[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#7795) "manage" access right needs better description

quanah@OpenLDAP.org wrote:
> What does administrative access mean?

I can't describe the full meaning, only a specific use case:

In some deployments I grant certain admins the right to remove 'pwdHistory'
attribute from an entry. Since this is an operational attribute one has to
grant also manage privilege for letting the client remove the attribute in
case it sends the Relax Rules control along with the modify request.

(yes, web2ldap implements this particular use case ;-)


access to
    by group="cn=all-mighty admins,dc=example,dc=com" =zm
    by * none

AFAIK this also applies to altering other operational attributes by using
Relax Rules control.

Maybe you can take this as a start for a more general text.

Ciao, Michael.