ondrej.kuznik@acision.com wrote:
On 11/09/2010 03:50 PM, ondrej.kuznik@acision.com wrote:
I have put a preliminary version of patches that modify the unique overlay here ftp://ftp.openldap.org/incoming/ondrej-kuznik-20101109-unique_bypass_v1.tgz
They add a new configuration attribute olcUniqueAllowManageBypass (it is prohibitively long for a name, though) that, if set to TRUE, triggers the uniqueness checks not to be performed if the operation has manage privileges on the entry. There are three separate patches: configuration code regarding the new attribute, the checks in unique_{add,modify,modrdn}, and manpage modifications.
After a conversation with Howard, I have modified the patches so that the overlay checks for the ManageDsaIt control instead. That control should be set for each operation coming from replication. The patches are here: ftp://ftp.openldap.org/incoming/ondrej-kuznik-20101202-unique_bypass_v2.tgz
Is there anything else that comes to mind?
I'm not sure it merits a config keyword. We already have instances where administrators are implicitly allowed to bypass rules that restrict normal users, and replication is obviously a system-level operation, not user level.