update diagnostics and man pages

This commit is contained in:
Pierangelo Masarati 2005-04-04 12:24:50 +00:00
parent e0fd9ebf14
commit f1698e30f5
2 changed files with 58 additions and 7 deletions


@ -233,6 +233,14 @@ It can have the forms
dn[.<dnstyle>[,<modifier>]]=<DN> dn[.<dnstyle>[,<modifier>]]=<DN>
dnattr=<attrname> dnattr=<attrname>
realanonymous
realusers
realself[.<selfstyle>]
realdn[.<dnstyle>[,<modifier>]]=<DN>
realdnattr=<attrname>
group[/<objectclass>[/<attrname>]] group[/<objectclass>[/<attrname>]]
[.<groupstyle>]=<group> [.<groupstyle>]=<group>
peername[.<peernamestyle>]=<peername> peername[.<peernamestyle>]=<peername>
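Review bot: the synopsis documents `realself[.<selfstyle>]` and `realdn[.<dnstyle>[,<modifier>]]=<DN>`, but the `acl_usage()` string changed in this same commit prints `realself` and `realdn[.<dnstyle>]=<DN>`, so the man page and the diagnostic disagree on whether the `real*` forms accept a style and a modifier; decide which is right and make the other match. Since these keywords switch the check from the authorization DN to the authentication DN, the synopsis (or the paragraph below it) should also state plainly that `realdn`/`realdnattr` accept exactly the styles and modifiers of `dn`/`dnattr`, if that is what the parser does.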
@ -246,7 +254,8 @@ It can have the forms
tls_ssf=<n> tls_ssf=<n>
sasl_ssf=<n> sasl_ssf=<n>
aci=<attrname> aci[=<attrname>]
dynacl/name[.<dynstyle>][=<pattern>]
.fi .fi
.LP .LP
with with
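Review bot: `dynacl/name[.<dynstyle>][=<pattern>]` writes the method name as a literal `name`, while the body text later in this file and `acl_usage()` write `dynacl/<name>`; use the bracketed `<name>` here so the synopsis matches the rest of the grammar. It would also help to say what an omitted `[=<pattern>]` means, given that the text below states the field is handed straight to the registered parsing routine.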
@ -272,6 +281,11 @@ The wildcard
.B * .B *
refers to everybody. refers to everybody.
.LP .LP
The keywords prefixed by
.B real
act as their counterparts without prefix; the checking respectively occurs
with the \fIauthentication\fP DN and the \fIauthorization\fP DN.
.LP
The keyword The keyword
.B anonymous .B anonymous
means access is granted to unauthenticated clients; it is mostly used means access is granted to unauthenticated clients; it is mostly used
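Review bot: "act as their counterparts without prefix; the checking respectively occurs with the authentication DN and the authorization DN" makes the reader work out which DN goes with which form. Say it directly, e.g. "the prefixed forms are matched against the authentication DN (the identity that actually bound), the unprefixed forms against the authorization DN (the identity the operation is performed as, which differs from the former after SASL or proxied authorization)". That distinction is the point of `real*`: an ACL written with `dn=` grants access to whatever identity the client has been authorized to assume, while `realdn=` grants it only to the identity that actually authenticated, and administrators should be told when the two differ.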
@ -601,12 +615,39 @@ The statement
is undocumented yet. is undocumented yet.
.LP .LP
The statement The statement
.B aci=<attrname> .B aci[=<attrname>]
means that the access control is determined by the values in the means that the access control is determined by the values in the
.B attrname .B attrname
of the entry itself. of the entry itself.
The optional
.B <attrname>
indicates what attributeType holds the ACI information in the entry.
By default, the
.B OpenLDAPaci
operational attribute is used.
ACIs are experimental; they must be enabled at compile time. ACIs are experimental; they must be enabled at compile time.
.LP .LP
The statement
.B dynacl/<name>[.<dynstyle>][=<pattern>]
means that access checking is delegated to the admin-defined method
indicated by
.BR <name> ,
which can be registered at run-time by means of the
.B moduleload
statement.
The fields
.B <dynstyle>
and
.B <pattern>
are optional, and are directly passed to the registered parsing routine.
Dynacl is experimental; it must be enabled at compile time.
If dynacl and ACIs are both enabled, ACIs are cast into the dynacl scheme,
where
.B <name>=aci
and, optionally,
.BR <patten>=<attrname> .
However, the original ACI syntax is preserved for backward compatibility.
.LP
The statements The statements
.BR ssf=<n> , .BR ssf=<n> ,
.BR transport_ssf=<n> , .BR transport_ssf=<n> ,
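Review bot: `.BR <patten>=<attrname> .` is a typo for `<pattern>`. In the same paragraph, `admin-defined` reads better as `administrator-defined`, and "ACIs are cast into the dynacl scheme, where `<name>=aci` and, optionally, `<pattern>=<attrname>`" would be clearer as the concrete equivalence a user would actually write, i.e. `aci=<attrname>` is the same as `dynacl/aci=<attrname>`. Finally, since `<dynstyle>` and `<pattern>` are "directly passed to the registered parsing routine", it is worth stating that slapd itself does not validate them and that errors in those fields are reported by the loaded module's routine.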
@ -617,7 +658,7 @@ set the minimum required Security Strength Factor (ssf) needed
to grant access. The value should be positive integer. to grant access. The value should be positive integer.
.SH THE <ACCESS> FIELD .SH THE <ACCESS> FIELD
The field The field
.B <access> ::= [self]{<level>|<priv>} .B <access> ::= [[real]self]{<level>|<priv>}
determines the access level or the specific access privileges the determines the access level or the specific access privileges the
.B who .B who
field will have. field will have.
@ -633,7 +674,12 @@ The modifier
allows special operations like having a certain access level or privilege allows special operations like having a certain access level or privilege
only in case the operation involves the name of the user that's requesting only in case the operation involves the name of the user that's requesting
the access. the access.
It implies the user that requests access is bound. It implies the user that requests access is authorized.
The modifier
.B realself
refers to the authenticated DN as opposed to the authorized DN of the
.B self
modifier.
An example is the An example is the
.B selfwrite .B selfwrite
access to the member attribute of a group, which allows one to add/delete access to the member attribute of a group, which allows one to add/delete
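Review bot: "It implies the user that requests access is authorized." is ambiguous: `authorized` will be read as `permitted`, whereas what is meant (given the `bound` it replaces and the `realself` sentence that follows) is that the request carries an authorization DN, i.e. is not anonymous. Suggest "It implies that the requesting user has a non-empty authorization DN." The next sentence also switches to `authenticated DN`/`authorized DN`, while the `real` paragraph earlier in this file says `authentication DN`/`authorization DN`; use one pair of terms throughout.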
@ -662,7 +708,7 @@ access level disallows all access including disclosure on error.
.LP .LP
The The
.B disclose .B disclose
access level allows disclorure of information on error. access level allows disclosure of information on error.
.LP .LP
The The
.B auth .B auth


@ -1987,13 +1987,18 @@ acl_usage( void )
"<attrlist> ::= <attr> [val[.<attrstyle>]=<value>] | <attr> , <attrlist>\n" "<attrlist> ::= <attr> [val[.<attrstyle>]=<value>] | <attr> , <attrlist>\n"
"<attr> ::= <attrname> | entry | children\n", "<attr> ::= <attrname> | entry | children\n",
"<who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]\n" "<who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]\n"
"\t[ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ]\n"
"\t[dnattr=<attrname>]\n" "\t[dnattr=<attrname>]\n"
"\t[realdnattr=<attrname>]\n"
"\t[group[/<objectclass>[/<attrname>]][.<style>]=<group>]\n" "\t[group[/<objectclass>[/<attrname>]][.<style>]=<group>]\n"
"\t[peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>]\n" "\t[peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>]\n"
"\t[domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]\n" "\t[domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]\n"
#ifdef SLAPD_ACI_ENABLED #ifdef SLAPD_ACI_ENABLED
"\t[aci=<attrname>]\n" "\t[aci=[<attrname>]]\n"
#endif #endif
#ifdef SLAP_DYNACL
"\t[dynacl/<name>[.<dynstyle>][=<pattern>]]\n"
#endif /* SLAP_DYNACL */
"\t[ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]\n", "\t[ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]\n",
"<style> ::= exact | regex | base(Object)\n" "<style> ::= exact | regex | base(Object)\n"
"<dnstyle> ::= base(Object) | one(level) | sub(tree) | children | " "<dnstyle> ::= base(Object) | one(level) | sub(tree) | children | "
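Review bot: the new `[dynacl/<name>[.<dynstyle>][=<pattern>]]` line introduces `<dynstyle>` and `<pattern>`, but the grammar printed below (`<style>`, `<dnstyle>`, `<peernamestyle>`, `<domainstyle>`) never defines them, so the usage text slapd prints on an ACL parse error shows nonterminals it does not explain; either add a `<dynstyle> ::= ...` production (even if it only says the value is method-specific) or drop the style from the usage line. Note also that `realself` and `realdn[.<dnstyle>]=<DN>` here omit the `[.<selfstyle>]` and `[,<modifier>]` shown in the man page hunk, which is consistent with how the existing `self` and `dn[.<dnstyle>]=<DN>` entries are abbreviated but should be reconciled with the man page one way or the other.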
@ -2002,7 +2007,7 @@ acl_usage( void )
"sub(tree) | children\n" "sub(tree) | children\n"
"<peernamestyle> ::= exact | regex | ip | path\n" "<peernamestyle> ::= exact | regex | ip | path\n"
"<domainstyle> ::= exact | regex | base(Object) | sub(tree)\n" "<domainstyle> ::= exact | regex | base(Object) | sub(tree)\n"
"<access> ::= [self]{<level>|<priv>}\n" "<access> ::= [[real]self]{<level>|<priv>}\n"
"<level> ::= none|disclose|auth|compare|search|read|write|manage\n" "<level> ::= none|disclose|auth|compare|search|read|write|manage\n"
"<priv> ::= {=|+|-}{0|d|x|c|s|r|w|m}+\n" "<priv> ::= {=|+|-}{0|d|x|c|s|r|w|m}+\n"
"<control> ::= [ stop | continue | break ]\n" "<control> ::= [ stop | continue | break ]\n"