https://bugs.openldap.org/show_bug.cgi?id=9204
Bug ID: 9204
Summary: slapo-constraint allows anyone to apply Relax control
Product: OpenLDAP
Version: 2.4.49
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs@openldap.org
Reporter: ryan@openldap.org
Target Milestone: ---
slapo-constraint doesn't limit who can use the Relax control, beyond the global limits applied by slapd. In practice, for many modifications this means any configured constraints are advisory only.
In my opinion this should be considered a bug, in design if not implementation. I expect many admins would not read the man page closely enough to realize the behaviour does technically adhere to the letter of what's written there.
Either slapd should require manage privileges for the Relax control globally, or slapo-constraint should perform a check for manage privilege itself, like slapo-unique does.
Quoting ando in https://bugs.openldap.org/show_bug.cgi?id=5705#c4:
Well, a user with "manage" privileges on related data could bypass constraints enforced by slapo-constraint(5) by using the "relax" control. The rationale is that a user with manage privileges could be able to repair an entry that needs to violate a constraint for good reasons. Note that the user:
  - must have enough privileges to do it (manage)
  - must inform the DSA that it intends to violate the constraint (by using the control)
but such privileges are currently not being required.
Ryan Tandy ryan@openldap.org changed:
What             |Removed                          |Added
----------------------------------------------------------------------------
See Also         |                                 |https://bugs.openldap.org/show_bug.cgi?id=8245
Ryan Tandy ryan@openldap.org changed:
What             |Removed                          |Added
----------------------------------------------------------------------------
See Also         |                                 |https://bugs.openldap.org/show_bug.cgi?id=5705
Quanah Gibson-Mount quanah@openldap.org changed:
What             |Removed                          |Added
----------------------------------------------------------------------------
Keywords         |                                 |OL_2_5_REQ
Target Milestone |---                              |2.5.0
Ever confirmed   |0                                |1
Status           |UNCONFIRMED                      |CONFIRMED
--- Comment #1 from Quanah Gibson-Mount quanah@openldap.org ---
Agreed, this seems like a serious oversight/bug that essentially violates the entire idea of having these types of constraints.
Ryan Tandy ryan@openldap.org changed:
What             |Removed                          |Added
----------------------------------------------------------------------------
See Also         |                                 |https://bugs.openldap.org/show_bug.cgi?id=9211
Quanah Gibson-Mount quanah@openldap.org changed:
What             |Removed                                        |Added
----------------------------------------------------------------------------
Depends on       |                                               |9211
See Also         |https://bugs.openldap.org/show_bug.cgi?id=9211 |
Referenced Bugs:
https://bugs.openldap.org/show_bug.cgi?id=9211 [Bug 9211] Relax control is not consistently access-restricted
Quanah Gibson-Mount quanah@openldap.org changed:
What             |Removed                          |Added
----------------------------------------------------------------------------
Target Milestone |2.5.0                            |2.5.1
Quanah Gibson-Mount quanah@openldap.org changed:
What             |Removed                          |Added
----------------------------------------------------------------------------
Target Milestone |2.5.1                            |2.6.0
Keywords         |OL_2_5_REQ                       |
Quanah Gibson-Mount quanah@openldap.org changed:
What             |Removed                          |Added
----------------------------------------------------------------------------
See Also         |                                 |https://bugs.openldap.org/show_bug.cgi?id=6198
Quanah Gibson-Mount quanah@openldap.org changed:
What             |Removed                          |Added
----------------------------------------------------------------------------
Target Milestone |2.6.0                            |2.7.0
Quanah Gibson-Mount quanah@openldap.org changed:
What             |Removed                          |Added
----------------------------------------------------------------------------
See Also         |                                 |https://bugs.openldap.org/show_bug.cgi?id=9211
Quanah Gibson-Mount quanah@openldap.org changed:
What             |Removed                          |Added
----------------------------------------------------------------------------
Depends on       |                                 |6198
Referenced Issues:
https://bugs.openldap.org/show_bug.cgi?id=6198 [Issue 6198] Authorization for extensions
Issue 9204 depends on issue 9211, which changed state.
Issue 9211 Summary: Relax control is not consistently access-restricted https://bugs.openldap.org/show_bug.cgi?id=9211
What             |Removed                          |Added
----------------------------------------------------------------------------
Status           |UNCONFIRMED                      |RESOLVED
Resolution       |---                              |DUPLICATE
--- Comment #2 from Ondřej Kuzník ondra@mistotebe.net ---
We could also check that the user has MANAGE access to each of the potentially constrained attributes and let them relax where they do.
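The following is a constructed model, added here for illustration and not OpenLDAP code, of the decision the initial report and comment #2 are about: a modify request carrying the Relax control, evaluated against slapo-constraint style rules, with the control either honored for any writer (the reported behaviour) or only on attributes where the requester holds MANAGE (the per-attribute gating proposed in comment #2). The identities, ACL grants, constraint rules and result codes are assumptions made up for the example; the access ordering is a simplified version of slapd's.

```python
"""Model of the slapo-constraint / Relax control interaction from ITS#9204.

Constructed example, not OpenLDAP source. It models:
  * constraint rules of the kind slapo-constraint enforces (regex, size, count)
  * an ACL access level per (identity, attribute), in a simplified version of
    slapd's ordering: none < disclose < auth < compare < search < read < write < manage
  * a Relax control on a modify, honored either for anyone holding write (the
    behaviour the report describes) or only on attributes where the requester
    holds MANAGE (the per-attribute gating proposed in comment #2)
All identities, grants and rules below are made up for the example.
"""
import re
from dataclasses import dataclass

ACCESS_LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def access_rank(level):
    """Position of an access level in the (simplified) privilege ordering."""
    return ACCESS_LEVELS.index(level)


@dataclass
class Constraint:
    """One slapo-constraint style rule on a single attribute (modelled, not real syntax)."""
    attr: str
    kind: str      # "regex": every value must match; "size": max value length; "count": max number of values
    value: object

    def violations(self, values):
        """Return the offending values (the whole value list for a count overflow)."""
        if self.kind == "regex":
            pat = re.compile(self.value)
            return [v for v in values if not pat.search(v)]
        if self.kind == "size":
            return [v for v in values if len(v) > self.value]
        if self.kind == "count":
            return list(values) if len(values) > self.value else []
        raise ValueError(f"unknown constraint kind {self.kind!r}")


# Constructed ACL table: identity -> attribute -> granted access level.
ACL = {
    "cn=admin,dc=example,dc=com": {"mail": "manage", "telephoneNumber": "manage"},
    "uid=mailadmin,dc=example,dc=com": {"mail": "manage", "telephoneNumber": "write"},
    "uid=helpdesk,dc=example,dc=com": {"mail": "write", "telephoneNumber": "write"},
}

# Constructed constraint set of the kind slapo-constraint would enforce.
CONSTRAINTS = [
    Constraint("mail", "regex", r"@example\.com$"),
    Constraint("mail", "count", 2),
    Constraint("telephoneNumber", "size", 15),
]


def evaluate_modify(identity, mods, relax=False, gate_relax_on_manage=True):
    """Decide a modify of `mods` (attribute -> resulting values) requested by `identity`.

    Returns ("success", []), ("insufficientAccessRights", [attrs]) or
    ("constraintViolation", [reasons]). With gate_relax_on_manage=False the
    Relax control bypasses every constraint for any writer (the reported
    behaviour); with True it relaxes only constraints on attributes where the
    requester holds MANAGE and is ignored elsewhere. The result names are a
    modelling choice, not slapd's exact error mapping.
    """
    grants = ACL.get(identity, {})

    def has(attr, level):
        return access_rank(grants.get(attr, "none")) >= access_rank(level)

    # Any modify needs write access on every touched attribute, relax or not.
    denied = sorted(a for a in mods if not has(a, "write"))
    if denied:
        return ("insufficientAccessRights", denied)

    reasons = []
    for c in CONSTRAINTS:
        if c.attr not in mods:
            continue
        bad = c.violations(mods[c.attr])
        if not bad:
            continue
        if relax and (not gate_relax_on_manage or has(c.attr, "manage")):
            continue  # constraint deliberately relaxed by an authorised requester
        reasons.append(f"{c.attr} {c.kind} {c.value!r}: {bad}")
    return ("success", []) if not reasons else ("constraintViolation", reasons)


if __name__ == "__main__":
    helpdesk = "uid=helpdesk,dc=example,dc=com"
    bad_mail = {"mail": ["bob@evil.example"]}
    print("helpdesk, no relax:      ", evaluate_modify(helpdesk, bad_mail))
    print("helpdesk, relax, ungated:", evaluate_modify(helpdesk, bad_mail, relax=True, gate_relax_on_manage=False))
    print("helpdesk, relax, gated:  ", evaluate_modify(helpdesk, bad_mail, relax=True))
    print("admin, relax, gated:     ", evaluate_modify("cn=admin,dc=example,dc=com", bad_mail, relax=True))
```

The contrast to look at is the helpdesk identity: with write-only access it is held to the constraints without the control, bypasses all of them when the control is honored unconditionally, and is held to them again once relaxing is gated on MANAGE, while the mailadmin identity shows the per-attribute variant from comment #2 (mail relaxed, telephoneNumber still enforced).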
Ondřej Kuzník ondra@mistotebe.net changed:
What             |Removed                          |Added
----------------------------------------------------------------------------
Status           |CONFIRMED                        |IN_PROGRESS
Assignee         |bugs@openldap.org                |ondra@mistotebe.net
--- Comment #3 from Ondřej Kuzník ondra@mistotebe.net ---
https://git.openldap.org/openldap/openldap/-/merge_requests/856
Quanah Gibson-Mount quanah@openldap.org changed:
What             |Removed                          |Added
----------------------------------------------------------------------------
Resolution       |---                              |TEST
Status           |IN_PROGRESS                      |RESOLVED
--- Comment #4 from Quanah Gibson-Mount quanah@openldap.org ---
  • b9542016 by Ondřej Kuzník at 2026-04-10T19:40:36+00:00
    ITS#9204 Gate relax on MANAGE access
Issue 9204 depends on issue 6198, which changed state.
Issue 6198 Summary: Authorization for extensions https://bugs.openldap.org/show_bug.cgi?id=6198
What             |Removed                          |Added
----------------------------------------------------------------------------
Status           |IN_PROGRESS                      |RESOLVED
Resolution       |---                              |TEST