
Re: manage vs write

> What access privileges over a particular suffix are granted to somebody
> with the "manage" level that somebody with the "write" level does not get?
> As background, using 2.4.26:
> This document specifies that somebody with the level "manage" gets
> everything else:
> http://www.openldap.org/doc/admin24/access-control.html#The%20access%20to%20grant
> On the other hand, slapd.access(5) specifies that "manage grants all
> access including administrative access. The write access is actually the
> combination of add and delete, which respectively restrict the write
> privilege to add or delete the specified <what>."
> (I am very puzzled. It strikes me that once I can write (add/delete) any
> entry in a subtree I effectively manage it.)

According to slapd.access(5), the "manage" privilege grants all usual
access privileges, plus administrative access.  See for example
<draft-zeilenga-ldap-relax> and many more, e.g. writing (certain)
operational attributes and so on.
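As an added illustration (not part of the original thread, and not taken from the OpenLDAP documentation), the following slapd.conf-style access directive puts the two levels side by side. The suffix, group DNs and group names are constructed for the example; the semantics follow slapd.access(5) as cited in the reply: "write" covers ordinary add/delete/modify of user data, while "manage" is additionally required for administrative operations such as those performed under the Relax Rules control described in draft-zeilenga-ldap-relax.

```conf
# Constructed example ACL (hypothetical suffix and group DNs).
# "manage" is a superset of "write": it includes everything write grants,
# plus administrative access, e.g. modifications that need the Relax Rules
# control (such as writing certain operational attributes).
access to dn.subtree="ou=People,dc=example,dc=com"
    by group.exact="cn=Directory Admins,dc=example,dc=com" manage
    by group.exact="cn=Editors,dc=example,dc=com" write
    by * read
```

With this directive, members of "cn=Editors" can add, delete and modify entries and their user attributes under the subtree, but requests that rely on administrative access (for example a modify under the Relax Rules control) are denied for them and permitted only for members of "cn=Directory Admins". Keeping the "manage" group deliberately small is the practical consequence: it is the level that lets a binder bypass the normal integrity rules, so audit its membership rather than treating it as a convenient synonym for "write".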