[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#8245) slapo-unique constraints bypassed by manageDsaIt, change to relax?

ondra@mistotebe.net wrote:
> The other reading is "using relax might let you do more, but you still
> need the right permissions", which is closer to how manageDSAIt works
> and it seems that's what OpenLDAP (but not slapo-constraint) does. The
> hassle is that you need to check permissions if you want to follow that
> and that's hard to do correctly if you're an overlay.

AFAIK using Relax Rules control makes slapd finish a write operation in case a
constraintViolation would be returned without this control provided the bound identity
has manage privilege (and of course does not hit insufficientAccess before because of
missing write privilege).

IMO slapo-unique should do the very same.

If the behaviour is unclear I'd hack a test configuration.

Ciao, Michael.