On 01/31/2014 06:44 PM, michael(a)stroeder.com wrote:
> On 01/31/2014 05:49 PM, quanah(a)OpenLDAP.org wrote:
>> What does administrative access mean?
> It allows write when write is granted and the "relax" control is
> present. In practice, those who have "manage" access can perform those
> normally "prohibited" operations described in draft-zeilenga-ldap-relax.
I wish this explanation would catch all cases.
I vaguely remember that before the birth of draft-zeilenga-ldap-relax some
(overlays?) misused the Manage DSA IT control for that purpose.
"manageDIT" was renamed to "relax" because it was too similar to
"manageDSAit". Besides, although its use is intrinsically related to
performing administrative operations, it is specifically meant to work
around rules that make sense from a data model point of view but may
need to be circumvented *during* "special" operations.

A clear example is the one in the draft, about turning a "person"
objectClass into an "account" objectClass. Changing the
structuralObjectClass of an object is not allowed by the data model;
however, an administrator (i.e. someone with "manage" privileges) can do
it using the "relax" control, thus making the entry inconsistent during
the operation but perfectly consistent before *and* after.

Dipartimento di Scienze e Tecnologie Aerospaziali
Politecnico di Milano
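The person-to-account change discussed above, as an added shell example that is not part of the thread: it assumes a constructed entry uid=jdoe carrying objectClass person plus the auxiliary uidObject (so it has cn, sn and uid), an slapd reachable at $LDAP_URI, a hypothetical admin DN granted "manage" by the ACL shown in the comment, and OpenLDAP's ldapmodify with its `-e relax` control option.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: an slapd reachable at
# $LDAP_URI, a constructed entry uid=jdoe with objectClass person + uidObject
# (attributes cn, sn, uid), and an ACL granting "manage" to the admin DN, e.g.
#   access to dn.subtree="ou=people,dc=example,dc=com"
#       by dn.exact="cn=admin,dc=example,dc=com" manage
#       by * read
ENTRY="uid=jdoe,ou=people,dc=example,dc=com"   # constructed
ADMIN="cn=admin,dc=example,dc=com"             # constructed

# LDIF that turns the structural class "person" into "account" in a single
# modify: objectClass is replaced, and cn/sn (required by person, not
# allowed by account) are dropped, so the entry is schema-consistent again
# when the operation ends. uid, which account requires, stays in place.
relax_ldif() {
    cat <<EOF
dn: $1
changetype: modify
replace: objectClass
objectClass: account
-
delete: cn
-
delete: sn
-
EOF
}

# Without "-e relax" slapd refuses the structuralObjectClass change with
# objectClassModsProhibited (result code 69). With the control, the change
# is applied only for a binder holding "manage" access on the entry; a
# binder with plain "write" access is still refused.
apply_with_relax() {
    relax_ldif "$1" | ldapmodify -x -H "$LDAP_URI" -D "$ADMIN" -W -e relax
}

# Only talk to a server when one was configured; otherwise just define the
# functions so the LDIF can be inspected.
if [ -n "${LDAP_URI:-}" ]; then
    apply_with_relax "$ENTRY"
fi
```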