Bug ID: 9204
Summary: slapo-constraint allows anyone to apply Relax control
Target Milestone: ---
slapo-constraint doesn't limit who can use the Relax control, beyond the global
limits applied by slapd. In practice, for many modifications this means any
configured constraints are advisory only.
In my opinion this should be considered a bug, in design if not implementation.
I expect many admins would not read the man page closely enough to realize the
behaviour does technically adhere to the letter of what's written there.
Either slapd should require manage privileges for the Relax control globally,
or slapo-constraint should perform a check for manage privilege itself, like
Quoting ando in https://bugs.openldap.org/show_bug.cgi?id=5705#c4
Well, a user with "manage" privileges on related data could
constraints enforced by slapo-constraint(5) by using the "relax"
control. The rationale is that a user with manage privileges could be
able to repair an entry that needs to violate a constraint for good
reasons. Note that the user:
- must have enough privileges to do it (manage)
- must inform the DSA that intends to violate the constraint (by using
but such privileges are currently not being required.
You are receiving this mail because:
You are on the CC list for the bug.