ITS#5566

c0611d59 · Quanah Gibson-Mount · 8cfd6909 · c0611d59 · c0611d59
Commit c0611d59 authored 16 years ago by Quanah Gibson-Mount
--- a/CHANGES
+++ b/CHANGES
@@ -13,6 +13,7 @@ OpenLDAP 2.4.11 Engineering
 		Fixed test048 to skip if threads is not available (ITS#5529)
 	Documentation
 		Added slapo-pcache(5) sizelimit caching (ITS#5559)
+		Added slapd-access(5) add and delete privs (ITS#5566)
 		admin24 GnuTLS documentation (ITS#5554)

 OpenLDAP 2.4.10 Release (2008/06/08)

--- a/doc/man/man5/slapd.access.5
+++ b/doc/man/man5/slapd.access.5
@@ -709,8 +709,8 @@ field will have.
 Its component are defined as
 .LP
 .nf
-	<level> ::= none|disclose|auth|compare|search|read|write|manage
-	<priv> ::= {=|+|-}{m|w|r|s|c|x|d|0}+
+	<level> ::= none|disclose|auth|compare|search|read|{write|add|delete}|manage
+	<priv> ::= {=|+|-}{0|d|x|c|s|r|{w|a|z}|m}+
 .fi
 .LP
 The modifier
@@ -740,11 +740,22 @@ The possible levels are
 .BR compare ,
 .BR search ,
 .BR read ,
+.BR write ,
 and
-.BR write .
+.BR manage .
 Each access level implies all the preceding ones, thus 
 .B manage
-grants all access including administrative access,
+grants all access including administrative access.
+The 
+.BR write
+access is actually the combination of
+.BR add
+and
+.BR delete ,
+which respectively restrict the write privilege to add or delete
+the specified
+.BR <what> .
+
 .LP
 The
 .B none 
@@ -781,6 +792,10 @@ The privileges are
 for manage,
 .B w
 for write,
+.B a
+for add,
+.B z
+for delete,
 .B r
 for read,
 .B s 
@@ -794,6 +809,10 @@ for disclose.
 More than one of the above privileges can be added in one statement.
 .B 0
 indicates no privileges and is used only by itself (e.g., +0).
+Note that
+.B +az
+is equivalent to
+.BR +w .
 .LP
 If no access is given, it defaults to 
 .BR +0 .
@@ -878,15 +897,17 @@ the BDB and HDB backends.   Requirements for other backends may
 The
 .B add
 operation requires
-.B write (=w)
+.B add (=a)
 privileges on the pseudo-attribute 
 .B entry
 of the entry being added, and 
-.B write (=w)
+.B add (=a)
 privileges on the pseudo-attribute
 .B children
 of the entry's parent.
-When adding the suffix entry of a database, write access to
+When adding the suffix entry of a database,
+.B add
+access to
 .B children
 of the empty DN ("") is required.

@@ -909,11 +930,11 @@ privileges on the attribute that is being compared.
 The
 .B delete
 operation requires
-.B write (=w)
+.B delete (=z)
 privileges on the pseudo-attribute
 .B entry 
 of the entry being deleted, and
-.B write (=w)
+.B delete (=d)
 privileges on the
 .B children
 pseudo-attribute of the entry's parent.
@@ -924,6 +945,18 @@ The
 operation requires 
 .B write (=w)
 privileges on the attributes being modified.
+In detail, 
+.B add (=a)
+is required to add new values,
+.B delete (=z)
+is required to delete existing values,
+and both
+.B delete
+and
+.BR "add (=az)" ,
+or
+.BR "write (=w)" ,
+are required to replace existing values.

 .LP
 The
@@ -933,13 +966,17 @@ operation requires
 privileges on the pseudo-attribute
 .B entry
 of the entry whose relative DN is being modified,
-.B write (=w)
+.B delete (=z)
 privileges on the pseudo-attribute
 .B children
-of the old and new entry's parents, and
-.B write (=w)
+of the old entry's parents,
+.B add (=a)
+privileges on the pseudo-attribute
+.B children
+of the new entry's parents, and
+.B add (=a)
 privileges on the attributes that are present in the new relative DN.
-.B Write (=w)
+.B Delete (=z)
 privileges are also required on the attributes that are present 
 in the old relative DN if 
 .B deleteoldrdn