
Re: (ITS#8245) slapo-unique constraints bypassed by manageDsaIt, change to relax?



On Thu, Mar 30, 2017 at 05:13:47PM +0200, Michael Ströder wrote:
> ondra@mistotebe.net wrote:
>> Given that relax control is still allowed for everyone (and no ACL
>> support for controls exists yet), this patch will buy us little.
> 
> Please correct if I'm wrong but AFAIK you need 'manage' privilege to circumvent
> constraints (e.g. slapo-constraint and slapo-ppolicy).

You don't need to be granted ACL_MANAGE to bypass slapo-constraint. Just
providing -e '!relax' will do. Just that some features and
operations (add/rename) are protected by an additional ACL_MANAGE check
if you run with the relax control so they will fail unless you have that
privilege.

I guess there is some room in the interpretation of what
draft-zeilenga-ldap-relax-01 says: "[it is] expected that use of this
extension will be restricted by administrative and/or access controls"

One option is that if you specify the control, especially since you
have to make it critical, you should qualify for administrative
permissions on that operation or have it fail regardless of whether it
would ordinarily succeed. If OpenLDAP backends adhered to that reading,
constraint would do the right thing now and unique would as well with
the patches I provided.

The other reading is "using relax might let you do more, but you still
need the right permissions", which is closer to how manageDSAIt works
and it seems that's what OpenLDAP (but not slapo-constraint) does. The
hassle is that you need to check permissions if you want to follow that
and that's hard to do correctly if you're an overlay.

-- 
Ondřej Kuzník
Senior Software Engineer
Symas Corporation                       http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
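As an added illustration of the ACL_MANAGE point above (not part of the original post, and not a fix for the ITS), the slapd.conf fragment below stacks slapo-constraint and slapo-unique on a hypothetical dc=example,dc=com database and grants 'manage' only to cn=admin; all names and values are made up for the example.

```conf
# Hypothetical database section; overlays are stacked after it.
database mdb
suffix   "dc=example,dc=com"
rootdn   "cn=admin,dc=example,dc=com"

# slapo-constraint: mail must belong to the example.com domain.
# Per the thread, a modify sent with -e '!relax' skips this check
# regardless of the ACLs below.
overlay constraint
constraint_attribute mail regex ^[^@]+@example\.com$

# slapo-unique: uid must be unique below ou=People.
overlay unique
unique_uri ldap:///ou=People,dc=example,dc=com?uid?sub

# Only the admin holds the 'manage' privilege. Add and rename
# operations carrying the relax control hit the extra ACL_MANAGE
# check and are refused for every other bind identity.
access to dn.subtree="dc=example,dc=com"
    by dn.exact="cn=admin,dc=example,dc=com" manage
    by users write
    by * read
```

The ACL narrows who can add or rename under relax, but, as the post explains, it does not cover the modify path through slapo-constraint, which is why an overlay-side permission check is being discussed.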