What access privileges over a particular suffix are granted to somebody with the "manage" level that somebody with the "write" level does not get?
As background, using 2.4.26:
This document specifies that somebody with the level "manage" gets everything else:
http://www.openldap.org/doc/admin24/access-control.html#The%20access%20to%20...
On the other hand, slapd.access(5) specifies that "manage grants all access including administrative access. The write access is actually the combination of add and delete, which respectively restrict the write privilege to add or delete the specified <what>."
(I am very puzzled. It strikes me that once I can write (add/delete) any entry in a subtree I effectively manage it.)
According to slapd.access(5), the "manage" privilege grants all usual access privileges, plus administrative access. See for example <draft-zeilenga-ldap-relax>, and many more, e.g. writing (certain) operational attributes and so on.
p.
openldap-technical@openldap.org
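As an added illustration of the levels discussed above (this is not part of the original thread, and every DN in it is assumed), here is a slapd.conf-style ACL that gives one group "manage", another "write", and a single account only the "add" half of "write" on the same suffix:

```conf
# Added example, not from the thread; every DN below is assumed.
#
# slapd access levels are cumulative (manage > write > read > ...), and
# "write" is the union of the "add" and "delete" privileges:
#   - Directory Admins get manage: write plus the administrative access
#     slapd.access(5) mentions, e.g. modifying operational attributes
#     under the Relax Rules control (draft-zeilenga-ldap-relax).
#   - Editors get write: they can add and delete entries and attribute
#     values, but cannot perform manage-only operations.
#   - The provisioning account gets add only: it can create entries and
#     add values, but cannot delete either.
access to dn.subtree="dc=example,dc=com"
    by group.exact="cn=Directory Admins,ou=Groups,dc=example,dc=com" manage
    by group.exact="cn=Editors,ou=Groups,dc=example,dc=com" write
    by dn.exact="cn=provisioning,ou=Services,dc=example,dc=com" add
    by * read
```

To see the difference in practice, bind as a member of each group and submit the same modification of an operational attribute with the Relax Rules control, e.g. `ldapmodify -e relax -D "<bind DN>" -W -f mod.ldif` (`-e relax` is the OpenLDAP client option for that control; which operational attributes slapd lets you touch this way depends on the server's schema flags). Without the control, both groups can add and delete ordinary entries under the suffix; with it, the Editors member is refused because the operation now requires "manage", while the Directory Admins member is allowed. The provisioning account can create entries either way but cannot remove them, which is exactly the add/delete split quoted from slapd.access(5) in the question.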