On 01/31/2014 06:44 PM, [email protected] wrote:
> [email protected] wrote:
>> On 01/31/2014 05:49 PM, [email protected] wrote:
>>> What does administrative access mean?
>>
>> It allows write when write is granted and the "relax" control is
>> present. In practice, those who have "manage" access can perform those
>> normally "prohibited" operations described in draft-zeilenga-ldap-relax.
>
> I wish this explanation would catch all cases.
>
> I vaguely remember that before the birth of draft-zeilenga-ldap-relax some
> (overlays?) misused the Manage DSA IT control for that purpose.

"manageDIT" was renamed to "relax" because it was too similar to "manageDSAit". Besides, although its use is intrinsically related to performing administrative operations, it is specifically meant to work around rules that make sense from a data model point of view but may need to be circumvented *during* "special" operations.

A clear example is the one in the draft, about turning a "person" objectClass into an "account" objectClass. Changing the structuralObjectClass of an object is not allowed by the data model; however, an administrator (i.e. someone with "manage" privileges) can do it using the "relax" control, thus making the entry inconsistent during the operation but perfectly consistent before *and* after.

p.

--
Pierangelo Masarati
Associate Professor
Dipartimento di Scienze e Tecnologie Aerospaziali
Politecnico di Milano
