[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#7795) "manage" access right needs better description

On 01/31/2014 06:44 PM, michael@stroeder.com wrote:
> pierangelo.masarati@polimi.it wrote:
>> On 01/31/2014 05:49 PM, quanah@OpenLDAP.org wrote:
>>> What does administrative access mean?
>> It allows write when write is granted and the "relax" control is
>> present.  In practice, those who have "manage" access can perform those
>> normally "prohibited" operations described in draft-zeilenga-ldap-relax.
> I wish this explanation would catch all cases.
> I vaguely remember that before the birth of draft-zeilenga-ldap-relax some
> (overlays?) misused the Manage DSA IT control for that purpose.

"manageDIT" was renamed to "relax" because it was too similar to 
"manageDSAit".  Besides, although its use is intrinsically related to 
performing administrative operations, it is specifically meant to work 
around rules that make sense from a data model point of view but may 
need to be circumvented *during* "special" operations.

A clear example is the one in the draft, about turning a "person" 
objectClass into an "account" objectClass.  Changing the 
structuralObjectClass of an object is not allowed by the data model; 
however, an administrator (i.e. someone with "manage" privileges) can do 
it using the "relax" control, thus making the entry inconsistent during 
the operation but perfectly consistent before *and* after.


Pierangelo Masarati
Associate Professor
Dipartimento di Scienze e Tecnologie Aerospaziali
Politecnico di Milano