From 111deb128ef334534924d368554f7751187044dd Mon Sep 17 00:00:00 2001
From: Pierangelo Masarati <ando@openldap.org>
Date: Fri, 8 Apr 2005 18:41:13 +0000
Subject: [PATCH] partial fulfilment of ITS#3639; need to check other backends
 thoroughly

---
 doc/man/man5/slapd.access.5 | 40 +++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/doc/man/man5/slapd.access.5 b/doc/man/man5/slapd.access.5
index cfc7427d2a..c4b02a9d31 100644
--- a/doc/man/man5/slapd.access.5
+++ b/doc/man/man5/slapd.access.5
@@ -920,6 +920,46 @@ privileges are also required on the
 attribute of the authorizing identity and/or on the 
 .B authzFrom
 attribute of the authorized identity.
+
+.LP
+Some backends do not honor all the above rules.  In detail:
+
+.TP
+.B bacl-ldap/back-meta
+\fIdo not check\fP
+.B write (=w)
+access, since it is delegated to the remote host(s) serving
+the naming context.
+The same applies to checking
+.B search (=s)
+access to the 
+.B entry
+pseudo-attribute of the
+.B searchBase 
+of a search operation, 
+.B search (=s)
+access to the attributes used in the
+.BR searchFilter ,
+and 
+.B disclose (=d)
+access to the
+.B entry
+pseudo-attribute of any object in case of error: all those checks 
+are delegated to the remote host(s).
+In any case,
+.B read (=r) 
+access is honored locally by the frontend.
+
+.TP
+.B back-shell
+requires
+.B write (=w)
+access to the 
+.B entry 
+pseudo-attribute for the modify operation; in the meanwhile, 
+\fIwrite access to the specific attributes that are modified
+is not checked\fP.
+
 .SH CAVEATS
 It is strongly recommended to explicitly use the most appropriate
 .B <dnstyle>
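Review bot: The tag of the first new .TP entry is misspelled as "bacl-ldap/back-meta"; it should read "back-ldap/back-meta". As written, anyone searching the man page for back-ldap will miss the paragraph stating that write (=w), search (=s) and disclose (=d) checks are delegated to the remote host(s) rather than enforced locally. In the back-shell entry, "in the meanwhile" is ambiguous: if the unchecked attribute-level write access is a permanent property of the backend, "however" would say so plainly, and if it is a temporary gap pending the rest of ITS#3639, the text should say that instead. The empty "+" lines before .LP and both .TP macros are not needed in roff source, since the macros already start a new paragraph, and can be dropped.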
-- 
GitLab