January 2014 - openldap-bugs

Re: (ITS#7795) "manage" access right needs better description

by michael＠stroeder.com

pierangelo.masarati(a)polimi.it wrote: > On 01/31/2014 06:44 PM, michael(a)stroeder.com wrote: >> pierangelo.masarati(a)polimi.it wrote: >>> On 01/31/2014 05:49 PM, quanah(a)OpenLDAP.org wrote: >>>> What does administrative access mean? >>> >>> It allows write when write is granted and the "relax" control is >>> present. In practice, those who have "manage" access can perform those >>> normally "prohibited" operations described in draft-zeilenga-ldap-relax. >> >> I wish this explanation would catch all cases. >> >> I vaguely remember that before the birth of draft-zeilenga-ldap-relax some >> (overlays?) misused the Manage DSA IT control for that purpose. > > "manageDIT" was renamed to "relax" because it was too similar to > "manageDSAit". Yes, I know. I meant it literally mentioning "Manage DSA IT control". Ciao, Michael.

9 years, 8 months

1
0
0 / 0

Re: (ITS#7795) "manage" access right needs better description

by pierangelo.masarati＠polimi.it

On 01/31/2014 06:44 PM, michael(a)stroeder.com wrote: > pierangelo.masarati(a)polimi.it wrote: >> On 01/31/2014 05:49 PM, quanah(a)OpenLDAP.org wrote: >>> What does administrative access mean? >> >> It allows write when write is granted and the "relax" control is >> present. In practice, those who have "manage" access can perform those >> normally "prohibited" operations described in draft-zeilenga-ldap-relax. > > I wish this explanation would catch all cases. > > I vaguely remember that before the birth of draft-zeilenga-ldap-relax some > (overlays?) misused the Manage DSA IT control for that purpose. "manageDIT" was renamed to "relax" because it was too similar to "manageDSAit". Besides, although its use is intrinsically related to performing administrative operations, it is specifically meant to work around rules that make sense from a data model point of view but may need to be circumvented *during* "special" operations. A clear example is the one in the draft, about turning a "person" objectClass into an "account" objectClass. Changing the structuralObjectClass of an object is not allowed by the data model; however, an administrator (i.e. someone with "manage" privileges) can do it using the "relax" control, thus making the entry inconsistent during the operation but perfectly consistent before *and* after. p. -- Pierangelo Masarati Associate Professor Dipartimento di Scienze e Tecnologie Aerospaziali Politecnico di Milano

9 years, 8 months

1
0
0 / 0

Re: (ITS#7795) "manage" access right needs better description

by quanah＠zimbra.com

--On Friday, January 31, 2014 5:36 PM +0000 quanah(a)zimbra.com wrote: Additional notes: [09:07] <hyc> manage access gives you permission to use the Relax control on a modify request [09:07] <hyc> to write to an attribute that is otherwise not user-writable [09:07] <hyc> only a small set of operational attributes are manageable [09:08] <hyc> createtimestamp, modifytimestamp, creatorsname, modifiersname, entryUUID, entryTTL [09:09] <hyc> otherwise, the relax control is useless [09:09] <hyc> hm, the ppolicy opattrs are also manageable -- Quanah Gibson-Mount Architect - Server Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

9 years, 8 months

1
0
0 / 0

Re: (ITS#7795) "manage" access right needs better description

by michael＠stroeder.com

pierangelo.masarati(a)polimi.it wrote: > On 01/31/2014 05:49 PM, quanah(a)OpenLDAP.org wrote: >> What does administrative access mean? > > It allows write when write is granted and the "relax" control is > present. In practice, those who have "manage" access can perform those > normally "prohibited" operations described in draft-zeilenga-ldap-relax. I wish this explanation would catch all cases. I vaguely remember that before the birth of draft-zeilenga-ldap-relax some (overlays?) misused the Manage DSA IT control for that purpose. Ciao, Michael.

