
Re: (ITS#8245) slapo-unique constraints bypassed by manageDsaIt, change to relax?



ondra@mistotebe.net wrote:
> The other reading is "using relax might let you do more, but you still
> need the right permissions", which is closer to how manageDSAIt works
> and it seems that's what OpenLDAP (but not slapo-constraint) does. The
> hassle is that you need to check permissions if you want to follow that
> and that's hard to do correctly if you're an overlay.

AFAIK using the Relax Rules control makes slapd finish a write operation in case a
constraintViolation would be returned without this control, provided the bound identity
has manage privilege (and of course does not hit insufficientAccess before because of
missing write privilege).

IMO slapo-unique should do the very same.

If the behaviour is unclear I'd hack a test configuration.

Ciao, Michael.