Issue 7795 - "manage" access right needs better description
Summary: "manage" access right needs better description
Status: VERIFIED FIXED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: documentation
Version: 2.4.39
Hardware: All
OS: All
Priority: ---
Severity: normal
Target Milestone: 2.5.2
Assignee: Howard Chu
URL:
Keywords:
Duplicates: 8283
Depends on:
Blocks:
 
Reported: 2014-01-31 16:49 UTC by Quanah Gibson-Mount
Modified: 2021-02-26 23:35 UTC

See Also:


Description Quanah Gibson-Mount 2014-01-31 08:49:33 UTC
moved from Incoming to Documentation
Comment 1 Quanah Gibson-Mount 2014-01-31 16:49:26 UTC
Full_Name: Quanah Gibson-Mount
Version: 2.4.39
OS: Linux 2.6
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (75.111.58.125)


The documentation in the Admin guide and the man pages for the "manage" ACL
setting has virtually no documentation.  The only definitive statement is a very
vague:

" thus manage grants all access including administrative access"

What does administrative access mean?
Comment 2 ando@openldap.org 2014-01-31 17:08:51 UTC
On 01/31/2014 05:49 PM, quanah@OpenLDAP.org wrote:
> Full_Name: Quanah Gibson-Mount
> Version: 2.4.39
> OS: Linux 2.6
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (75.111.58.125)
>
>
> The documentation in the Admin guide and the man pages for the "manage" ACL
> setting has virtually no documentation.  The only definitive statement is a very
> vague:
>
> " thus manage grants all access including administrative access"
>
> What does administrative access mean?

It allows write when write is granted and the "relax" control is 
present.  In practice, those who have "manage" access can perform those 
normally "prohibited" operations described in draft-zeilenga-ldap-relax.

p.

-- 
Pierangelo Masarati
Associate Professor
Dipartimento di Scienze e Tecnologie Aerospaziali
Politecnico di Milano

Comment 3 Michael Ströder 2014-01-31 17:11:11 UTC
quanah@OpenLDAP.org wrote:
> What does administrative access mean?

I can't describe the full meaning, only a specific use case:

In some deployments I grant certain admins the right to remove 'pwdHistory'
attribute from an entry. Since this is an operational attribute one has to
grant also manage privilege for letting the client remove the attribute in
case it sends the Relax Rules control along with the modify request.

(yes, web2ldap implements this particular use case ;-)

Example:

access to
  attrs=pwdHistory
    by group="cn=all-mighty admins,dc=example,dc=com" =zm
    by * none

AFAIK this also applies to altering other operational attributes by using
Relax Rules control.

Maybe you can take this as a start for a more general text.

Ciao, Michael.
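
An added example, not code from this thread or from the OpenLDAP project, showing both halves of the pwdHistory use case above: the slapd.conf ACL that grants delete plus manage ("=zm") on pwdHistory, and the ldapmodify invocation that sends the Relax Rules control so slapd will touch a NO-USER-MODIFICATION operational attribute at all. The server URI, bind DN, password file, admin group and target DN are assumptions; the script only talks to a server when RUN_LIVE=1 is set, otherwise it prints what it would send.

```sh
#!/bin/sh
# Added example, not from the ITS thread or the OpenLDAP sources.
# Server URI, bind DN, password file and target entry are assumptions;
# the bind DN is assumed to be a member of the "all-mighty admins" group.
set -eu

LDAPURI="${LDAPURI:-ldap://ldap.example.com}"                   # assumed
ADMIN_DN="${ADMIN_DN:-uid=admin,ou=people,dc=example,dc=com}"   # assumed
PASSFILE="${PASSFILE:-/etc/ldap/admin.pw}"                      # assumed

# slapd.conf fragment.  '=' sets exact privileges: z = delete values,
# m = manage.  No 'a' (add) or 'w', so the group can purge history but
# not forge it.  Without 'm' the same modify fails with insufficientAccess
# even though the client sends the relax control.  Any modify also needs
# write access on the "entry" pseudo-attribute, which this fragment
# assumes an existing rule already grants.
acl_fragment() {
    cat <<'EOF'
access to attrs=pwdHistory
    by group="cn=all-mighty admins,dc=example,dc=com" =zm
    by * none
EOF
}

# LDIF that removes every pwdHistory value from one entry.
ldif_clear_pwdhistory() {
    printf 'dn: %s\nchangetype: modify\ndelete: pwdHistory\n-\n' "$1"
}

# ldapmodify command line.  "-e relax" attaches the Relax Rules control
# (OID 1.3.6.1.4.1.4203.666.5.12).  Without it slapd rejects the change
# with "no user modification allowed", whatever the ACL grants.
ldapmodify_relax_cmd() {
    printf 'ldapmodify -H %s -D %s -y %s -e relax' "$LDAPURI" "$ADMIN_DN" "$PASSFILE"
}

# Send the modify only when explicitly asked; otherwise show the request.
clear_pwdhistory() {
    target="$1"
    if [ "${RUN_LIVE:-0}" = 1 ]; then
        ldif_clear_pwdhistory "$target" |
            ldapmodify -H "$LDAPURI" -D "$ADMIN_DN" -y "$PASSFILE" -e relax
    else
        echo "# would run: $(ldapmodify_relax_cmd)"
        ldif_clear_pwdhistory "$target"
    fi
}

echo "# slapd.conf fragment:"
acl_fragment
clear_pwdhistory "uid=alice,ou=people,dc=example,dc=com"
```

A useful check while tuning the ACL is to run the same ldapmodify once without "-e relax" (expect a constraint violation from the NO-USER-MODIFICATION check) and once with the control but with the group's privileges reduced to "=z" (expect insufficientAccess); only the combination of the control and the "m" privilege lets the delete through.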

Comment 4 Quanah Gibson-Mount 2014-01-31 17:19:31 UTC
--On Friday, January 31, 2014 6:08 PM +0100 Pierangelo Masarati 
<pierangelo.masarati@polimi.it> wrote:

> On 01/31/2014 05:49 PM, quanah@OpenLDAP.org wrote:
>> Full_Name: Quanah Gibson-Mount
>> Version: 2.4.39
>> OS: Linux 2.6
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (75.111.58.125)
>>
>>
>> The documentation in the Admin guide and the man pages for the "manage"
>> ACL setting has virtually no documentation.  The only definitive statement
>> is a very vague:
>>
>> " thus manage grants all access including administrative access"
>>
>> What does administrative access mean?
>
> It allows write when write is granted and the "relax" control is present.
> In practice, those who have "manage" access can perform those normally
> "prohibited" operations described in draft-zeilenga-ldap-relax.

Excellent, thank you very much. ;)

--Quanah

--

Quanah Gibson-Mount
Architect - Server
Zimbra, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration

Comment 5 Quanah Gibson-Mount 2014-01-31 17:36:24 UTC
--On Friday, January 31, 2014 5:11 PM +0000 michael@stroeder.com wrote:

> quanah@OpenLDAP.org wrote:
>> What does administrative access mean?
>
> I can't describe the full meaning, only a specific use case:
>
> In some deployments I grant certain admins the right to remove
> 'pwdHistory' attribute from an entry. Since this is an operational
> attribute one has to grant also manage privilege for letting the client
> remove the attribute in case it sends the Relax Rules control along with
> the modify request.
>
> (yes, web2ldap implements this particular use case ;-)
>
> Example:
>
> access to
>   attrs=pwdHistory
>     by group="cn=all-mighty admins,dc=example,dc=com" =zm
>     by * none
>
> AFAIK this also applies to altering other operational attributes by using
> Relax Rules control.
>
> Maybe you can take this as a start for a more general text.

Great example, thanks!

--Quanah


Comment 6 Michael Ströder 2014-01-31 17:43:45 UTC
pierangelo.masarati@polimi.it wrote:
> On 01/31/2014 05:49 PM, quanah@OpenLDAP.org wrote:
>> What does administrative access mean?
> 
> It allows write when write is granted and the "relax" control is 
> present.  In practice, those who have "manage" access can perform those 
> normally "prohibited" operations described in draft-zeilenga-ldap-relax.

I wish this explanation would catch all cases.

I vaguely remember that before the birth of draft-zeilenga-ldap-relax some
(overlays?) misused the Manage DSA IT control for that purpose.

Ciao, Michael.

Comment 7 Quanah Gibson-Mount 2014-01-31 17:54:23 UTC
--On Friday, January 31, 2014 5:36 PM +0000 quanah@zimbra.com wrote:

Additional notes:

[09:07] <hyc> manage access gives you permission to use the Relax control 
on a modify request
[09:07] <hyc> to write to an attribute that is otherwise not user-writable
[09:07] <hyc> only a small set of operational attributes are manageable
[09:08] <hyc> createtimestamp, modifytimestamp, creatorsname, 
modifiersname, entryUUID, entryTTL
[09:09] <hyc> otherwise, the relax control is useless
[09:09] <hyc> hm, the ppolicy opattrs are also manageable


Comment 8 ando@openldap.org 2014-01-31 18:10:27 UTC
On 01/31/2014 06:44 PM, michael@stroeder.com wrote:
> pierangelo.masarati@polimi.it wrote:
>> On 01/31/2014 05:49 PM, quanah@OpenLDAP.org wrote:
>>> What does administrative access mean?
>>
>> It allows write when write is granted and the "relax" control is
>> present.  In practice, those who have "manage" access can perform those
>> normally "prohibited" operations described in draft-zeilenga-ldap-relax.
>
> I wish this explanation would catch all cases.
>
> I vaguely remember that before the birth of draft-zeilenga-ldap-relax some
> (overlays?) misused the Manage DSA IT control for that purpose.

"manageDIT" was renamed to "relax" because it was too similar to 
"manageDSAit".  Besides, although its use is intrinsically related to 
performing administrative operations, it is specifically meant to work 
around rules that make sense from a data model point of view but may 
need to be circumvented *during* "special" operations.

A clear example is the one in the draft, about turning a "person" 
objectClass into an "account" objectClass.  Changing the 
structuralObjectClass of an object is not allowed by the data model; 
however, an administrator (i.e. someone with "manage" privileges) can do 
it using the "relax" control, thus making the entry inconsistent during 
the operation but perfectly consistent before *and* after.

p.


Comment 9 Michael Ströder 2014-01-31 18:22:21 UTC
pierangelo.masarati@polimi.it wrote:
> On 01/31/2014 06:44 PM, michael@stroeder.com wrote:
>> pierangelo.masarati@polimi.it wrote:
>>> On 01/31/2014 05:49 PM, quanah@OpenLDAP.org wrote:
>>>> What does administrative access mean?
>>>
>>> It allows write when write is granted and the "relax" control is
>>> present.  In practice, those who have "manage" access can perform those
>>> normally "prohibited" operations described in draft-zeilenga-ldap-relax.
>>
>> I wish this explanation would catch all cases.
>>
>> I vaguely remember that before the birth of draft-zeilenga-ldap-relax some
>> (overlays?) misused the Manage DSA IT control for that purpose.
> 
> "manageDIT" was renamed to "relax" because it was too similar to 
> "manageDSAit".

Yes, I know. I meant it literally mentioning "Manage DSA IT control".

Ciao, Michael.

Comment 10 Quanah Gibson-Mount 2020-03-22 00:49:39 UTC
*** Issue 8283 has been marked as a duplicate of this issue. ***
Comment 11 Howard Chu 2021-02-18 13:24:35 UTC
in master
Comment 12 Quanah Gibson-Mount 2021-02-18 16:08:34 UTC
Commits: 
  • 70a7f517 
by Howard Chu at 2021-02-18T13:23:47+00:00 
ITS#7795 more detail for "manage" priv