9 years, 8 months

1
0
0 / 0

Re: (ITS#7795) "manage" access right needs better description

by quanah＠zimbra.com

--On Friday, January 31, 2014 5:11 PM +0000 michael(a)stroeder.com wrote: > quanah(a)OpenLDAP.org wrote: >> What does administrative access mean? > > I can't describe the full meaning, only a specific use case: > > In some deployments I grant certain admins the right to remove > 'pwdHistory' attribute from an entry. Since this is an operational > attribute one has to grant also manage privilege for letting the client > remove the attribute in case it sends the Relax Rules control along with > the modify request. > > (yes, web2ldap implements this particular use case ;-) > > Example: > > access to > attrs=pwdHistory > by group="cn=all-mighty admins,dc=example,dc=com" =zm > by * none > > AFAIK this also applies to altering other operational attributes by using > Relax Rules control. > > Maybe you can take this as a start for a more general text. Great example, thanks! --Quanah -- Quanah Gibson-Mount Architect - Server Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

9 years, 8 months

1
0
0 / 0

Re: (ITS#7795) "manage" access right needs better description

by quanah＠zimbra.com

--On Friday, January 31, 2014 6:08 PM +0100 Pierangelo Masarati <pierangelo.masarati(a)polimi.it> wrote: > On 01/31/2014 05:49 PM, quanah(a)OpenLDAP.org wrote: >> Full_Name: Quanah Gibson-Mount >> Version: 2.4.39 >> OS: Linux 2.6 >> URL: ftp://ftp.openldap.org/incoming/ >> Submission from: (NULL) (75.111.58.125) >> >> >> The documentation in the Admin guide and the man pages for the "manage" >> ACL setting has virtual no documentation. The only definitive statement >> is a very vague: >> >> " thus manage grants all access including administrative access" >> >> What does administrative access mean? > > It allows write when write is granted and the "relax" control is present. > In practice, those who have "manage" access can perform those normally > "prohibited" operations described in draft-zeilenga-ldap-relax. Excellent, thank you very much. ;) --Quanah -- Quanah Gibson-Mount Architect - Server Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

9 years, 8 months

1
0
0 / 0

Re: (ITS#7795) "manage" access right needs better description

by michael＠stroeder.com

quanah(a)OpenLDAP.org wrote: > What does administrative access mean? I can't describe the full meaning, only a specific use case: In some deployments I grant certain admins the right to remove 'pwdHistory' attribute from an entry. Since this is an operational attribute one has to grant also manage privilege for letting the client remove the attribute in case it sends the Relax Rules control along with the modify request. (yes, web2ldap implements this particular use case ;-) Example: access to attrs=pwdHistory by group="cn=all-mighty admins,dc=example,dc=com" =zm by * none AFAIK this also applies to altering other operational attributes by using Relax Rules control. Maybe you can take this as a start for a more general text. Ciao, Michael.

9 years, 8 months

1
0
0 / 0

Re: (ITS#7795) "manage" access right needs better description

by pierangelo.masarati＠polimi.it

On 01/31/2014 05:49 PM, quanah(a)OpenLDAP.org wrote: > Full_Name: Quanah Gibson-Mount > Version: 2.4.39 > OS: Linux 2.6 > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (75.111.58.125) > > > The documentation in the Admin guide and the man pages for the "manage" ACL > setting has virtual no documentation. The only definitive statement is a very > vague: > > " thus manage grants all access including administrative access" > > What does administrative access mean? It allows write when write is granted and the "relax" control is present. In practice, those who have "manage" access can perform those normally "prohibited" operations described in draft-zeilenga-ldap-relax. p. -- Pierangelo Masarati Associate Professor Dipartimento di Scienze e Tecnologie Aerospaziali Politecnico di Milano

9 years, 8 months

1
0
0 / 0

(ITS#7795) "manage" access right needs better description

by quanah＠OpenLDAP.org

Full_Name: Quanah Gibson-Mount Version: 2.4.39 OS: Linux 2.6 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (75.111.58.125) The documentation in the Admin guide and the man pages for the "manage" ACL setting has virtual no documentation. The only definitive statement is a very vague: " thus manage grants all access including administrative access" What does administrative access mean?

9 years, 8 months

1
0
0 / 0

(ITS#7794) RFE: Versioned LMDB shared library

by jstanek＠redhat.com

Full_Name: Jan Stanìk Version: LMDB 0.9.11 OS: Fedora 20 URL: Submission from: (NULL) (209.132.186.34) I'm trying to package LMDB for Fedora as possible system-wide replacement for Oracle's BerkeleyDB. The main trouble is that in current state the LMDB builds an unversioned liblmdb.so. I would like to propose to start versioning of liblmdb.so, so it would be possible to include it into ditribution without the possibility of sudden ABI break.

9 years, 8 months

1
0
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs January 2014