ondra@mistotebe.net wrote:
The other reading is "using relax might let you do more, but you still need the right permissions", which is closer to how manageDSAIt works and it seems that's what OpenLDAP (but not slapo-constraint) does. The hassle is that you need to check permissions if you want to follow that and that's hard to do correctly if you're an overlay.
AFAIK, using the Relax Rules control makes slapd finish a write operation in case a constraintViolation would be returned without this control, provided the bound identity has manage privilege (and of course does not hit insufficientAccess before because of missing write privilege).
IMO slapo-unique should do the very same.
If the behaviour is unclear I'd hack a test configuration.
Ciao, Michael.