On Dec 8, 2022, at 6:46 PM, Alex Samad - Yieldbroker
<Alex.Samad(a)yieldbroker.com> wrote:
Hi
From the online doco re
> Level Privileges Description
> none = 0 no access
> disclose = d needed for information disclosure on error
> auth = dx needed to authenticate (bind)
> compare = cdx needed to compare
> search = scdx needed to apply search filters
> read = rscdx needed to read search results
> write = wrscdx needed to modify/rename
> manage = mwrscdx needed to manage
I couldn't find out what the difference between manage and write is. What does the M
allow for?
```
olcAccess: to dn.subtree="ou=Users,"
  by dn.exact="cn=directory,ou=Roles," manage by * break
```
So for the subtree ou=User,
I want to allow cn=directory to add / modify / delete any children of ou=Users. Reading
the doco it seems like I only need to give it write access; what can I do extra with
manage?
Hello Alex,
```
man slapd.access
...
THE <ACCESS> FIELD
…
thus manage grants all access including administrative access. This access allows some
modifications which would otherwise be prohibited by the LDAP data model or the directory
schema, e.g. changing the structural objectclass of an entry, or modifying an operational
attribute that is defined as not user modifiable.
The write access is actually the combination of add and delete, which respectively
restrict the write privilege to add or delete the specified <what>.
```
Write access should suffice. You probably won’t need to grant service accounts manage
access. You can always add it later if need be.
Also, for the userPassword attr, to write to it do I need to have read, or can I just have
=wd?
```
man slapd.access (cont.)
The level access model relies on an incremental interpretation of the access privileges.
The possible levels are none, disclose, auth, compare, search, read, write, and manage.
Each access level implies all the preceding ones
```
Cheers
—
Shawn
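To make the incremental model from the man page concrete, here is a small Python model (an added example, not part of this thread or of OpenLDAP's own code) that expands a level name, or an explicit `=`/`+`/`-` privilege list as slapd.access(5) allows, into the privilege letters from the table above; the function and constant names are my own.

```python
# Added example, not from the thread or OpenLDAP itself: a model of the
# slapd.access(5) privilege semantics quoted above. Names are my own.
LEVEL_ORDER = ["none", "disclose", "auth", "compare",
               "search", "read", "write", "manage"]
# Letter each level adds on top of the previous one ("none" adds nothing).
LEVEL_LETTER = {"disclose": "d", "auth": "x", "compare": "c",
                "search": "s", "read": "r", "write": "w", "manage": "m"}
PRIV_LETTERS = set("dxcsrwm")


def level_privileges(level):
    """Expand a named level; each level implies all the preceding ones."""
    if level not in LEVEL_ORDER:
        raise ValueError(f"unknown access level: {level}")
    idx = LEVEL_ORDER.index(level)
    return frozenset(LEVEL_LETTER[lv] for lv in LEVEL_ORDER[1:idx + 1])


def resolve_access(spec, current=frozenset()):
    """Resolve one <access> token to a set of privilege letters.

    spec is either a level name (incremental model) or an explicit
    privilege list: "=wd" sets exactly w and d, "+r" / "-w" add to or
    remove from `current`, the privileges granted so far. "0" means none.
    """
    if spec and spec[0] in "=+-":
        letters = set(spec[1:]) - {"0"}
        unknown = letters - PRIV_LETTERS
        if unknown:
            raise ValueError(f"unknown privilege letter(s): {sorted(unknown)}")
        if spec[0] == "=":
            return frozenset(letters)
        if spec[0] == "+":
            return frozenset(current | letters)
        return frozenset(current - letters)
    return level_privileges(spec)


def grants(spec, needed, current=frozenset()):
    """True if every letter in `needed` is granted by `spec`."""
    return set(needed) <= resolve_access(spec, current)


if __name__ == "__main__":
    for lvl in LEVEL_ORDER:  # reproduces the table from the doco
        print(f"{lvl:8s} = {''.join(sorted(level_privileges(lvl))) or '0'}")
    # manage adds only the 'm' (administrative) bit on top of write
    print(sorted(level_privileges("manage") - level_privileges("write")))
    # "=wd" grants write but not read on the attribute
    print(grants("=wd", "w"), grants("=wd", "r"), grants("write", "r"))
```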
Thanks
Alex