mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-21 03:10:25 +08:00
update diagnostics and man pages
This commit is contained in:
parent
e0fd9ebf14
commit
f1698e30f5
@ -233,6 +233,14 @@ It can have the forms
|
||||
|
||||
dn[.<dnstyle>[,<modifier>]]=<DN>
|
||||
dnattr=<attrname>
|
||||
|
||||
realanonymous
|
||||
realusers
|
||||
realself[.<selfstyle>]
|
||||
|
||||
realdn[.<dnstyle>[,<modifier>]]=<DN>
|
||||
realdnattr=<attrname>
|
||||
|
||||
group[/<objectclass>[/<attrname>]]
|
||||
[.<groupstyle>]=<group>
|
||||
peername[.<peernamestyle>]=<peername>
|
||||
@ -246,7 +254,8 @@ It can have the forms
|
||||
tls_ssf=<n>
|
||||
sasl_ssf=<n>
|
||||
|
||||
aci=<attrname>
|
||||
aci[=<attrname>]
|
||||
dynacl/name[.<dynstyle>][=<pattern>]
|
||||
.fi
|
||||
.LP
|
||||
with
|
||||
@ -272,6 +281,11 @@ The wildcard
|
||||
.B *
|
||||
refers to everybody.
|
||||
.LP
|
||||
The keywords prefixed by
|
||||
.B real
|
||||
act as their counterparts without prefix; the checking respectively occurs
|
||||
with the \fIauthentication\fP DN and the \fIauthorization\fP DN.
|
||||
.LP
|
||||
The keyword
|
||||
.B anonymous
|
||||
means access is granted to unauthenticated clients; it is mostly used
|
||||
@ -601,12 +615,39 @@ The statement
|
||||
is undocumented yet.
|
||||
.LP
|
||||
The statement
|
||||
.B aci=<attrname>
|
||||
.B aci[=<attrname>]
|
||||
means that the access control is determined by the values in the
|
||||
.B attrname
|
||||
of the entry itself.
|
||||
The optional
|
||||
.B <attrname>
|
||||
indicates what attributeType holds the ACI information in the entry.
|
||||
By default, the
|
||||
.B OpenLDAPaci
|
||||
operational attribute is used.
|
||||
ACIs are experimental; they must be enabled at compile time.
|
||||
.LP
|
||||
The statement
|
||||
.B dynacl/<name>[.<dynstyle>][=<pattern>]
|
||||
means that access checking is delegated to the admin-defined method
|
||||
indicated by
|
||||
.BR <name> ,
|
||||
which can be registered at run-time by means of the
|
||||
.B moduleload
|
||||
statement.
|
||||
The fields
|
||||
.B <dynstyle>
|
||||
and
|
||||
.B <pattern>
|
||||
are optional, and are directly passed to the registered parsing routine.
|
||||
Dynacl is experimental; it must be enabled at compile time.
|
||||
If dynacl and ACIs are both enabled, ACIs are cast into the dynacl scheme,
|
||||
where
|
||||
.B <name>=aci
|
||||
and, optionally,
|
||||
.BR <patten>=<attrname> .
|
||||
However, the original ACI syntax is preserved for backward compatibility.
|
||||
.LP
|
||||
The statements
|
||||
.BR ssf=<n> ,
|
||||
.BR transport_ssf=<n> ,
|
||||
@ -617,7 +658,7 @@ set the minimum required Security Strength Factor (ssf) needed
|
||||
to grant access. The value should be positive integer.
|
||||
.SH THE <ACCESS> FIELD
|
||||
The field
|
||||
.B <access> ::= [self]{<level>|<priv>}
|
||||
.B <access> ::= [[real]self]{<level>|<priv>}
|
||||
determines the access level or the specific access privileges the
|
||||
.B who
|
||||
field will have.
|
||||
@ -633,7 +674,12 @@ The modifier
|
||||
allows special operations like having a certain access level or privilege
|
||||
only in case the operation involves the name of the user that's requesting
|
||||
the access.
|
||||
It implies the user that requests access is bound.
|
||||
It implies the user that requests access is authorized.
|
||||
The modifier
|
||||
.B realself
|
||||
refers to the authenticated DN as opposed to the authorized DN of the
|
||||
.B self
|
||||
modifier.
|
||||
An example is the
|
||||
.B selfwrite
|
||||
access to the member attribute of a group, which allows one to add/delete
|
||||
@ -662,7 +708,7 @@ access level disallows all access including disclosure on error.
|
||||
.LP
|
||||
The
|
||||
.B disclose
|
||||
access level allows disclorure of information on error.
|
||||
access level allows disclosure of information on error.
|
||||
.LP
|
||||
The
|
||||
.B auth
|
||||
|
@ -1987,13 +1987,18 @@ acl_usage( void )
|
||||
"<attrlist> ::= <attr> [val[.<attrstyle>]=<value>] | <attr> , <attrlist>\n"
|
||||
"<attr> ::= <attrname> | entry | children\n",
|
||||
"<who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]\n"
|
||||
"\t[ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ]\n"
|
||||
"\t[dnattr=<attrname>]\n"
|
||||
"\t[realdnattr=<attrname>]\n"
|
||||
"\t[group[/<objectclass>[/<attrname>]][.<style>]=<group>]\n"
|
||||
"\t[peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>]\n"
|
||||
"\t[domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]\n"
|
||||
#ifdef SLAPD_ACI_ENABLED
|
||||
"\t[aci=<attrname>]\n"
|
||||
"\t[aci=[<attrname>]]\n"
|
||||
#endif
|
||||
#ifdef SLAP_DYNACL
|
||||
"\t[dynacl/<name>[.<dynstyle>][=<pattern>]]\n"
|
||||
#endif /* SLAP_DYNACL */
|
||||
"\t[ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]\n",
|
||||
"<style> ::= exact | regex | base(Object)\n"
|
||||
"<dnstyle> ::= base(Object) | one(level) | sub(tree) | children | "
|
||||
@ -2002,7 +2007,7 @@ acl_usage( void )
|
||||
"sub(tree) | children\n"
|
||||
"<peernamestyle> ::= exact | regex | ip | path\n"
|
||||
"<domainstyle> ::= exact | regex | base(Object) | sub(tree)\n"
|
||||
"<access> ::= [self]{<level>|<priv>}\n"
|
||||
"<access> ::= [[real]self]{<level>|<priv>}\n"
|
||||
"<level> ::= none|disclose|auth|compare|search|read|write|manage\n"
|
||||
"<priv> ::= {=|+|-}{0|d|x|c|s|r|w|m}+\n"
|
||||
"<control> ::= [ stop | continue | break ]\n"
|
||||
|
Loading…
Reference in New Issue
Block a user