Re: manage vs write
> What access privileges over a particular suffix are granted to somebody
> with the "manage" level that somebody with the "write" level does not get?
>
> As background, using 2.4.26:
>
> This document specifies that somebody with the level "manage" gets
> everything else:
>
> http://www.openldap.org/doc/admin24/access-control.html#The%20access%20to%20grant
>
> On the other hand, slapd.access(5) specifies that "manage grants all
> access including administrative access. The write access is actually the
> combination of add and delete, which respectively restrict the write
> privilege to add or delete the specified <what>."
>
> (I am very puzzled. It strikes me that once I can write (add/delete) any
> entry in a subtree I effectively manage it.)
According to slapd.access(5), the "manage" privilege grants all usual
access privileges, plus administrative access. See for example
<draft-zeilenga-ldap-relax> and many more, e.g. writing (certain)
operational attributes and so on.
p.