Commit 43fc90ae authored by Quanah Gibson-Mount

Update RFC references

fix "require" inheritance and handling of "none" (ITS#4574)
Add access control note to authz-regexp discussion
ITS#4613 note that lastmod also controls entryCSN and entryUUID
parent 71f186be
......@@ -130,8 +130,8 @@ a trailing `-') matches all options starting with that name, as well
as the option with the range name sans the trailing `-'.
That is, `x-foo-bar-' matches `x-foo-bar' and `x-foo-bar-baz'.
RFC 2251 reserves options beginning with `x-' for private experiments.
Other options should be registered with IANA, see RFC 3383 section 3.4.
RFC 4520 reserves options beginning with `x-' for private experiments.
Other options should be registered with IANA, see RFC 4520 section 3.5.
OpenLDAP also has the `binary' option built in, but this is a transfer
option, not a tagging option.
.HP
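Review bot: the two replacement sentences now cite RFC 4520 twice in a row; fold them into one, e.g. `RFC 4520 reserves options beginning with `x-' for private experiments; other options should be registered with IANA (see section 3.5).` While doing that, double-check that section 3.5 is the attribute-description-options section of RFC 4520, since the old text pointed at section 3.4 of RFC 3383 and the section number has moved.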
......@@ -150,8 +150,8 @@ option, not a tagging option.
[NO\-USER\-MODIFICATION]\
[USAGE\ <attributeUsage>]\ )"
.RS
Specify an attribute type using the LDAPv3 syntax defined in RFC 2252.
The slapd parser extends the RFC 2252 definition by allowing string
Specify an attribute type using the LDAPv3 syntax defined in RFC 4512.
The slapd parser extends the RFC 4512 definition by allowing string
forms as well as numeric OIDs to be used for the attribute OID and
attribute syntax OID.
(See the
......@@ -371,6 +371,8 @@ e.g.
.RE
The protocol portion of the URI must be strictly
.BR ldap .
Note that this search is subject to access controls. Specifically,
the authentication identity must have "auth" access in the subject.
Multiple
.B authz-regexp
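Review bot: the added sentence says the authentication identity must have "auth" access "in the subject", which leaves unclear what the access check is applied to; name the object of the check explicitly (the entries and attributes the regexp search looks at), and say what happens when that access is missing, since an administrator debugging a mapping that silently fails will look here first.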
......@@ -428,8 +430,8 @@ dissallow the StartTLS operation if authenticated (see also
[MAY\ <oids>]\
[NOT\ <oids>]\ )"
.RS
Specify an DIT Content Rule using the LDAPv3 syntax defined in RFC 2252.
The slapd parser extends the RFC 2252 definition by allowing string
Specify an DIT Content Rule using the LDAPv3 syntax defined in RFC 4512.
The slapd parser extends the RFC 4512 definition by allowing string
forms as well as numeric OIDs to be used for the attribute OID and
attribute syntax OID.
(See the
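Review bot: "Specify an DIT Content Rule" on the rewritten line carries the article error over from the old text; make it "a DIT Content Rule" while the line is being touched. The unchanged context below also says string forms may be used "for the attribute OID and attribute syntax OID", which looks copied from the attributetype entry; a DIT content rule is identified by the OID of its structural object class, so that sentence deserves a follow-up fix.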
......@@ -633,8 +635,8 @@ the path is colon-separated but this depends on the operating system.
[{ ABSTRACT | STRUCTURAL | AUXILIARY }]\
[MUST\ <oids>] [MAY\ <oids>] )"
.RS
Specify an objectclass using the LDAPv3 syntax defined in RFC 2252.
The slapd parser extends the RFC 2252 definition by allowing string
Specify an objectclass using the LDAPv3 syntax defined in RFC 4512.
The slapd parser extends the RFC 4512 definition by allowing string
forms as well as numeric OIDs to be used for the object class OID.
(See the
.B
......@@ -735,7 +737,9 @@ waits before checking the replogfile for changes.
.B require <conditions>
Specify a set of conditions (separated by white space) to
require (default none).
The directive may be specified globally and/or per-database.
The directive may be specified globally and/or per-database;
databases inherit global conditions, so per-database specifications
are additive.
.B bind
requires bind operation prior to directory operations.
.B LDAPv3
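Review bot: "per-database specifications are additive" can still be read as either replace or union; state plainly that the effective list for a database is the union of the global conditions and those given for the database, which also explains why the "none" keyword documented a few lines further down exists.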
......@@ -749,8 +753,9 @@ requires strong authentication prior to directory operations.
The strong keyword allows protected "simple" authentication
as well as SASL authentication.
.B none
may be used to require no conditions (useful for clearly globally
set conditions within a particular database).
may be used to require no conditions (useful to clear out globally
set conditions within a particular database); it must occur first
in the list of conditions.
.TP
.B reverse-lookup on | off
Enable/disable client name unverified reverse lookup (default is
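Review bot: "it must occur first in the list of conditions" states a constraint without its consequence; document whether a "none" appearing later (e.g. `require bind none`) is rejected when the configuration is parsed or silently ignored, because the two behaviours leave an operator with very different effective policies.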
......@@ -1072,7 +1077,9 @@ Controls whether
.B slapd
will automatically maintain the
modifiersName, modifyTimestamp, creatorsName, and
createTimestamp attributes for entries. By default, lastmod is on.
createTimestamp attributes for entries. It also controls
the entryCSN and entryUUID attributes, which are needed
by the syncrepl provider. By default, lastmod is on.
.TP
.B limits <who> <limit> [<limit> [...]]
Specify time and size limits based on who initiated an operation.
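Review bot: since the new text says entryCSN and entryUUID are needed by the syncrepl provider, spell out the consequence rather than leaving it implied: lastmod must not be turned off on a database that acts as a syncrepl provider. Without that sentence readers may still treat lastmod as a cosmetic timestamp switch and break replication by disabling it.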