> On Dec 8, 2022, at 6:46 PM, Alex Samad - Yieldbroker 
> <[email protected]> wrote:
> 
> Hi
> 
> From the online doco re 
>> Level         Privileges      Description
>> none =        0       no access
>> disclose =    d       needed for information disclosure on error
>> auth =        dx      needed to authenticate (bind)
>> compare =     cdx     needed to compare
>> search =      scdx    needed to apply search filters
>> read =        rscdx   needed to read search results
>> write =       wrscdx  needed to modify/rename
>> manage =      mwrscdx         needed to manage
> 
> I couldn't find out what the difference between manage and write is; what 
> does the M allow for?
> 
> olcAccess: to dn.subtree="ou=Users,"
>   by dn.exact="cn=directory,ou=Roles," manage by * break
> 
> 
> so for the subtree ou=User
> 
> I want to allow cn=directory to add / modify / delete any children of 
> ou=Users. Reading the doco it seems like I only need to give it write 
> access; what can I do extra with manage?

Hello Alex,


```
man slapd.access

...
THE <ACCESS> FIELD
…

thus manage grants all access including administrative access. This access 
allows some modifications which would otherwise be prohibited by the LDAP data 
model or the directory schema, e.g. changing the structural objectclass of an 
entry, or modifying an operational attribute that is defined as not user 
modifiable.

The write access is actually the combination of add and delete, which 
respectively restrict the write privilege to add or delete the specified <what>.
```

Write access should suffice. You probably won’t need to grant service accounts 
manage access. You can always add it later if need be.

> 
> Also for userPassword  attr to write to it do I need to have the read or can 
> I just have  =wd
> 


```
man slapd.access (cont.)

The level access model relies on an incremental interpretation of the access 
privileges. The possible levels are none, disclose, auth, compare, search, 
read, write, and manage. Each access level implies all the preceding ones.
```

Cheers

—
Shawn


> Thanks
> Alex
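A small model of the level-versus-privilege distinction discussed in this thread, added here as an example; it is not code from the thread or from OpenLDAP itself. The level table is the one quoted from slapd.access(5) above. The explicit `=<privs>` form, the add (a) and delete (z) letters that together make up write (w), and the mapping from operation kind to the privilege slapd checks are taken from slapd.access(5), not from this thread, and the operation mapping is an assumption stated in the code. It shows concretely what the incremental level model means (a `write` grant implies read, search, compare, auth and disclose) and what a bare `=wd` on userPassword does and does not grant (modify, add and delete, but not read or auth).

```python
"""Model of slapd.access(5) access levels vs. explicit privileges.

Added example; not code from the thread or from OpenLDAP.
"""

# Level table as quoted from slapd.access(5) in the thread above.
# Each level implies all the preceding ones.
LEVELS = {
    "none":     "0",
    "disclose": "d",
    "auth":     "dx",
    "compare":  "cdx",
    "search":   "scdx",
    "read":     "rscdx",
    "write":    "wrscdx",
    "manage":   "mwrscdx",
}

# Privilege letters accepted in the "=<privs>" form (from slapd.access(5),
# not from the thread): m manage, w write, a add, z delete, r read,
# s search, c compare, x auth, d disclose, 0 none.
PRIV_LETTERS = set("mwazrscxd0")

# Privilege slapd checks for each kind of operation (assumption based on
# slapd.access(5): a modify needs write, which is add plus delete).
OPERATION_PRIV = {
    "disclose": "d",
    "auth":     "x",
    "compare":  "c",
    "search":   "s",
    "read":     "r",
    "add":      "a",
    "delete":   "z",
    "modify":   "w",
    "manage":   "m",
}


def expand(letters):
    """Normalise a privilege string: w is the combination of a and z."""
    privs = set(letters) - {"0"}
    if "w" in privs:
        privs |= {"a", "z"}
    if {"a", "z"} <= privs:
        privs.add("w")
    return privs


def privileges(spec):
    """Privileges granted by an <access> spec: a level name or '=<privs>'.

    The incremental '+<privs>' / '-<privs>' forms depend on earlier rules
    and are deliberately not modelled here.
    """
    if spec.startswith("="):
        letters = spec[1:]
        unknown = set(letters) - PRIV_LETTERS
        if unknown:
            raise ValueError(f"unknown privilege letter(s): {sorted(unknown)}")
        return expand(letters)
    if spec in LEVELS:
        return expand(LEVELS[spec])
    raise ValueError(f"unknown access level: {spec!r}")


def allows(spec, operation):
    """True if the access spec grants the privilege that operation needs."""
    return OPERATION_PRIV[operation] in privileges(spec)


def compare_specs(specs):
    """For each spec, the operations it allows (ordered as in OPERATION_PRIV)."""
    return {spec: [op for op in OPERATION_PRIV if allows(spec, op)]
            for spec in specs}


if __name__ == "__main__":
    # The two cases from the thread: a 'write' grant on the ou=Users subtree
    # versus 'manage', and a bare '=wd' grant on userPassword.
    for spec, ops in compare_specs(["write", "manage", "=wd"]).items():
        print(f"{spec:8s} -> {', '.join(ops)}")
```

Running it prints that `write` allows everything except manage, `manage` allows everything, and `=wd` allows only disclose, add, delete and modify: enough for a password change, but the DN holding it cannot read the attribute or bind with it, which is usually the intended shape of a userPassword rule.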
