[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#7795) "manage" access right needs better description

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#7795) "manage" access right needs better description
From: quanah@zimbra.com
Date: Fri, 31 Jan 2014 17:36:55 GMT
Auto-submitted: auto-generated (OpenLDAP-ITS)

--On Friday, January 31, 2014 5:11 PM +0000 michael@stroeder.com wrote:

> quanah@OpenLDAP.org wrote:
>> What does administrative access mean?
>
> I can't describe the full meaning, only a specific use case:
>
> In some deployments I grant certain admins the right to remove
> 'pwdHistory' attribute from an entry. Since this is an operational
> attribute one has to grant also manage privilege for letting the client
> remove the attribute in case it sends the Relax Rules control along with
> the modify request.
>
> (yes, web2ldap implements this particular use case ;-)
>
> Example:
>
> access to
>   attrs=pwdHistory
>     by group="cn=all-mighty admins,dc=example,dc=com" =zm
>     by * none
>
> AFAIK this also applies to altering other operational attributes by using
> Relax Rules control.
>
> Maybe you can take this as a start for a more general text.

Great example, thanks!

--Quanah


--

Quanah Gibson-Mount
Architect - Server
Zimbra, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration

Prev by Date: Re: (ITS#7795) "manage" access right needs better description
Next by Date: Re: (ITS#7795) "manage" access right needs better description
Index(es):
- Chronological
- Thread