Improve authzFrom and authzTo docs

2b402a5f · Karl O. Pinc · Ondřej Kuzník · d3fca136 · 2b402a5f
Commit 2b402a5f authored Apr 28, 2020 by Karl O. Pinc Committed by Ondřej Kuzník Feb 17, 2021
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -265,19 +265,26 @@ portions must be absent, so that the search occurs locally on either
 .I authzFrom
 or 
 .IR authzTo .
+
+.LP
 The second form is a 
-.BR DN ,
-with the optional style modifiers
+.BR DN .
+The optional
+.B dnstyle
+modifiers
 .IR exact ,
 .IR onelevel ,
 .IR children ,
 and
 .I subtree
-for exact, onelevel, children and subtree matches, which cause 
+provide exact, onelevel, children and subtree matches, which cause 
 .I <pattern>
-to be normalized according to the DN normalization rules, or the special
+to be normalized according to the DN normalization rules.
+The special
+.B dnstyle
+modifier
 .I regex
-style, which causes the
+causes the
 .I <pattern>
 to be treated as a POSIX (''extended'') regular expression, as
 discussed in
@@ -287,38 +294,57 @@ and/or
 A pattern of
 .I *
 means any non-anonymous DN.
+
+.LP
 The third form is a SASL
-.BR id ,
-with the optional fields
+.BR id .
+The optional fields
 .I <mech>
 and
 .I <realm>
-that allow to specify a SASL
+allow specification of a SASL
 .BR mechanism ,
 and eventually a SASL
 .BR realm ,
 for those mechanisms that support one.
 The need to allow the specification of a mechanism is still debated, 
 and users are strongly discouraged to rely on this possibility.
-The fourth form is a group specification, consisting of the keyword
+
+.LP
+The fourth form is a group specification.
+It consists of the keyword
 .BR group ,
-optionally followed by the specification of the group
+optionally followed by the specification of
 .B objectClass
-and member
+and
 .BR attributeType .
+The
+.B objectClass
+defaults to
+.IR memberOf .
+The
+.B attributeType
+defaults to
+.IR member .
 The group with DN
 .B <pattern>
-is searched with base scope, and in case of match, the values of the
-member
+is searched with base scope, filtered on the specified
+.BR objectClass .
+The values of the resulting
 .B attributeType
 are searched for the asserted DN.
-For backwards compatibility, if no identity type is provided, i.e. only
+
+.LP
+The fifth form is provided for backwards compatibility.  If no identity
+type is provided, i.e. only
 .B <pattern>
 is present, an
 .I exact DN
 is assumed; as a consequence, 
 .B <pattern>
 is subjected to DN normalization.
+
+.LP
 Since the interpretation of
 .I authzFrom
 and