document new flag values for identity assertion

2025-01-06 10:46:21 +08:00 · 2005-07-03 23:18:08 +00:00 · 2005-07-03 23:18:08 +00:00 · 9565ec4bbd
commit 9565ec4bbd
parent 2480ae2908
1 changed files with 18 additions and 0 deletions
--- a/doc/man/man5/slapd-ldap.5
+++ b/doc/man/man5/slapd-ldap.5
@ -231,6 +231,10 @@ permissions, or the asserted identities must have appropriate
 permissions.  Note, however, that the ID assertion feature is mostly 
 useful when the asserted identities do not exist on the remote server.

+Flags can be
+
+\fBoverride,{prescriptive|non-prescriptive}\fP
+
 When the 
 .B override
 flag is used, identity assertion takes place even when the database
@ -239,6 +243,20 @@ with the provided identity, and thus authenticating it, the proxy
 performs the identity assertion using the configured identity and
 authentication method.

+When the
+.B prescriptive
+flag is used (the default), operations fail with
+\fIinappropriateAuthentication\fP
+for those identities whose assertion is not allowed by the
+.B idassert-authzFrom
+patterns.
+If the 
+.B non-prescriptive
+flag is used, operations are performed anonymously for those identities 
+whose assertion is not allowed by the
+.B idassert-authzFrom
+patterns.
+
 This directive obsoletes
 .BR idassert-authcDN ,
 .BR idassert-passwd ,