What access privileges over a particular suffix are granted to somebody with the "manage" level that somebody with the "write" level does not get?
As background, using 2.4.26:
This document specifies that somebody with the level "manage" gets
everything else:
http://www.openldap.org/doc/admin24/access-control.html#The%20access%20to...
On the other hand, slapd.access(5) specifies that "manage grants all
access including administrative access. The write access is actually the
combination of add and delete, which respectively restrict the write
privilege to add or delete the specified <what>."
(I am very puzzled. It strikes me that once I can write (add/delete) any
entry in a subtree I effectively manage it.)
According to slapd.access(5), the "manage" privilege grants all usual
access privileges, plus administrative access. See for example
<draft-zeilenga-ldap-relax> and many more, e.g. writing (certain)
operational attributes and so on.
p.
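
The distinction discussed in this thread, as an added slapd.conf illustration that is not part of the original messages. The suffix, the two DNs and the test entry are constructed placeholders, and the ldapmodify check in the comments assumes the client tools' `-e relax` option.

```conf
# Constructed example: "write" and "manage" granted on the same subtree.
#
# cn=editor gets "write": add and delete (per slapd.access(5)), plus every
#   lower level (read, search, compare, auth, disclose).
# cn=dirmanager gets "manage": everything "write" gives, plus administrative
#   access, e.g. changing (certain) operational attributes when the request
#   carries the Relax Rules control (draft-zeilenga-ldap-relax).
access to dn.subtree="ou=people,dc=example,dc=com"
        by dn.exact="cn=dirmanager,dc=example,dc=com" manage
        by dn.exact="cn=editor,dc=example,dc=com" write
        by users read

# Check to run against a test directory with this ACL loaded:
#
#   ldapmodify -x -e relax -D "<bind DN>" -W <<EOF
#   dn: uid=test,ou=people,dc=example,dc=com
#   changetype: modify
#   replace: createTimestamp
#   createTimestamp: 20120101000000Z
#   EOF
#
# createTimestamp is an operational, NO-USER-MODIFICATION attribute. The
# modify is expected to be accepted only when bound as cn=dirmanager and
# refused when bound as cn=editor, although both can add and delete
# ordinary user attributes under this subtree.
```

When auditing ACLs, treat every `manage` grant as the ability to rewrite bookkeeping attributes such as timestamps and modifier names, and keep it to the few identities that need it.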