Commit cb16835f authored by Kurt Zeilenga

Misc. updates from HEAD

parent ba43f4a8
......@@ -65,6 +65,9 @@ library should connect. Each server's name can be specified as a
domain-style name or an IP address and optionally followed by a ':' and
the port number the ldap server is listening on. A space separated
list of hosts may be provided.
.B HOST
is deprecated in favor of
.BR URI .
.TP
.B PORT <port>
Specifies the default port used when connecting to LDAP servers(s).
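Review bot: the deprecation note added for HOST leaves the PORT entry directly below it unchanged, although PORT only supplies the port for HOST-style server names (the HOST text already says a port can follow the name after a ':'); once HOST is deprecated in favor of URI, PORT needs the same `is deprecated in favor of` / `.BR URI .` lines, otherwise the two entries give a mixed message. A one-line migration hint would also help, e.g. that a `host:port` entry becomes `URI ldap://host:port/`. Minor: the unchanged context line reads `servers(s)`; `server(s)` is presumably meant.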
......@@ -208,7 +211,14 @@ If OpenLDAP is built with support for Transport Layer Security, there
are more options you can specify.
.TP
.B TLS <level>
Specifies whether client connections should use TLS by default. The
Specifies whether client connections should use ldaps:// by default.
This option is deprecated in favor of the
.B URI
option. Using the
.B TLS
option may break some applications.
.LP
The
.B <level>
can be specified as one of the following keywords:
.RS
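Review bot: the rewritten sentence narrows "use TLS by default" to "use ldaps:// by default", which is a meaningful correction, so the pointer to the replacement should say how to get the same effect, e.g. by listing an `ldaps://` server under the `URI` option rather than just naming the option. "Using the TLS option may break some applications" is too vague for a man page: say which applications or why (what the option does to connections the application did not ask to be ldaps), or leave the sentence out if that cannot be stated precisely.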
......@@ -424,7 +424,43 @@ or the (even more silly) example
.fi
.LP
which grants everybody search and compare privileges, and adds read
privileges to authenticated users.
privileges to authenticated clients.
.SH CAVEATS
It is strongly recommended to explicitly use the most appropriate
DN
.BR style ,
to avoid possible
incorrect specifications of the access rules as well
as for performance (avoid unrequired regex matching when
an exact match suffices) reasons.
.LP
An adminisistrator might create a rule of the form:
.LP
.nf
access to dn="dc=example,dc=com"
by ...
.fi
.LP
expecting it to match all entries in the subtree "dc=example,dc=com".
However, this rule actually matches any DN which contains anywhere
the substring "dc=example,dc=com". That is, the rule matches both
"uid=joe,dc=example,dc=com" and "dc=example,dc=com,uid=joe".
.LP
To match the desired subtree, the rule would be more precisely
written:
.LP
.nf
access to dn.regex="^(.+,)?dc=example,dc=com$$"
by ...
.fi
.LP
For performance reasons, it would be better to use the subtree style.
.LP
.nf
access to dn.subtree="dc=example,dc=com"
by ...
.fi
.LP
.SH FILES
.TP
ETCDIR/slapd.conf
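Review bot: typo in the new CAVEATS text: `adminisistrator` should be `administrator`. In the regex example the end anchor is written `$$`; if that is meant to pass through a later substitution step and render as a single `$`, say so in a comment, because as shown a reader copying the pattern gets one that does not anchor the way the surrounding text says. The caveat would also read better if it named which style a bare `dn="..."` defaults to, since the paragraph describes the substring behaviour but not its cause, and that is the whole reason the closing recommendation to use `dn.subtree` is the right one. Finally, the `.LP` after the last `.fi` is immediately followed by `.SH FILES`, leaving an empty paragraph; drop it.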