> What access privileges over a particular suffix are granted to somebody
> with the "manage" level that somebody with the "write" level does not get?
>
> As background, using 2.4.26:
>
> This document specifies that somebody with the level "manage" gets
> everything else:
>
> http://www.openldap.org/doc/admin24/access-control.html#The%20access%20to%20grant
>
> On the other hand, slapd.access(5) specifies that "manage grants all
> access including administrative access. The write access is actually the
> combination of add and delete, which respectively restrict the write
> privilege to add or delete the specified <what>."
>
> (I am very puzzled. It strikes me that once I can write (add/delete) any
> entry in a subtree I effectively manage it.)

According to slapd.access(5), the "manage" privilege grants all usual access privileges, plus administrative access. See for example <draft-zeilenga-ldap-relax> and many more, e.g. writing (certain) operational attributes and so on.

p.
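
An added example, not part of the original messages or of the OpenLDAP documentation: a slapd.conf ACL fragment contrasting the levels discussed above. The suffix and every DN are constructed placeholders.

```conf
# Constructed example; dc=example,dc=com and all DNs below are placeholders.
# Levels as named in slapd.access(5):
#   none < disclose < auth < compare < search < read < {write|add|delete} < manage
access to dn.subtree="dc=example,dc=com"
    # "manage": everything "write" gives, plus administrative access.
    # Keep this to the smallest possible set of identities.
    by dn.exact="cn=dsadmin,dc=example,dc=com" manage
    # "write": the combination of add and delete on the matched <what>,
    # without the administrative access that "manage" adds.
    by group.exact="cn=editors,ou=groups,dc=example,dc=com" write
    # "add" alone: the write privilege restricted to adding.
    by dn.exact="cn=provisioner,dc=example,dc=com" add
    by users read
    by * none
```

When reviewing an existing configuration, any `by` clause that ends in `manage` deserves the same scrutiny as the rootdn, since it is the only level that carries the administrative access the reply describes.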
