clarify the required access to add the suffix of a database (consequence of ITS#4552)

Pierangelo Masarati 2006-05-20 11:12:05 +00:00
parent fa2425005a
commit e5fc7845fc


@ -860,11 +860,13 @@ as the first access rule.
As a consequence, unless the operation is performed with the
.B updatedn
identity, control is passed straight to the subsequent rules.
.SH OPERATION REQUIREMENTS
Operations require different privileges on different portions of entries.
The following summary applies to primary database backends such as
the BDB and HDB backends. Requirements for other backends may
(and often do) differ.
.LP
The
.B add
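Review bot: the header of this hunk (-860,11 +860,13) counts two added lines around the OPERATION REQUIREMENTS introduction, yet no added text shows, and the commit message mentions only the suffix-access clarification. If these are empty source lines used for spacing, keep them out of this commit, and prefer the .LP macro already used here over blank lines in man source, since a blank line is emitted as vertical space in the rendered page.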
@ -877,6 +879,10 @@ of the entry being added, and
privileges on the pseudo-attribute
.B children
of the entry's parent.
When adding the suffix entry of a database, write access to
.B children
of the empty DN ("") is required.
.LP
The
.B bind
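Review bot: the sentence on adding the suffix entry says "write access to children of the empty DN", while the neighbouring paragraphs name the level in the form ".B write (=w)" followed by "privileges"; use the same form here so the requirement reads like the others and maps directly onto an access clause. The sentence also follows the parent-entry requirement without saying that the empty DN takes the place of the parent in that case; wording such as "the suffix entry has no parent in the database, so ... is required instead" would make the relation explicit. A short sample rule, for instance one starting with access to dn.base="" attrs=children, would show administrators what to grant and to whom, which matters because a broad "by" clause on that rule lets more identities create the suffix than intended.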
@ -884,12 +890,14 @@ operation, when credentials are stored in the directory, requires
.B auth (=x)
privileges on the attribute the credentials are stored in (usually
.BR userPassword ).
.LP
The
.B compare
operation requires
.B compare (=c)
privileges on the attribute that is being compared.
.LP
The
.B delete
@ -902,12 +910,14 @@ of the entry being deleted, and
privileges on the
.B children
pseudo-attribute of the entry's parent.
.LP
The
.B modify
operation requires
.B write (=w)
privileges on the attributes being modified.
.LP
The
.B modrdn
@ -927,6 +937,7 @@ privileges are also required on the attributes that are present
in the old relative DN if
.B deleteoldrdn
is set to 1.
.LP
The
.B search
@ -959,6 +970,7 @@ access to the attribute holding the referral information
(generally the
.B ref
attribute).
.LP
Some internal operations and some
.B controls