Re: (ITS#7795) "manage" access right needs better description
--On Friday, January 31, 2014 5:11 PM +0000 michael@stroeder.com wrote:
> quanah@OpenLDAP.org wrote:
>> What does administrative access mean?
>
> I can't describe the full meaning, only a specific use case:
>
> In some deployments I grant certain admins the right to remove
> 'pwdHistory' attribute from an entry. Since this is an operational
> attribute one has to grant also manage privilege for letting the client
> remove the attribute in case it sends the Relax Rules control along with
> the modify request.
>
> (yes, web2ldap implements this particular use case ;-)
>
> Example:
>
> access to
>     attrs=pwdHistory
>     by group="cn=all-mighty admins,dc=example,dc=com" =zm
>     by * none
>
> AFAIK this also applies to altering other operational attributes by using
> Relax Rules control.
>
> Maybe you can take this as a start for a more general text.
Great example, thanks!
--Quanah
--
Quanah Gibson-Mount
Architect - Server
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
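
An added illustration, not part of the original messages and not OpenLDAP code: a small Python model of the access notation documented in slapd.access(5), showing that `=zm` in the quoted ACL grants exactly delete and manage, without read or anything below it. The function names are hypothetical, the `self`/`realself` prefixes are not handled, and the rule that a Relax Rules delete of an operational attribute needs both `z` and `m` is taken from the quoted message rather than from slapd's source.

```python
# Access levels from slapd.access(5); each level implies all lower ones.
# 'w' (write) is shorthand for 'a' (add) plus 'z' (delete).
LEVELS = {
    "none": "", "disclose": "d", "auth": "dx", "compare": "dxc",
    "search": "dxcs", "read": "dxcsr", "add": "dxcsra",
    "delete": "dxcsrz", "write": "dxcsraz", "manage": "dxcsrazm",
}
VALID = set("dxcsrazm")


def expand(spec, current=frozenset()):
    """Return the set of privilege letters an <access> field results in.

    spec is a level name ("read", "manage") or a privilege string
    ("=zm", "+w", "-m"). current is what was granted before this clause;
    it only matters for the incremental '+' and '-' forms.
    """
    if spec in LEVELS:
        return frozenset(LEVELS[spec])
    op, letters = spec[:1], spec[1:]
    if op not in ("=", "+", "-") or not letters:
        raise ValueError(f"not an access level or privilege string: {spec!r}")
    privs = set()
    for ch in letters:
        if ch == "0":            # explicit "no privileges"
            continue
        if ch == "w":            # write expands to add + delete
            privs |= {"a", "z"}
        elif ch in VALID:
            privs.add(ch)
        else:
            raise ValueError(f"unknown privilege letter {ch!r} in {spec!r}")
    if op == "=":                # '=' replaces, it does not imply lower levels
        return frozenset(privs)
    return current | privs if op == "+" else current - privs


def can_relax_delete(privs):
    # Assumption from the quoted message: removing an operational attribute
    # with the Relax Rules control needs manage (m) as well as delete (z).
    return {"z", "m"} <= set(privs)


if __name__ == "__main__":
    for spec in ("=zm", "write", "manage"):
        p = expand(spec)
        print(f"{spec:7} -> {''.join(sorted(p)) or '0':9} "
              f"relax-delete={can_relax_delete(p)} read={'r' in p}")
```

Compared with granting the `manage` level outright, `=zm` keeps the group from reading or adding values of the attribute.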