further fulfilment of ITS#3639

doc/man/man5/slapd-null.5

@@ -42,6 +42,11 @@ suffix   "cn=Nothing"
 bind     on
 .fi
 .RE
+.SH ACCESS CONTROL
+The
+.B null
+backend does not honor any of the access control semantics described in
+.BR slapd.access (5).
 .SH FILES
 .TP
 ETCDIR/slapd.conf

doc/man/man5/slapd-relay.5

@@ -52,7 +52,7 @@ directives described in
 One important issue is that access rules are based on the identity
 that issued the operation.
 After massaging from the virtual to the real naming context, the
-frontend sees the operation as performed by the identty in the
+frontend sees the operation as performed by the identity in the
 real naming context.
 Moreover, since
 .B back-relay
@@ -110,8 +110,7 @@ that looks up the real naming context for each operation, use
   database        relay
   suffix          "dc=virtual,dc=naming,dc=context"
   overlay         rwm
-  suffixmassage   "dc=virtual,dc=naming,dc=context"
-          "dc=real,dc=naming,dc=context"
+  suffixmassage   "dc=real,dc=naming,dc=context"
 .fi
 .LP
 This is useful, for instance, to relay different databases that
@@ -176,6 +175,20 @@ clause) are in the
 and in the
 .BR "virtual naming context" ,
 respectively.
+.SH ACCESS CONTROL
+The
+.B relay
+backend does not honor any of the access control semantics described in
+.BR slapd.access (5);
+all access control is delegated to the relayed database(s).
+Only
+.B read (=r)
+access to the
+.B entry
+pseudo-attribute and to the other attribute values of the entries
+returned by the
+.B search
+operation is honored, which is performed by the frontend.
 .SH FILES
 .TP
 ETCDIR/slapd.conf

doc/man/man5/slapd-sql.5

@@ -649,6 +649,14 @@ for details.
 .SH EXAMPLES
 There are example SQL modules in the slapd/back-sql/rdbms_depend/
 directory in the OpenLDAP source tree.
+.SH ACCESS CONTROL
+The 
+.B sql
+backend honors access control semantics as indicated in
+.BR slapd.access (5),
+including the 
+.B disclose
+access privilege.
 .SH FILES
 
 .TP