https://bugs.openldap.org/show_bug.cgi?id=8245

--- Comment #13 from Ryan Tandy ryan@openldap.org --- (In reply to Michael Ströder from comment #6)

Please correct if I'm wrong but AFAIK you need 'manage' privilege to circumvent constraints (e.g. slapo-constraint and slapo-ppolicy).

That doesn't appear to be the case. A user with only 'write' privilege can actually use Relax to modify attributes freely, bypassing slapo-constraint.

Personally I find this behaviour quite surprising. I would have expected both overlays to behave like slapo-unique does (Relax honoured only with manage access). As an administrator, configuring an overlay such as slapo-constraint seems fairly pointless if users can simply ignore it any time they choose.

I don't understand the global Relax handling for Add/Rename, but not Modify, either. If I understand the two options Ondřej described, either we should require manage access _always_ in the presence of Relax, or only if the request actually needs some rules to be relaxed. But AFAICT neither of those is (consistently) the case right now...

(I guess this gets rather off-topic for this ticket, sorry!)