeType +defaults to +.IR member . The group with DN .B -is searched with base scope, and in case of match, the values of the -member +is searched with base scope, filtered on the specified +.BR objectClass . +The values of the resulting .B attributeType are searched for the asserted DN. -For backwards compatibility, if no identity type is provided, i.e. only + +.LP +The fifth form is provided for backwards compatibility. If no identity +type is provided, i.e. only .B is present, an .I exact DN is assumed; as a consequence, .B is subjected to DN normalization. + +.LP Since the interpretation of .I authzFrom and
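Review bot: In the first hunk (@@ -265,19 +265,26 @@), the empty line added directly before `.LP` (after the `authzTo .` context, ahead of "The second form is a") is itself rendered by roff as vertical space, so it is redundant with the `.LP` request and can widen the paragraph gap; man-page linters also flag blank lines in the source. Keep only the `.LP` line, and apply the same to the other `.LP` additions in this patch. Separately, `.B dnstyle` is introduced here in bold as a named term; the rule synopsis is outside the visible context, so please confirm it uses the same name, otherwise a reader cannot tell where in the rule the modifier goes.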
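Review bot: In the second hunk (@@ -287,38 +294,57 @@), the added sentence "The .B objectClass defaults to .IR memberOf ." names an attribute type where an object class is required; slapd's default group object class is groupOfNames, with member as the default attribute, so `.IR memberOf .` should read `.IR groupOfNames .` (please confirm against the defaults in the code). These rules decide which identities may authorize as another, so an administrator who trusts the documented default could write a group rule that matches different entries than intended. In the same paragraph, "filtered on the specified objectClass" should cover the defaulted case as well, for example "the specified or default objectClass", and the removal of "group" and "member" from "the specification of the group objectClass and member attributeType" leaves the sentence less clear about which object class and attribute are meant until the defaults are stated.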