clarify how LDAP works correctly

cfaca097 · anarcat · efeb6df2 · cfaca097
Unverified Commit cfaca097 authored 4 years ago by anarcat
--- a/policy/tpa-rfc-7-root.md
+++ b/policy/tpa-rfc-7-root.md
@@ -24,7 +24,8 @@ There are multiple possible access levels, often conflated:
    runs as root everywhere
 4. LDAP admin: a user member of the `adm` group in LDAP also gets
    access everywhere through `sudo`, but also through being able to
-    impersonate or modify other users in LDAP
+    impersonate or modify other users in LDAP (although that requires
+    shell access to the LDAP server, which normally requires root)
 5. password manager access: a user's OpenPGP encryption key is added
    to the `tor-passwords.git` repository, which grants access to
    various administrative sites, root passwords and cryptographic