Re: (ITS#7795) "manage" access right needs better description
by michael@stroeder.com
pierangelo.masarati(a)polimi.it wrote:
> On 01/31/2014 06:44 PM, michael(a)stroeder.com wrote:
>> pierangelo.masarati(a)polimi.it wrote:
>>> On 01/31/2014 05:49 PM, quanah(a)OpenLDAP.org wrote:
>>>> What does administrative access mean?
>>>
>>> It allows write when write is granted and the "relax" control is
>>> present. In practice, those who have "manage" access can perform those
>>> normally "prohibited" operations described in draft-zeilenga-ldap-relax.
>>
>> I wish this explanation would catch all cases.
>>
>> I vaguely remember that before the birth of draft-zeilenga-ldap-relax some
>> (overlays?) misused the Manage DSA IT control for that purpose.
>
> "manageDIT" was renamed to "relax" because it was too similar to
> "manageDSAit".
Yes, I know. I meant it literally mentioning "Manage DSA IT control".
Ciao, Michael.
Re: (ITS#7795) "manage" access right needs better description
by pierangelo.masarati@polimi.it
On 01/31/2014 06:44 PM, michael(a)stroeder.com wrote:
> pierangelo.masarati(a)polimi.it wrote:
>> On 01/31/2014 05:49 PM, quanah(a)OpenLDAP.org wrote:
>>> What does administrative access mean?
>>
>> It allows write when write is granted and the "relax" control is
>> present. In practice, those who have "manage" access can perform those
>> normally "prohibited" operations described in draft-zeilenga-ldap-relax.
>
> I wish this explanation would catch all cases.
>
> I vaguely remember that before the birth of draft-zeilenga-ldap-relax some
> (overlays?) misused the Manage DSA IT control for that purpose.
"manageDIT" was renamed to "relax" because it was too similar to
"manageDSAit". Besides, although its use is intrinsically related to
performing administrative operations, it is specifically meant to work
around rules that make sense from a data model point of view but may
need to be circumvented *during* "special" operations.
A clear example is the one in the draft, about turning a "person"
objectClass into an "account" objectClass. Changing the
structuralObjectClass of an object is not allowed by the data model;
however, an administrator (i.e. someone with "manage" privileges) can do
it using the "relax" control, thus making the entry inconsistent during
the operation but perfectly consistent before *and* after.
p.
--
Pierangelo Masarati
Associate Professor
Dipartimento di Scienze e Tecnologie Aerospaziali
Politecnico di Milano
Re: (ITS#7795) "manage" access right needs better description
by quanah@zimbra.com
--On Friday, January 31, 2014 5:36 PM +0000 quanah(a)zimbra.com wrote:
Additional notes:
[09:07] <hyc> manage access gives you permission to use the Relax control
on a modify request
[09:07] <hyc> to write to an attribute that is otherwise not user-writable
[09:07] <hyc> only a small set of operational attributes are manageable
[09:08] <hyc> createtimestamp, modifytimestamp, creatorsname,
modifiersname, entryUUID, entryTTL
[09:09] <hyc> otherwise, the relax control is useless
[09:09] <hyc> hm, the ppolicy opattrs are also manageable
--
Quanah Gibson-Mount
Architect - Server
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
Re: (ITS#7795) "manage" access right needs better description
by michael@stroeder.com
pierangelo.masarati(a)polimi.it wrote:
> On 01/31/2014 05:49 PM, quanah(a)OpenLDAP.org wrote:
>> What does administrative access mean?
>
> It allows write when write is granted and the "relax" control is
> present. In practice, those who have "manage" access can perform those
> normally "prohibited" operations described in draft-zeilenga-ldap-relax.
I wish this explanation would catch all cases.
I vaguely remember that before the birth of draft-zeilenga-ldap-relax some
(overlays?) misused the Manage DSA IT control for that purpose.
Ciao, Michael.
Re: (ITS#7795) "manage" access right needs better description
by quanah@zimbra.com
--On Friday, January 31, 2014 5:11 PM +0000 michael(a)stroeder.com wrote:
> quanah(a)OpenLDAP.org wrote:
>> What does administrative access mean?
>
> I can't describe the full meaning, only a specific use case:
>
> In some deployments I grant certain admins the right to remove
> 'pwdHistory' attribute from an entry. Since this is an operational
> attribute one has to grant also manage privilege for letting the client
> remove the attribute in case it sends the Relax Rules control along with
> the modify request.
>
> (yes, web2ldap implements this particular use case ;-)
>
> Example:
>
> access to
> attrs=pwdHistory
> by group="cn=all-mighty admins,dc=example,dc=com" =zm
> by * none
>
> AFAIK this also applies to altering other operational attributes by using
> Relax Rules control.
>
> Maybe you can take this as a start for a more general text.
Great example, thanks!
--Quanah
--
Quanah Gibson-Mount
Architect - Server
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
Re: (ITS#7795) "manage" access right needs better description
by quanah@zimbra.com
--On Friday, January 31, 2014 6:08 PM +0100 Pierangelo Masarati
<pierangelo.masarati(a)polimi.it> wrote:
> On 01/31/2014 05:49 PM, quanah(a)OpenLDAP.org wrote:
>> Full_Name: Quanah Gibson-Mount
>> Version: 2.4.39
>> OS: Linux 2.6
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (75.111.58.125)
>>
>>
>> The documentation in the Admin guide and the man pages for the "manage"
>> ACL setting has virtual no documentation. The only definitive statement
>> is a very vague:
>>
>> " thus manage grants all access including administrative access"
>>
>> What does administrative access mean?
>
> It allows write when write is granted and the "relax" control is present.
> In practice, those who have "manage" access can perform those normally
> "prohibited" operations described in draft-zeilenga-ldap-relax.
Excellent, thank you very much. ;)
--Quanah
--
Quanah Gibson-Mount
Architect - Server
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
Re: (ITS#7795) "manage" access right needs better description
by michael@stroeder.com
quanah(a)OpenLDAP.org wrote:
> What does administrative access mean?
I can't describe the full meaning, only a specific use case:
In some deployments I grant certain admins the right to remove 'pwdHistory'
attribute from an entry. Since this is an operational attribute one has to
grant also manage privilege for letting the client remove the attribute in
case it sends the Relax Rules control along with the modify request.
(yes, web2ldap implements this particular use case ;-)
Example:
access to
attrs=pwdHistory
by group="cn=all-mighty admins,dc=example,dc=com" =zm
by * none
AFAIK this also applies to altering other operational attributes by using
Relax Rules control.
Maybe you can take this as a start for a more general text.
Ciao, Michael.
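To make the interaction that hyc's notes and Michael's ACL example describe concrete, here is an added illustrative model (an editor's example, not slapd's implementation and not code from anyone in the thread). It assumes the privilege letters of slapd.access(5) and a constructed list of NO-USER-MODIFICATION attributes taken from the messages above.

```python
# Illustrative model (added here; not slapd's code) of the access decision the
# thread describes: deleting a NO-USER-MODIFICATION operational attribute such
# as pwdHistory needs the Relax Rules control on the request AND an ACL clause
# granting "manage" plus the delete privilege, e.g. Michael's "=zm".
from __future__ import annotations

# Constructed list for this example: hyc's "manageable" operational attributes
# plus pwdHistory from Michael's use case (names compared case-insensitively).
NO_USER_MOD = {"createtimestamp", "modifytimestamp", "creatorsname",
               "modifiersname", "entryuuid", "entryttl", "pwdhistory"}

# Privilege letters from slapd.access(5): m=manage w=write a=add z=delete
# r=read s=search x=auth d=disclose.
PRIV_LETTERS = {"m": "manage", "w": "write", "a": "add", "z": "delete",
                "r": "read", "s": "search", "x": "auth", "d": "disclose"}


def parse_privs(spec: str) -> set[str]:
    """Expand an exact-privilege spec such as '=zm' into a set of privilege
    names. Only the '=' form is modelled; 'w' is treated as add+delete."""
    if not spec.startswith("="):
        raise ValueError("only '=<letters>' privilege specs are modelled")
    privs = {PRIV_LETTERS[c] for c in spec[1:]}
    if "write" in privs:
        privs |= {"add", "delete"}
    return privs


def modify_allowed(spec: str, attr: str, mod_op: str, relax: bool) -> tuple[bool, str]:
    """Decide whether a modify of `attr` (mod_op: add, delete or replace) by a
    requester matched by the clause `spec` succeeds. Returns (allowed, reason);
    the reasons mimic the LDAP result names involved."""
    privs = parse_privs(spec)
    needed = {"replace": {"add", "delete"}}.get(mod_op, {mod_op})
    if attr.lower() in NO_USER_MOD:
        if not relax:
            # Data-model rule applies regardless of ACLs (cf. Pierangelo's reply).
            return False, "constraintViolation: NO-USER-MODIFICATION attribute without Relax Rules control"
        if "manage" not in privs:
            return False, "insufficientAccess: Relax Rules control requires manage"
    missing = needed - privs
    if missing:
        return False, "insufficientAccess: missing " + ",".join(sorted(missing))
    return True, "ok"


if __name__ == "__main__":
    for case in [("=zm", "pwdHistory", "delete", True),
                 ("=zm", "pwdHistory", "delete", False),
                 ("=w", "pwdHistory", "delete", True)]:
        print(case, "->", modify_allowed(*case))
```

With the OpenLDAP command-line tools the control is requested with `ldapmodify -e relax`.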
Re: (ITS#7795) "manage" access right needs better description
by pierangelo.masarati@polimi.it
On 01/31/2014 05:49 PM, quanah(a)OpenLDAP.org wrote:
> Full_Name: Quanah Gibson-Mount
> Version: 2.4.39
> OS: Linux 2.6
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (75.111.58.125)
>
>
> The documentation in the Admin guide and the man pages for the "manage" ACL
> setting has virtually no documentation. The only definitive statement is a very
> vague:
>
> " thus manage grants all access including administrative access"
>
> What does administrative access mean?
It allows write when write is granted and the "relax" control is
present. In practice, those who have "manage" access can perform those
normally "prohibited" operations described in draft-zeilenga-ldap-relax.
p.
--
Pierangelo Masarati
Associate Professor
Dipartimento di Scienze e Tecnologie Aerospaziali
Politecnico di Milano
(ITS#7795) "manage" access right needs better description
by quanah@OpenLDAP.org
Full_Name: Quanah Gibson-Mount
Version: 2.4.39
OS: Linux 2.6
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (75.111.58.125)
The documentation in the Admin guide and the man pages for the "manage" ACL
setting has virtually no documentation. The only definitive statement is a very
vague:
" thus manage grants all access including administrative access"
What does administrative access mean?
(ITS#7794) RFE: Versioned LMDB shared library
by jstanek@redhat.com
Full_Name: Jan Staněk
Version: LMDB 0.9.11
OS: Fedora 20
URL:
Submission from: (NULL) (209.132.186.34)
I'm trying to package LMDB for Fedora as possible system-wide
replacement for Oracle's BerkeleyDB. The main trouble is that in current
state the LMDB builds an unversioned liblmdb.so.
I would like to propose to start versioning of liblmdb.so, so it would be
possible to include it into distribution without the possibility of sudden ABI
break.