(ITS#5851 ACL behaviour does not match slapd.access(5))

This commit is contained in:
Gavin Henry 2009-01-30 22:40:05 +00:00
parent 5142f08323
commit 4fa19d927d
2 changed files with 5 additions and 10 deletions

View File

@ -218,7 +218,7 @@ When evaluating whether some requester should be given access to
an entry and/or attribute, slapd compares the entry and/or attribute an entry and/or attribute, slapd compares the entry and/or attribute
to the {{EX:<what>}} selectors given in the configuration file. to the {{EX:<what>}} selectors given in the configuration file.
For each entry, access controls provided in the database which holds For each entry, access controls provided in the database which holds
the entry (or the first database if not held in any database) apply the entry (or the global access directives if not held in any database) apply
first, followed by the global access directives. Within this first, followed by the global access directives. Within this
priority, access directives are examined in the order in which they priority, access directives are examined in the order in which they
appear in the config file. Slapd stops with the first {{EX:<what>}} appear in the config file. Slapd stops with the first {{EX:<what>}}
@ -422,9 +422,7 @@ Lines 12 through 14 indicate the indices to maintain for various
attributes. attributes.
Lines 16 through 24 specify access control for entries in this Lines 16 through 24 specify access control for entries in this
database. As this is the first database, the controls also apply database. For all applicable entries, the {{EX:userPassword}} attribute is writable
to entries not held in any database (such as the Root DSE). For
all applicable entries, the {{EX:userPassword}} attribute is writable
by the entry itself and by the "admin" entry. It may be used for by the entry itself and by the "admin" entry. It may be used for
authentication/authorization purposes, but is otherwise not readable. authentication/authorization purposes, but is otherwise not readable.
All other attributes are writable by the entry and the "admin" All other attributes are writable by the entry and the "admin"
@ -635,7 +633,7 @@ When evaluating whether some requester should be given access to
an entry and/or attribute, slapd compares the entry and/or attribute an entry and/or attribute, slapd compares the entry and/or attribute
to the {{EX:<what>}} selectors given in the configuration. For to the {{EX:<what>}} selectors given in the configuration. For
each entry, access controls provided in the database which holds each entry, access controls provided in the database which holds
the entry (or the first database if not held in any database) apply the entry (or the global access directives if not held in any database) apply
first, followed by the global access directives (which are held in first, followed by the global access directives (which are held in
the {{EX:frontend}} database definition). Within this priority, the {{EX:frontend}} database definition). Within this priority,
access directives are examined in the order in which they appear access directives are examined in the order in which they appear
@ -944,9 +942,7 @@ Lines 30 through 32 indicate the indices to maintain for various
attributes. attributes.
Lines 33 through 41 specify access control for entries in this Lines 33 through 41 specify access control for entries in this
database. As this is the first database, the controls also apply database. For all applicable entries, the {{EX:userPassword}} attribute is writable
to entries not held in any database (such as the Root DSE). For
all applicable entries, the {{EX:userPassword}} attribute is writable
by the entry itself and by the "admin" entry. It may be used for by the entry itself and by the "admin" entry. It may be used for
authentication/authorization purposes, but is otherwise not readable. authentication/authorization purposes, but is otherwise not readable.
All other attributes are writable by the entry and the "admin" All other attributes are writable by the entry and the "admin"

View File

@ -57,8 +57,7 @@ updates to rootdn. (e.g., "access to * by * read").
The rootdn can always read and write EVERYTHING! The rootdn can always read and write EVERYTHING!
.LP .LP
For entries not held in any backend (such as a root DSE), the For entries not held in any backend (such as a root DSE), the
directives of the first backend (and any global directives) are global directives are used.
used.
.LP .LP
Arguments that should be replaced by actual text are shown in Arguments that should be replaced by actual text are shown in
brackets <>. brackets <>.