update diagnostics and man pages
This commit is contained in:
parent
e0fd9ebf14
commit
f1698e30f5
@ -233,6 +233,14 @@ It can have the forms
|
|||||||
|
|
||||||
dn[.<dnstyle>[,<modifier>]]=<DN>
|
dn[.<dnstyle>[,<modifier>]]=<DN>
|
||||||
dnattr=<attrname>
|
dnattr=<attrname>
|
||||||
|
|
||||||
|
realanonymous
|
||||||
|
realusers
|
||||||
|
realself[.<selfstyle>]
|
||||||
|
|
||||||
|
realdn[.<dnstyle>[,<modifier>]]=<DN>
|
||||||
|
realdnattr=<attrname>
|
||||||
|
|
||||||
group[/<objectclass>[/<attrname>]]
|
group[/<objectclass>[/<attrname>]]
|
||||||
[.<groupstyle>]=<group>
|
[.<groupstyle>]=<group>
|
||||||
peername[.<peernamestyle>]=<peername>
|
peername[.<peernamestyle>]=<peername>
|
||||||
@ -246,7 +254,8 @@ It can have the forms
|
|||||||
tls_ssf=<n>
|
tls_ssf=<n>
|
||||||
sasl_ssf=<n>
|
sasl_ssf=<n>
|
||||||
|
|
||||||
aci=<attrname>
|
aci[=<attrname>]
|
||||||
|
dynacl/name[.<dynstyle>][=<pattern>]
|
||||||
.fi
|
.fi
|
||||||
.LP
|
.LP
|
||||||
with
|
with
|
||||||
@ -272,6 +281,11 @@ The wildcard
|
|||||||
.B *
|
.B *
|
||||||
refers to everybody.
|
refers to everybody.
|
||||||
.LP
|
.LP
|
||||||
|
The keywords prefixed by
|
||||||
|
.B real
|
||||||
|
act as their counterparts without prefix; the checking respectively occurs
|
||||||
|
with the \fIauthentication\fP DN and the \fIauthorization\fP DN.
|
||||||
|
.LP
|
||||||
The keyword
|
The keyword
|
||||||
.B anonymous
|
.B anonymous
|
||||||
means access is granted to unauthenticated clients; it is mostly used
|
means access is granted to unauthenticated clients; it is mostly used
|
||||||
@ -601,12 +615,39 @@ The statement
|
|||||||
is undocumented yet.
|
is undocumented yet.
|
||||||
.LP
|
.LP
|
||||||
The statement
|
The statement
|
||||||
.B aci=<attrname>
|
.B aci[=<attrname>]
|
||||||
means that the access control is determined by the values in the
|
means that the access control is determined by the values in the
|
||||||
.B attrname
|
.B attrname
|
||||||
of the entry itself.
|
of the entry itself.
|
||||||
|
The optional
|
||||||
|
.B <attrname>
|
||||||
|
indicates what attributeType holds the ACI information in the entry.
|
||||||
|
By default, the
|
||||||
|
.B OpenLDAPaci
|
||||||
|
operational attribute is used.
|
||||||
ACIs are experimental; they must be enabled at compile time.
|
ACIs are experimental; they must be enabled at compile time.
|
||||||
.LP
|
.LP
|
||||||
|
The statement
|
||||||
|
.B dynacl/<name>[.<dynstyle>][=<pattern>]
|
||||||
|
means that access checking is delegated to the admin-defined method
|
||||||
|
indicated by
|
||||||
|
.BR <name> ,
|
||||||
|
which can be registered at run-time by means of the
|
||||||
|
.B moduleload
|
||||||
|
statement.
|
||||||
|
The fields
|
||||||
|
.B <dynstyle>
|
||||||
|
and
|
||||||
|
.B <pattern>
|
||||||
|
are optional, and are directly passed to the registered parsing routine.
|
||||||
|
Dynacl is experimental; it must be enabled at compile time.
|
||||||
|
If dynacl and ACIs are both enabled, ACIs are cast into the dynacl scheme,
|
||||||
|
where
|
||||||
|
.B <name>=aci
|
||||||
|
and, optionally,
|
||||||
|
.BR <patten>=<attrname> .
|
||||||
|
However, the original ACI syntax is preserved for backward compatibility.
|
||||||
|
.LP
|
||||||
The statements
|
The statements
|
||||||
.BR ssf=<n> ,
|
.BR ssf=<n> ,
|
||||||
.BR transport_ssf=<n> ,
|
.BR transport_ssf=<n> ,
|
||||||
@ -617,7 +658,7 @@ set the minimum required Security Strength Factor (ssf) needed
|
|||||||
to grant access. The value should be positive integer.
|
to grant access. The value should be positive integer.
|
||||||
.SH THE <ACCESS> FIELD
|
.SH THE <ACCESS> FIELD
|
||||||
The field
|
The field
|
||||||
.B <access> ::= [self]{<level>|<priv>}
|
.B <access> ::= [[real]self]{<level>|<priv>}
|
||||||
determines the access level or the specific access privileges the
|
determines the access level or the specific access privileges the
|
||||||
.B who
|
.B who
|
||||||
field will have.
|
field will have.
|
||||||
@ -633,7 +674,12 @@ The modifier
|
|||||||
allows special operations like having a certain access level or privilege
|
allows special operations like having a certain access level or privilege
|
||||||
only in case the operation involves the name of the user that's requesting
|
only in case the operation involves the name of the user that's requesting
|
||||||
the access.
|
the access.
|
||||||
It implies the user that requests access is bound.
|
It implies the user that requests access is authorized.
|
||||||
|
The modifier
|
||||||
|
.B realself
|
||||||
|
refers to the authenticated DN as opposed to the authorized DN of the
|
||||||
|
.B self
|
||||||
|
modifier.
|
||||||
An example is the
|
An example is the
|
||||||
.B selfwrite
|
.B selfwrite
|
||||||
access to the member attribute of a group, which allows one to add/delete
|
access to the member attribute of a group, which allows one to add/delete
|
||||||
@ -662,7 +708,7 @@ access level disallows all access including disclosure on error.
|
|||||||
.LP
|
.LP
|
||||||
The
|
The
|
||||||
.B disclose
|
.B disclose
|
||||||
access level allows disclorure of information on error.
|
access level allows disclosure of information on error.
|
||||||
.LP
|
.LP
|
||||||
The
|
The
|
||||||
.B auth
|
.B auth
|
||||||
|
@ -1987,13 +1987,18 @@ acl_usage( void )
|
|||||||
"<attrlist> ::= <attr> [val[.<attrstyle>]=<value>] | <attr> , <attrlist>\n"
|
"<attrlist> ::= <attr> [val[.<attrstyle>]=<value>] | <attr> , <attrlist>\n"
|
||||||
"<attr> ::= <attrname> | entry | children\n",
|
"<attr> ::= <attrname> | entry | children\n",
|
||||||
"<who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]\n"
|
"<who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]\n"
|
||||||
|
"\t[ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ]\n"
|
||||||
"\t[dnattr=<attrname>]\n"
|
"\t[dnattr=<attrname>]\n"
|
||||||
|
"\t[realdnattr=<attrname>]\n"
|
||||||
"\t[group[/<objectclass>[/<attrname>]][.<style>]=<group>]\n"
|
"\t[group[/<objectclass>[/<attrname>]][.<style>]=<group>]\n"
|
||||||
"\t[peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>]\n"
|
"\t[peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>]\n"
|
||||||
"\t[domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]\n"
|
"\t[domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]\n"
|
||||||
#ifdef SLAPD_ACI_ENABLED
|
#ifdef SLAPD_ACI_ENABLED
|
||||||
"\t[aci=<attrname>]\n"
|
"\t[aci=[<attrname>]]\n"
|
||||||
#endif
|
#endif
|
||||||
|
#ifdef SLAP_DYNACL
|
||||||
|
"\t[dynacl/<name>[.<dynstyle>][=<pattern>]]\n"
|
||||||
|
#endif /* SLAP_DYNACL */
|
||||||
"\t[ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]\n",
|
"\t[ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]\n",
|
||||||
"<style> ::= exact | regex | base(Object)\n"
|
"<style> ::= exact | regex | base(Object)\n"
|
||||||
"<dnstyle> ::= base(Object) | one(level) | sub(tree) | children | "
|
"<dnstyle> ::= base(Object) | one(level) | sub(tree) | children | "
|
||||||
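Review bot: The usage line added for the real* keywords, `"\t[ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ]\n"`, disagrees with the man page hunk in this same commit, which documents `realself[.<selfstyle>]` and `realdn[.<dnstyle>[,<modifier>]]=<DN>`; one of the two diagnostics should be brought in line with what the parser actually accepts (the pre-existing `self` and `dn[.<dnstyle>]=<DN>` entries omit the same suffixes, so this may be a deliberate abbreviation — worth confirming). The reworked ACI line has the same problem in the opposite direction: `"\t[aci=[<attrname>]]\n"` makes the `=` mandatory and only the name optional, while the man page now reads `aci[=<attrname>]`; if a bare `aci` is accepted, the string should be `"\t[aci[=<attrname>]]\n"`. The new `"\t[dynacl/<name>[.<dynstyle>][=<pattern>]]\n"` entry introduces `<dynstyle>` and `<pattern>`, which none of the `<style>` definitions in the following hunk define; a closing line along the lines of `"<dynstyle>, <pattern> ::= handed unparsed to the registered dynacl module\n"` would keep the grammar self-contained, assuming the man page's description of those fields is accurate. acl_usage() begins and ends outside this hunk.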
@ -2002,7 +2007,7 @@ acl_usage( void )
|
|||||||
"sub(tree) | children\n"
|
"sub(tree) | children\n"
|
||||||
"<peernamestyle> ::= exact | regex | ip | path\n"
|
"<peernamestyle> ::= exact | regex | ip | path\n"
|
||||||
"<domainstyle> ::= exact | regex | base(Object) | sub(tree)\n"
|
"<domainstyle> ::= exact | regex | base(Object) | sub(tree)\n"
|
||||||
"<access> ::= [self]{<level>|<priv>}\n"
|
"<access> ::= [[real]self]{<level>|<priv>}\n"
|
||||||
"<level> ::= none|disclose|auth|compare|search|read|write|manage\n"
|
"<level> ::= none|disclose|auth|compare|search|read|write|manage\n"
|
||||||
"<priv> ::= {=|+|-}{0|d|x|c|s|r|w|m}+\n"
|
"<priv> ::= {=|+|-}{0|d|x|c|s|r|w|m}+\n"
|
||||||
"<control> ::= [ stop | continue | break ]\n"
|
"<control> ::= [ stop | continue | break ]\n"
|
||||||
|