[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#6641) Syncrepl failure with 'overlay unique'

ondrej.kuznik@acision.com wrote:
> Hash: SHA1
> On 11/09/2010 03:50 PM, ondrej.kuznik@acision.com wrote:
>> I have put a preliminary version of patches that modify the unique
>> overlay here
>> ftp://ftp.openldap.org/incoming/ondrej-kuznik-20101109-unique_bypass_v1.tgz
>> They add a new configuration attribute olcUniqueAllowManageBypass (it is
>> prohibitively long for a name, though) that, if set to TRUE, triggers
>> the uniqueness checks not to be performed if the operation has manage
>> privilegies on the entry. There are three separate patches,
>> configuration code regarding the new attribute, the checks in
>> unique_{add,modify,modrdn} and manpage modifications.
> After a conversation with Howard, I have modified the patches so that
> the overlay check for the ManageDsaIt control instead. That control
> should be set for each operation coming from replication. The patches
> are here:
> ftp://ftp.openldap.org/incoming/ondrej-kuznik-20101202-unique_bypass_v2.tgz
> Is there anything else that comes to mind?

I'm not sure it merits a config keyword. We already have instances where 
administrators are implicitly allowed to bypass rules that restrict normal 
users, and replication is obviously a system-level operation, not user level.

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/