[Bug 9211] New: Relax control is not consistently access-restricted

List overview All Threads
Download

newer

older

[Issue 10268] New: Operation rate...

[Issue 9920] New: MDB_PAGE_FULL...

openldap-its＠openldap.org

12 Apr 2020 12 Apr '20

10:59 a.m.

https://bugs.openldap.org/show_bug.cgi?id=9211

Bug ID: 9211 Summary: Relax control is not consistently access-restricted Product: OpenLDAP Version: 2.4.49 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: slapd Assignee: bugs@openldap.org Reporter: ryan@openldap.org Target Milestone: ---

The following operations can be performed by anyone having 'write' access (not even 'manage') using the Relax control:

- modifying/replacing structural objectClass - adding/modifying OBSOLETE attributes

Some operations are correctly restricted: - adding/modifying NO-USER-MODIFICATION attributes marked as manageable

(Modification of non-conformant objects doesn't appear to be implemented at all.)

In the absence of ACLs for controls, I'm of the opinion that all use of the Relax control should require manage access. The Relax draft clearly and repeatedly discusses its use cases in terms of directory _administrators_ temporarily relaxing constraints in order to accomplish a specific task.

-- You are receiving this mail because: You are on the CC list for the bug.

Show replies by date

openldap-its＠openldap.org

12 Apr 12 Apr

11:18 a.m.

New subject: [Bug 9211] Relax control is not consistently access-restricted

https://bugs.openldap.org/show_bug.cgi?id=9211

Ryan Tandy ryan@openldap.org changed:

-- You are receiving this mail because: You are on the CC list for the bug.

openldap-its＠openldap.org

13 Apr 13 Apr

12:08 p.m.

New subject: [Bug 9211] Relax control is not consistently access-restricted

https://bugs.openldap.org/show_bug.cgi?id=9211

Quanah Gibson-Mount quanah@openldap.org changed:

Referenced Bugs:

https://bugs.openldap.org/show_bug.cgi?id=9204 [Bug 9204] slapo-constraint allows anyone to apply Relax control

-- You are receiving this mail because: You are on the CC list for the bug.

openldap-its＠openldap.org

17 Apr 17 Apr

10:01 a.m.

New subject: [Bug 9211] Relax control is not consistently access-restricted

https://bugs.openldap.org/show_bug.cgi?id=9211

Ryan Tandy ryan@openldap.org changed:

What |Removed |Added ---------------------------------------------------------------------------- Assignee|bugs@openldap.org |ryan@openldap.org

-- You are receiving this mail because: You are on the CC list for the bug.

openldap-its＠openldap.org

28 Jan 28 Jan

9:39 a.m.

New subject: [Issue 9211] Relax control is not consistently access-restricted

https://bugs.openldap.org/show_bug.cgi?id=9211

Quanah Gibson-Mount quanah@openldap.org changed:

What |Removed |Added ---------------------------------------------------------------------------- Target Milestone|--- |2.6.0

-- You are receiving this mail because: You are on the CC list for the issue.

openldap-its＠openldap.org

3 Jun 3 Jun

10 a.m.

New subject: [Issue 9211] Relax control is not consistently access-restricted

https://bugs.openldap.org/show_bug.cgi?id=9211

Quanah Gibson-Mount quanah@openldap.org changed:

-- You are receiving this mail because: You are on the CC list for the issue.

openldap-its＠openldap.org

14 Jun 14 Jun

9:27 a.m.

New subject: [Issue 9211] Relax control is not consistently access-restricted

https://bugs.openldap.org/show_bug.cgi?id=9211

Quanah Gibson-Mount quanah@openldap.org changed:

What |Removed |Added ---------------------------------------------------------------------------- Depends on| |6198

Referenced Issues:

https://bugs.openldap.org/show_bug.cgi?id=6198 [Issue 6198] Authorization for extensions

-- You are receiving this mail because: You are on the CC list for the issue.

openldap-its＠openldap.org

9:28 a.m.

New subject: [Issue 9211] Relax control is not consistently access-restricted

https://bugs.openldap.org/show_bug.cgi?id=9211

Quanah Gibson-Mount quanah@openldap.org changed:

What |Removed |Added ---------------------------------------------------------------------------- Severity|normal |enhancement

-- You are receiving this mail because: You are on the CC list for the issue.

openldap-its＠openldap.org

13 Jul 13 Jul

8:44 a.m.

New subject: [Issue 9211] Relax control is not consistently access-restricted

https://bugs.openldap.org/show_bug.cgi?id=9211

Ryan Tandy ryan@openldap.org changed:

What |Removed |Added ---------------------------------------------------------------------------- Assignee|ryan@openldap.org |bugs@openldap.org

-- You are receiving this mail because: You are on the CC list for the issue.

openldap-its＠openldap.org

9:16 a.m.

New subject: [Issue 9211] Relax control is not consistently access-restricted

https://bugs.openldap.org/show_bug.cgi?id=9211

Quanah Gibson-Mount quanah@openldap.org changed:

-- You are receiving this mail because: You are on the CC list for the issue.

openldap-its＠openldap.org

9:18 a.m.

New subject: [Issue 9211] Relax control is not consistently access-restricted

https://bugs.openldap.org/show_bug.cgi?id=9211

Quanah Gibson-Mount quanah@openldap.org changed:

What |Removed |Added ---------------------------------------------------------------------------- Target Milestone|2.6.0 |2.7.0

-- You are receiving this mail because: You are on the CC list for the issue.

openldap-its＠openldap.org

9:24 a.m.

New subject: [Issue 9211] Relax control is not consistently access-restricted

https://bugs.openldap.org/show_bug.cgi?id=9211

Quanah Gibson-Mount quanah@openldap.org changed:

-- You are receiving this mail because: You are on the CC list for the issue.

openldap-its＠openldap.org

8 Oct 8 Oct

9:03 a.m.

New subject: [Issue 9211] Relax control is not consistently access-restricted

https://bugs.openldap.org/show_bug.cgi?id=9211

Ondřej Kuzník ondra@mistotebe.net changed:

--- Comment #1 from Ondřej Kuzník ondra@mistotebe.net --- Once we have ACLs this becomes a choice for an admin to make.

*** This issue has been marked as a duplicate of issue 6198 ***

-- You are receiving this mail because: You are on the CC list for the issue.

openldap-its＠openldap.org

25 Oct 25 Oct

11:50 a.m.

New subject: [Issue 9211] Relax control is not consistently access-restricted

https://bugs.openldap.org/show_bug.cgi?id=9211

Quanah Gibson-Mount quanah@openldap.org changed:

What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |VERIFIED

-- You are receiving this mail because: You are on the CC list for the issue.

Age (days ago)

1684

Last active (days ago)

openldap-bugs@openldap.org

13 comments

1 participants

tags (0)

participants (1)

openldap-its＠openldap.org