
Re: (ITS#7795) "manage" access right needs better description



quanah@OpenLDAP.org wrote:
> What does administrative access mean?

I can't describe the full meaning, only a specific use case:

In some deployments I grant certain admins the right to remove the 'pwdHistory'
attribute from an entry. Since this is an operational attribute, one also has
to grant the manage privilege to let the client remove the attribute in
case it sends the Relax Rules control along with the modify request.

(yes, web2ldap implements this particular use case ;-)

Example:

access to
  attrs=pwdHistory
    by group="cn=all-mighty admins,dc=example,dc=com" =zm
    by * none

AFAIK this also applies to altering other operational attributes by using
the Relax Rules control.

Maybe you can take this as a start for a more general text.

Ciao, Michael.
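
An added example, not part of the original message or of OpenLDAP: a small Python expander for the slapd.access(5) <access> field, showing that "=zm" sets exactly delete and manage, without the read and search privileges that the named level "manage" includes. The names expand, report and RELAX_DELETE are hypothetical, and the delete-plus-manage requirement encoded in RELAX_DELETE is taken from the message above.

```python
# Added example (not from the original message): expand a slapd.access(5)
# <access> field into privilege letters. m manage, w write (= a add + z delete),
# r read, s search, c compare, x auth, d disclose, 0 none.
ALL = "mazrscxd"  # 'w' is stored as its halves 'a' and 'z'

# Named levels are cumulative: each includes the levels below it.
LEVELS = {
    "none": "", "disclose": "d", "auth": "xd", "compare": "cxd",
    "search": "scxd", "read": "rscxd", "add": "arscxd",
    "delete": "zrscxd", "write": "azrscxd", "manage": ALL,
}

# Assumption taken from the message: removing an operational attribute such as
# pwdHistory under Relax Rules needs delete (z) plus manage (m).
RELAX_DELETE = frozenset("zm")

def expand(spec, current=frozenset()):
    """Return the privilege set after applying one <access> field."""
    if spec.startswith("self"):  # "self" modifier leaves the letters unchanged
        spec = spec[4:]
    if spec in LEVELS:
        return frozenset(LEVELS[spec])
    if len(spec) < 2 or spec[0] not in "=+-":
        raise ValueError(f"not a level or privilege spec: {spec!r}")
    op, letters = spec[0], spec[1:]
    if "0" in letters and letters != "0":
        raise ValueError("'0' must be used by itself")
    privs = set()
    for ch in letters.replace("w", "az").replace("0", ""):
        if ch not in ALL:
            raise ValueError(f"unknown privilege letter {ch!r}")
        privs.add(ch)
    if op == "=":
        return frozenset(privs)      # '=' resets to exactly these letters
    return frozenset(current | privs if op == "+" else current - privs)

def report(spec):
    privs = expand(spec)
    return {
        "privs": "".join(c for c in ALL if c in privs),
        "relax_delete_ok": RELAX_DELETE <= privs,
        "can_read": "r" in privs,
    }

if __name__ == "__main__":
    for spec in ("=zm", "write", "manage"):
        print(f"{spec:8} {report(spec)}")
```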