On 01/31/2014 06:44 PM, michael@stroeder.com wrote:
> pierangelo.masarati@polimi.it wrote:
>> On 01/31/2014 05:49 PM, quanah@OpenLDAP.org wrote:
>>> What does administrative access mean?
>> It allows write when write is granted and the "relax" control is present. In practice, those who have "manage" access can perform those normally "prohibited" operations described in draft-zeilenga-ldap-relax.
> I wish this explanation would catch all cases.
> I vaguely remember that before the birth of draft-zeilenga-ldap-relax some (overlays?) misused the Manage DSA IT control for that purpose.
"manageDIT" was renamed to "relax" because it was too similar to "manageDSAit". Besides, although its use is intrinsically related to performing administrative operations, it is specifically meant to work around rules that make sense from a data model point of view but may need to be circumvented *during* "special" operations.
A clear example is the one in the draft, about turning a "person" objectClass into an "account" objectClass. Changing the structuralObjectClass of an object is not allowed by the data model; however, an administrator (i.e. someone with "manage" privileges) can do it using the "relax" control, thus making the entry inconsistent during the operation but perfectly consistent before *and* after.
p.
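An added, worked illustration of the person-to-account change discussed in the thread (this is constructed example material, not taken from the thread or from the OpenLDAP project): a consistent starting entry, a slapd ACL granting "manage" to an administrator, and the single modify request that swaps the structural class. The DNs, attribute values and the ACL scope are assumed placeholders. The point it shows is the one made above: the entry is valid before and after, but no sequence of ordinary writes can get from one to the other, so only a principal holding "manage" access, sending the relax control, can perform the operation.

```ldif
# Constructed example entry, consistent before the change (person + uidObject):
#   dn: uid=jdoe,ou=people,dc=example,dc=com
#   objectClass: person
#   objectClass: uidObject
#   cn: John Doe
#   sn: Doe
#   uid: jdoe
#
# slapd.conf ACL that grants the administrator "manage" access (assumed DNs).
# Plain "write" is not enough: manage is the level that enables relax.
#   access to dn.subtree="ou=people,dc=example,dc=com"
#       by dn.exact="cn=admin,dc=example,dc=com" manage
#       by * read
#
# Apply with the relax control (OpenLDAP ldapmodify general extension "-e relax"):
#   ldapmodify -x -e relax -D "cn=admin,dc=example,dc=com" -W -f change.ldif
#
# Without "-e relax" slapd refuses the same LDIF with objectClassModsProhibited,
# because the structural object class of an existing entry may not change.
# With the control, a bind that lacks "manage" access is still refused.

dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: modify
# Structural class person -> account; uidObject kept so uid stays allowed.
replace: objectClass
objectClass: account
objectClass: uidObject
-
# cn and sn are not permitted by account or uidObject, so they must go
# in the same operation; the entry is inconsistent only between these mods.
delete: cn
-
delete: sn
-
# account MAY description; uid (the RDN) is MUST for both account and uidObject.
add: description
description: converted from person to account
```

All four modifications travel in one Modify request, which is why the intermediate state never exists on disk: the server checks the schema against the final entry, and the relax control only suspends the rule that the structural class of an existing entry is immutable, not the requirement that the result be a valid entry.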