[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#7795) "manage" access right needs better description

--On Friday, January 31, 2014 5:11 PM +0000 michael@stroeder.com wrote:

> quanah@OpenLDAP.org wrote:
>> What does administrative access mean?
> I can't describe the full meaning, only a specific use case:
> In some deployments I grant certain admins the right to remove
> 'pwdHistory' attribute from an entry. Since this is an operational
> attribute one has to grant also manage privilege for letting the client
> remove the attribute in case it sends the Relax Rules control along with
> the modify request.
> (yes, web2ldap implements this particular use case ;-)
> Example:
> access to
>   attrs=pwdHistory
>     by group="cn=all-mighty admins,dc=example,dc=com" =zm
>     by * none
> AFAIK this also applies to altering other operational attributes by using
> Relax Rules control.
> Maybe you can take this as a start for a more general text.

Great example, thanks!



Quanah Gibson-Mount
Architect - Server
Zimbra, Inc.
Zimbra ::  the leader in open source messaging and collaboration