On Mon, Oct 14, 2024 at 06:47:46AM +0000, Windl, Ulrich wrote:
> Hi!
> Basically I have the same question as unanswered https://serverfault.com/q/998893/407952: What is the difference between write and manage?
It's right there in the manpage[0]: Each access level implies all the preceding ones, thus manage grants all access including administrative access. This access allows some modifications which would otherwise be prohibited by the LDAP data model or the directory schema, e.g. changing the structural objectclass of an entry, or modifying an operational attribute that is defined as not user modifiable.
> I have a user with write permissions for pwdGraceUseTime, and deleting that attribute requires "-e relax" for ldapmodify. However, when my user tries it, it gets: ldap_modify: Insufficient access (50)
Yes, because the schema[1] explicitly says it's not meant to be modifiable (and the Relax control may be used to, well, "relax" this kind of restriction). And that's where the manage permissions come in.
[0] https://openldap.org/software/man.cgi?query=slapd.access
[1] https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy#name...
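The ACL change the reply is pointing at, as an added example that is not part of the thread above. It assumes a cn=config deployment with the user database at olcDatabase={1}mdb,cn=config, an administrative bind DN cn=pwadmin,dc=example,dc=com and a target entry uid=alice,ou=people,dc=example,dc=com; all of these names are made up for the illustration. The first olcAccess line is the kind of rule that produces "Insufficient access (50)", the second is the replacement: the level changes from write to manage, and the grant stays scoped to the single NO-USER-MODIFICATION attribute rather than to the whole entry.

```ldif
# --- ACL that is NOT enough: write covers ordinary add/delete of values,
#     but pwdGraceUseTime is NO-USER-MODIFICATION, so even with the Relax
#     control slapd checks for manage, not write.
#
# olcAccess: {0}to attrs=pwdGraceUseTime
#   by dn.exact="cn=pwadmin,dc=example,dc=com" write
#   by * none

# --- Corrected ACL: grant manage, but only on this attribute.
#     Inserted at index {0} so it is evaluated before any broader "to *"
#     rule in the same database (slapd stops at the first matching "to").
#     Apply with (as the config admin):
#       ldapmodify -Y EXTERNAL -H ldapi:/// -f grace-acl.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=pwdGraceUseTime
  by dn.exact="cn=pwadmin,dc=example,dc=com" manage
  by * none

# --- The modification the user was trying. The Relax control is still
#     required on the client side; manage access alone does not lift the
#     NO-USER-MODIFICATION check. Apply with:
#       ldapmodify -x -H ldap://localhost -e relax \
#         -D "cn=pwadmin,dc=example,dc=com" -W -f reset-grace.ldif
dn: uid=alice,ou=people,dc=example,dc=com
changetype: modify
delete: pwdGraceUseTime
```

Two points worth checking before copying this. First, manage is strictly more powerful than write (it also allows changing the structural objectClass and other operational attributes), so keep the grant on an attrs= selector rather than on the entry, and give it to a dedicated DN rather than to a general-purpose writer. Second, if the existing olcAccess list already has a "to attrs=pwd..." or "to *" rule that matches first, the new rule will never be reached; read back olcAccess after the change and confirm the ordering, then retest with ldapmodify -e relax as the pwadmin DN.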