Rework CAVEATS

doc/man/man5/slapd.access.5

@@ -429,44 +429,38 @@ privileges to authenticated clients.
 It is strongly recommended to explicitly use the most appropriate
 DN 
 .BR style ,
-for performance (avoid unrequired regex matching when
-an exact match suffices) but also to avoid possible 
-misimplementations of the access rules.
-In fact, a rule of the form
+to avoid possible 
+incorrect specifications of the access rules as well
+as for performance (avoid unrequired regex matching when
+an exact match suffices) reasons.
+.LP
+An adminisistrator might create a rule of the form:
 .LP
 .nf
 	access to dn="dc=example,dc=com"
 		by ...
 .fi
 .LP
-implies that all the subtree "dc=example,dc=com" matches, and the
-match is done using a regex. 
+expecting it to match all entries in the subtree "dc=example,dc=com".
+However, this rule actually matches any DN which contains anywhere
+the substring "dc=example,dc=com".  That is, the rule matches both
+"uid=joe,dc=example,dc=com" and "dc=example,dc=com,uid=joe".
+.LP
+To match the desired subtree, the rule would be more precisely
+written:
+.LP
+.nf
+	access to dn.regex="^(.+,)?dc=example,dc=com$$"
+		by ...
+.fi
+.LP
+For performance reasons, it would be better to use the subtree style.
 .LP
 .nf
 access to dn.subtree="dc=example,dc=com"
 	by ...
 .fi
 .LP
-would be far more appropriate.
-.LP
-Another quirk is related to the 
-.B by
-clause:
-a rule of the form
-.LP
-.nf
-	access to *
-		by dn="cn=User,dc=example,dc=com" write
-.fi
-.LP
-gives write access to every DN below "cn=User,dc=example,dc=com";
-if only that DN should have write access, the correct rule would be
-.LP
-.nf
-	access to *
-		by dn.exact="cn=User,dc=example,dc=com" write
-.fi
-.LP
 .SH FILES
 .TP
 ETCDIR/slapd.conf