author: Alex Auvolat <alex@adnab.me> 2020-02-14 21:23:01 +0100
committer: Alex Auvolat <alex@adnab.me> 2020-02-14 21:23:01 +0100
commit: fd6a555216c82ac00f269c3ca3b7ab9b5d5184f0
tree: 7a3f22a38c1e19c6cbe05ac025cacfe218831383 /README.md
parent: 81328aa321e277adf27e91a61c1f13dab2df9fde
download: bottin-fd6a555216c82ac00f269c3ca3b7ab9b5d5184f0.tar.gz, bottin-fd6a555216c82ac00f269c3ca3b7ab9b5d5184f0.zip
Ensure objects have an objectclass property
Diffstat (limited to 'README.md')
-rw-r--r-- README.md 2
1 files changed, 1 insertions, 1 deletions
diff --git a/README.md b/README.md
index 7b299aa..f37d884 100644
--- a/README.md
+++ b/README.md
@@ -112,7 +112,7 @@ A rule is a string composed of five fields separated by `:`. The fields are the
1. The name of the user that must be bound (logged in) for the rule to apply. May contain wildcards such as `*` (see the format used by Go's `path.Match`). The special name `ANONYMOUS` applies to clients before they bind to an LDAP entity.
2. The groups that the user must be a part of, separated by spaces. Wildcards may also be used. If several groups (or wildcard group patterns) are specified, for each pattern the user must be part of a group that matches it.
-3. The action, a subset of `bind`, `read`, `add`, `delete`, `modify` separated by spaces.
+3. The action, a subset of `bind`, `read`, `add`, `delete`, `modify`, `modifyAdd` separated by spaces. `modifyAdd` is a special value that only authorizes modifications that add new values to a given attribute. This can be used to allow users to add other users to a group but not remove users from the group.
4. The target entity of the action as a pattern that may contain wildcards. The special word `SELF` is replaced by the entity name of the bound user before trying to match.
5. The allowed attributes for a read, add or modify operation. This is specified as a list of patterns to include and exclude attributes, separated by spaces. A pattern that starts by `!` is an exclude pattern, otherwise it is an include pattern. To read/write an attribute, it has to match at least one include pattern and not match any exclude pattern. Delete operations do not check for any attribute, thus as soon as `delete` is included in the allowed actions, the right to delete entities is granted.
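Review bot: the commit message "Ensure objects have an objectclass property" does not describe this hunk, which documents the new `modifyAdd` action in the rule format; either the message should mention the README change or the README change belongs in the commit that introduces `modifyAdd`. The new sentence for field 3 also leaves two questions a rule author will have: whether granting `modify` implies `modifyAdd`, and what happens to an LDAP modify request that mixes an add on one attribute with a replace or delete on another (rejected as a whole, or partially applied). Field 5 still reads "The allowed attributes for a read, add or modify operation" and should name `modifyAdd` too, since the stated use case (adding members to a group without being able to remove them) only holds when the attribute patterns restrict which attribute may be extended, e.g. `5. The allowed attributes for a read, add, modify or modifyAdd operation.`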