partial fulfilment of ITS#3639; need to check other backends thoroughly

2025-03-07 14:18:15 +08:00 · 2005-04-08 18:41:13 +00:00 · 2005-04-08 18:41:13 +00:00 · 111deb128e
commit 111deb128e
parent bc97f801bf
1 changed files with 40 additions and 0 deletions
--- a/doc/man/man5/slapd.access.5
+++ b/doc/man/man5/slapd.access.5
@ -920,6 +920,46 @@ privileges are also required on the
 attribute of the authorizing identity and/or on the 
 .B authzFrom
 attribute of the authorized identity.
+
+.LP
+Some backends do not honor all the above rules.  In detail:
+
+.TP
+.B bacl-ldap/back-meta
+\fIdo not check\fP
+.B write (=w)
+access, since it is delegated to the remote host(s) serving
+the naming context.
+The same applies to checking
+.B search (=s)
+access to the 
+.B entry
+pseudo-attribute of the
+.B searchBase 
+of a search operation, 
+.B search (=s)
+access to the attributes used in the
+.BR searchFilter ,
+and 
+.B disclose (=d)
+access to the
+.B entry
+pseudo-attribute of any object in case of error: all those checks 
+are delegated to the remote host(s).
+In any case,
+.B read (=r) 
+access is honored locally by the frontend.
+
+.TP
+.B back-shell
+requires
+.B write (=w)
+access to the 
+.B entry 
+pseudo-attribute for the modify operation; in the meanwhile, 
+\fIwrite access to the specific attributes that are modified
+is not checked\fP.
+
 .SH CAVEATS
 It is strongly recommended to explicitly use the most appropriate
 .B <dnstyle>