Re: (ITS#6641) Syncrepl failure with 'overlay unique'
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#6641) Syncrepl failure with 'overlay unique'
- From: hyc@symas.com
- Date: Fri, 21 Jan 2011 03:11:35 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
ondrej.kuznik@acision.com wrote:
> On 11/09/2010 03:50 PM, ondrej.kuznik@acision.com wrote:
>> I have put a preliminary version of patches that modify the unique
>> overlay here
>> ftp://ftp.openldap.org/incoming/ondrej-kuznik-20101109-unique_bypass_v1.tgz
>>
>> They add a new configuration attribute olcUniqueAllowManageBypass (it is
>> prohibitively long for a name, though) that, if set to TRUE, triggers
>> the uniqueness checks not to be performed if the operation has manage
>> privileges on the entry. There are three separate patches,
>> configuration code regarding the new attribute, the checks in
>> unique_{add,modify,modrdn} and manpage modifications.
>>
> After a conversation with Howard, I have modified the patches so that
> the overlay checks for the ManageDsaIt control instead. That control
> should be set for each operation coming from replication. The patches
> are here:
> ftp://ftp.openldap.org/incoming/ondrej-kuznik-20101202-unique_bypass_v2.tgz
>
> Is there anything else that comes to mind?
I'm not sure it merits a config keyword. We already have instances where
administrators are implicitly allowed to bypass rules that restrict normal
users, and replication is obviously a system-level operation, not user level.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/