[Date Prev][Date Next]
Re: (ITS#8245) slapo-unique constraints bypassed by manageDsaIt, change to relax?
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#8245) slapo-unique constraints bypassed by manageDsaIt, change to relax?
- From: firstname.lastname@example.org
- Date: Thu, 30 Mar 2017 19:42:15 +0000
- Auto-submitted: auto-generated (OpenLDAP-ITS)
> The other reading is "using relax might let you do more, but you still
> need the right permissions", which is closer to how manageDSAIt works
> and it seems that's what OpenLDAP (but not slapo-constraint) does. The
> hassle is that you need to check permissions if you want to follow that
> and that's hard to do correctly if you're an overlay.
AFAIK using Relax Rules control makes slapd finish a write operation in case a
constraintViolation would be returned without this control provided the bound identity
has manage privilege (and of course does not hit insufficientAccess before because of
missing write privilege).
IMO slapo-unique should do the very same.
If the behaviour is unclear I'd hack a test configuration.