document 'add' and 'delete' privileges (ITS#5566)

Pierangelo Masarati 2008-06-18 16:02:05 +00:00
parent 82cb2a1f05
commit 4862b2906a

@ -709,8 +709,8 @@ field will have.
Its component are defined as
.LP
.nf
<level> ::= none|disclose|auth|compare|search|read|write|manage
<priv> ::= {=|+|-}{m|w|r|s|c|x|d|0}+
<level> ::= none|disclose|auth|compare|search|read|{write|add|delete}|manage
<priv> ::= {=|+|-}{0|d|x|c|s|r|{w|a|z}|m}+
.fi
.LP
The modifier
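Review bot: In the new <level> production, {write|add|delete} reuses the braces that <priv> uses for "pick any of these", so the grammar alone does not say whether add and delete are peers of write or parts of it; the same holds for {w|a|z} in <priv>. The later text defines write as the combination of add and delete, so one sentence under the grammar saying so would remove the ambiguity. While this paragraph is being touched, the context line "Its component are defined as" should read "Its components are defined as".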
@ -740,11 +740,22 @@ The possible levels are
.BR compare ,
.BR search ,
.BR read ,
.BR write ,
and
.BR write .
.BR manage .
Each access level implies all the preceding ones, thus
.B manage
grants all access including administrative access,
grants all access including administrative access.
The
.BR write
access is actually the combination of
.BR add
and
.BR delete ,
which respectively restrict the write privilege to add or delete
the specified
.BR <what> .
.LP
The
.B none
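Review bot: "Each access level implies all the preceding ones" is kept unchanged next to the new add/delete text, but add and delete are not in the ordered list above it, so the paragraph never says what they imply (does add include read? does delete include add?). Suggest stating explicitly which lower levels add and delete carry. Minor: ".BR write" with a single argument should be ".B write", matching ".B manage" a few lines up.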
@ -781,6 +792,10 @@ The privileges are
for manage,
.B w
for write,
.B a
for add,
.B z
for delete,
.B r
for read,
.B s
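Review bot: The new "z for delete" entry gives no hint why the obvious letter is not used; d already appears in <priv> as a separate privilege (disclose). A half-sentence here pointing that out would help prevent rules written with d where z was meant, which would grant or test disclose instead of delete.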
@ -794,6 +809,10 @@ for disclose.
More than one of the above privileges can be added in one statement.
.B 0
indicates no privileges and is used only by itself (e.g., +0).
Note that
.B +az
is equivalent to
.BR +w .
.LP
If no access is given, it defaults to
.BR +0 .
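Review bot: The added note states the equivalence only for the + modifier ("+az" and "+w"), while <priv> also allows = and -. Suggest saying whether =az equals =w and whether -w removes both a and z, or wording the note without a modifier ("az is equivalent to w") so it covers all three.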
@ -878,15 +897,17 @@ the BDB and HDB backends. Requirements for other backends may
The
.B add
operation requires
.B write (=w)
.B add (=a)
privileges on the pseudo-attribute
.B entry
of the entry being added, and
.B write (=w)
.B add (=a)
privileges on the pseudo-attribute
.B children
of the entry's parent.
When adding the suffix entry of a database, write access to
When adding the suffix entry of a database,
.B add
access to
.B children
of the empty DN ("") is required.
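Review bot: After this change the add operation names only "add (=a)" for both entry and children, with no mention that write (=w) still satisfies the requirement, whereas the modify section spells out "or write (=w)". Readers with existing =w rules may conclude those rules must be rewritten; suggest "add (=a) or write (=w)", or a pointer to the +az/+w note. The same applies to the suffix-entry sentence at the end of the hunk.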
@ -909,11 +930,11 @@ privileges on the attribute that is being compared.
The
.B delete
operation requires
.B write (=w)
.B delete (=z)
privileges on the pseudo-attribute
.B entry
of the entry being deleted, and
.B write (=w)
.B delete (=d)
privileges on the
.B children
pseudo-attribute of the entry's parent.
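Review bot: The second requirement reads ".B delete (=d)", but delete is z everywhere else in this patch and d is disclose in <priv>; this should be ".B delete (=z)". As written, the page tells an administrator that disclose on the parent's children is what the delete operation checks, which invites ACLs that are either too weak to work or misread as sufficient.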
@ -924,6 +945,18 @@ The
operation requires
.B write (=w)
privileges on the attributes being modified.
In detail,
.B add (=a)
is required to add new values,
.B delete (=z)
is required to delete existing values,
and both
.B delete
and
.BR "add (=az)" ,
or
.BR "write (=w)" ,
are required to replace existing values.
.LP
The
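Review bot: The unchanged lead sentence still says modify requires "write (=w) privileges on the attributes being modified", which the added "In detail" text contradicts, since add (=a) alone is enough to add new values. Suggest rewording the lead sentence so it no longer reads as a blanket requirement. Also, in "both delete and add (=az)" the "(=az)" is attached to add only (.BR "add (=az)"); setting the whole phrase as one unit would avoid reading az as the letters for add.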
@ -933,13 +966,17 @@ operation requires
privileges on the pseudo-attribute
.B entry
of the entry whose relative DN is being modified,
.B write (=w)
.B delete (=z)
privileges on the pseudo-attribute
.B children
of the old and new entry's parents, and
.B write (=w)
of the old entry's parents,
.B add (=a)
privileges on the pseudo-attribute
.B children
of the new entry's parents, and
.B add (=a)
privileges on the attributes that are present in the new relative DN.
.B Write (=w)
.B Delete (=z)
privileges are also required on the attributes that are present
in the old relative DN if
.B deleteoldrdn
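Review bot: Splitting the children requirement into delete (=z) on "the old entry's parents" and add (=a) on "the new entry's parents" leaves the common case unstated: a rename that keeps the same parent. Say whether both z and a on that parent's children are then required. In both new lines "parents" should be singular, as in the add and delete sections ("of the entry's parent").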