manual cleanup

doc/man/man5/slapd-ldap.5

@@ -124,7 +124,7 @@ The supported modes are:
 .RS
 .RS
 .TP
-.B <mode>={legacy|anonymous|self|none|<id>}
+.B <mode>={legacy|anonymous|none|<id>|self}
 .RE
 .RS
 .B <id>={u:<ID>|[dn:]<DN>}
@@ -139,7 +139,7 @@ Direct binds are always proxied.
 The other modes imply that the proxy will always bind as 
 .IR idassert-authcdn ,
 unless restricted by
-.BR idassert-authz
+.BR idassert-authzFrom
 rules (see below), in which case the operation will fail;
 eventually, it will assert some other identity according to
 .BR <mode> .
@@ -178,7 +178,7 @@ permissions.  Note, however, that the ID assertion feature is mostly
 useful when the asserted identities do not exist on the remote server.
 .RE
 .TP
-.B idassert-authz <authz>
+.B idassert-authzFrom <authz>
 if defined, selects what
 .I local
 identities are authorized to exploit the identity assertion feature.

doc/man/man5/slapd.conf.5

@@ -183,7 +183,9 @@ sequence.
 The
 .B all
 flag requires both authorizations to succeed.
-The rules are simply regular expressions specifying which DNs are allowed 
+.LP
+.RS
+The rules are mechanisms to specify which identities are allowed 
 to perform proxy authorization.
 The
 .I authzFrom
@@ -207,7 +209,6 @@ describes an
 .B identity 
 or a set of identities; it can take three forms:
 .RS
-.RS
 .TP
 .B ldap:///<base>??[<scope>]?<filter>
 .RE
@@ -256,6 +257,9 @@ style, which causes
 .I <pattern>
 to be compiled according to 
 .BR regex (7).
+A pattern of
+.I *
+means any non-anonymous DN.
 The third form is a SASL
 .BR id ,
 with the optional fields
@@ -294,6 +298,13 @@ and
 .I authzTo
 can impact security, users are strongly encouraged 
 to explicitly set the type of identity specification that is being used.
+A subset of these rules can be used as third arg in the 
+.B authz-regexp
+statement (see below); significantly, the 
+.I URI
+and the
+.I dn.exact:<dn> 
+forms.
 .RE
 .TP
 .B authz-regexp <match> <replace>