Hi
From the online doco re
Level     Privileges  Description
none      =0          no access
disclose  =d          needed for information disclosure on error
auth      =dx         needed to authenticate (bind)
compare   =cdx        needed to compare
search    =scdx       needed to apply search filters
read      =rscdx      needed to read search results
write     =wrscdx     needed to modify/rename
manage    =mwrscdx    needed to manage
I couldn't find out what the difference between manage and write is. What does the M allow for?
olcAccess: to dn.subtree="ou=Users," by dn.exact="cn=directory,ou=Roles," manage by * break
So for the subtree ou=Users I want to allow cn=directory to add / modify / delete any children of ou=Users. Reading the doco it seems like I only need to give it write access; what can I do extra with manage?
Also, for the userPassword attr: to write to it, do I need to have read, or can I just have =wd?
Thanks Alex
On Dec 8, 2022, at 6:46 PM, Alex Samad - Yieldbroker Alex.Samad@yieldbroker.com wrote:
> Hi
> From the online doco re
> Level     Privileges  Description
> none      =0          no access
> disclose  =d          needed for information disclosure on error
> auth      =dx         needed to authenticate (bind)
> compare   =cdx        needed to compare
> search    =scdx       needed to apply search filters
> read      =rscdx      needed to read search results
> write     =wrscdx     needed to modify/rename
> manage    =mwrscdx    needed to manage
> I couldn't find out what the difference between manage and write is. What does the M allow for?
> olcAccess: to dn.subtree="ou=Users," by dn.exact="cn=directory,ou=Roles," manage by * break
> So for the subtree ou=Users I want to allow cn=directory to add / modify / delete any children of ou=Users. Reading the doco it seems like I only need to give it write access; what can I do extra with manage?
Hello Alex,
```
man slapd.access
... THE <ACCESS> FIELD …
thus manage grants all access including administrative access. This access allows some modifications which would otherwise be prohibited by the LDAP data model or the directory schema, e.g. changing the structural objectclass of an entry, or modifying an operational attribute that is defined as not user modifiable.
The write access is actually the combination of add and delete, which respectively restrict the write privilege to add or delete the specified <what>.
```
Write access should suffice. You probably won’t need to grant service accounts manage access. You can always add it later if need be.
> Also, for the userPassword attr: to write to it, do I need to have read, or can I just have =wd?
```
man (cont)
The level access model relies on an incremental interpretation of the access privileges. The possible levels are none, disclose, auth, compare, search, read, write, and manage. Each access level implies all the preceding ones.
```
Cheers
— Shawn
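As an added example (not from this thread and not OpenLDAP's own code), the Python helper below expands slapd.access(5) level names and exact `=<letters>` specs into privilege letters using the table quoted above, and walks the `by` clauses of an olcAccess rule so you can see what each subject can actually read or write before loading the rule. The sample rules and the dc=example,dc=com suffix are constructed; the `+`/`-` incremental forms are not handled, and a `by` clause with no `<access>` (as in `by * break`) is assumed to grant none.

```python
import re
import shlex

# Privilege letters per named level, from the slapd.access(5) table; the level
# model is incremental, so each level already contains all the preceding ones.
LEVELS = {"none": "", "disclose": "d", "auth": "dx", "compare": "cdx",
          "search": "scdx", "read": "rscdx", "write": "wrscdx", "manage": "mwrscdx"}
CONTROLS = ("stop", "continue", "break")


def expand_access(spec):
    """Letters granted by a level name or an exact '=<letters>' spec; 'w' implies add 'a' and delete 'z'."""
    spec = spec.strip()
    if spec in LEVELS:
        letters = set(LEVELS[spec])
    else:
        m = re.fullmatch(r"=([mwazrscxd0]*)", spec)
        if not m:
            raise ValueError(f"unsupported access spec: {spec!r}")
        letters = set(m.group(1)) - {"0"}
    if "w" in letters:
        letters |= {"a", "z"}
    return letters


def parse_olc_access(rule):
    """Split an olcAccess value into its 'by' clauses, each with expanded privileges."""
    rule = re.sub(r"^(?:olcAccess:\s*)?(?:\{\d+\})?", "", rule.strip())
    tokens = shlex.split(rule)  # keeps quoted DNs as single tokens
    if len(tokens) < 2 or tokens[0] != "to":
        raise ValueError("rule must start with 'to <what>'")
    clauses, i = [], 2
    while i < len(tokens):
        if tokens[i] != "by" or i + 1 >= len(tokens):
            raise ValueError(f"malformed 'by' clause near {tokens[i]!r}")
        who, i = tokens[i + 1], i + 2
        access = "none"  # <access> is optional; an absent one is assumed to be none here
        if i < len(tokens) and tokens[i] != "by" and tokens[i] not in CONTROLS:
            access, i = tokens[i], i + 1
        control = "stop"  # default when no stop/continue/break is given
        if i < len(tokens) and tokens[i] in CONTROLS:
            control, i = tokens[i], i + 1
        privs = expand_access(access)
        clauses.append({"who": who, "access": access, "privs": privs, "control": control,
                        "can_read": "r" in privs, "can_write": "w" in privs})
    return clauses


# Constructed sample rules (not from the thread); dc=example,dc=com is a placeholder suffix.
SAMPLE_RULES = [
    'to attrs=userPassword by self =wd by anonymous auth by dn.exact="cn=directory,ou=Roles,dc=example,dc=com" write by * none',
    'to dn.subtree="ou=Users,dc=example,dc=com" by dn.exact="cn=directory,ou=Roles,dc=example,dc=com" write by * break',
]
```

Running `parse_olc_access` over the first sample shows `self =wd` yielding write without read, while the service account's `write` carries the whole read/search/compare/auth/disclose chain.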
openldap-technical@openldap.org