On Thu, Mar 30, 2017 at 05:13:47PM +0200, Michael Ströder wrote:
> ondra@mistotebe.net wrote:
>> Given that relax control is still allowed for everyone (and no ACL support for controls exists yet), this patch will buy us little.
> Please correct me if I'm wrong, but AFAIK you need the 'manage' privilege to circumvent constraints (e.g. slapo-constraint and slapo-ppolicy).
You don't need to be granted ACL_MANAGE to bypass slapo-constraint. Just providing -e '!relax' will do. It's just that some features and operations (add/rename) are protected by an additional ACL_MANAGE check if you run with the relax control, so they will fail unless you have that privilege.
I guess there is some room in the interpretation of what draft-zeilenga-ldap-relax-01 says: "[it is] expected that use of this extension will be restricted by administrative and/or access controls"
One option is that if you specify the control (especially since you have to make it critical), you should qualify for administrative permissions on that operation, or have it fail regardless of whether it would ordinarily succeed. If OpenLDAP backends adhered to that reading, constraint would do the right thing now, and unique would as well with the patches I provided.
The other reading is "using relax might let you do more, but you still need the right permissions", which is closer to how manageDSAIt works and it seems that's what OpenLDAP (but not slapo-constraint) does. The hassle is that you need to check permissions if you want to follow that and that's hard to do correctly if you're an overlay.
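Since the discussion above hinges on the client sending the Relax Rules control with criticality TRUE (which is what the leading `!` in `-e '!relax'` means), here is a small added example, not part of the thread or of OpenLDAP, that shows what that control looks like on the wire per RFC 4511's Control encoding. The OID 1.3.6.1.4.1.4203.666.5.12 is the Relax Rules control from draft-zeilenga-ldap-relax; the function names and the rejection of a non-critical control in `relax_requested` are this example's own assumptions about how a server might treat the draft's "criticality MUST be TRUE" wording.

```python
# Added example: BER encoding/decoding of the LDAP Relax Rules control.
# Not code from the OpenLDAP project; names here are this example's own.

RELAX_RULES_OID = "1.3.6.1.4.1.4203.666.5.12"  # draft-zeilenga-ldap-relax


def _ber_len(n):
    """Encode a BER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def encode_control(oid, criticality=False, value=None):
    """RFC 4511 4.1.11: Control ::= SEQUENCE { controlType LDAPOID,
    criticality BOOLEAN DEFAULT FALSE, controlValue OCTET STRING OPTIONAL }.
    A FALSE criticality is omitted, as the DEFAULT means it must be."""
    body = _tlv(0x04, oid.encode("ascii"))
    if criticality:
        body += _tlv(0x01, b"\xff")
    if value is not None:
        body += _tlv(0x04, value)
    return _tlv(0x30, body)


def relax_rules_control():
    """What ldapmodify -e '!relax' puts in the request: critical, no value."""
    return encode_control(RELAX_RULES_OID, criticality=True)


def _read_tlv(buf, pos):
    tag = buf[pos]
    pos += 1
    first = buf[pos]
    pos += 1
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def decode_control(data):
    """Parse one Control; returns (oid, criticality, value)."""
    tag, body, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("not a single Control SEQUENCE")
    pos = 0
    tag, oid, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("controlType must be an OCTET STRING")
    criticality, value = False, None
    if pos < len(body) and body[pos] == 0x01:
        _, flag, pos = _read_tlv(body, pos)
        criticality = flag != b"\x00"
    if pos < len(body) and body[pos] == 0x04:
        _, value, pos = _read_tlv(body, pos)
    if pos != len(body):
        raise ValueError("trailing bytes in Control")
    return oid.decode("ascii"), criticality, value


def relax_requested(encoded_controls):
    """Server-side view (this example's assumption, not slapd's code):
    True if a Relax Rules control is present and critical; a non-critical
    one violates the draft's MUST and is treated as a protocol error."""
    for raw in encoded_controls:
        oid, critical, _ = decode_control(raw)
        if oid == RELAX_RULES_OID:
            if not critical:
                raise ValueError("relax control must be marked critical")
            return True
    return False


if __name__ == "__main__":
    print(relax_rules_control().hex())
    print(decode_control(relax_rules_control()))
```

The point for an overlay author is that the control itself carries no authorization information at all: whether the bind DN holds ACL_MANAGE is something the server (or overlay) has to check separately, which is exactly the second reading above.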