ITS#8245 Use Relax control to avoid uniqueness checks
The overlay still has to fetch the target entry to evaluate the manage ACL, until controls themselves can be restricted by ACLs.
This commit is contained in:
parent
4358ab5d73
commit
6d6a330057
3 changed files with 65 additions and 23 deletions
@ -161,8 +161,8 @@ Typical attributes for the
|
|||
URIs are intentionally not hardcoded into the overlay to allow for
|
||||
maximum flexibility in meeting site-specific requirements.
|
||||
.LP
|
||||
Replication and operations with
|
||||
.B manageDsaIt
|
||||
Replication and operations with the
|
||||
.B relax
|
||||
control are allowed to bypass this enforcement. It is therefore important that
|
||||
all servers accepting writes have this overlay configured in order to maintain
|
||||
uniqueness in a replicated DIT.
|
||||
|
|
|
|||
|
|
@ -1045,13 +1045,11 @@ unique_add(
|
|||
Debug(LDAP_DEBUG_TRACE, "==> unique_add <%s>\n",
|
||||
op->o_req_dn.bv_val );
|
||||
|
||||
/* skip the checks if the operation has manageDsaIt control in it
|
||||
* (for replication) */
|
||||
if ( op->o_managedsait > SLAP_CONTROL_IGNORED
|
||||
if ( SLAPD_SYNC_IS_SYNCCONN( op->o_connid ) ||
|
||||
get_relax(op) > SLAP_CONTROL_IGNORED
|
||||
&& access_allowed ( op, op->ora_e,
|
||||
slap_schema.si_ad_entry, NULL,
|
||||
ACL_MANAGE, NULL ) ) {
|
||||
Debug(LDAP_DEBUG_TRACE, "unique_add: administrative bypass, skipping\n" );
|
||||
return rc;
|
||||
}
|
||||
|
||||
|
|
@ -1182,15 +1180,13 @@ unique_modify(
|
|||
return rc;
|
||||
}
|
||||
|
||||
/* skip the checks if the operation has manageDsaIt control in it
|
||||
* (for replication) */
|
||||
if ( op->o_managedsait > SLAP_CONTROL_IGNORED
|
||||
if ( SLAPD_SYNC_IS_SYNCCONN( op->o_connid ) ||
|
||||
get_relax(op) > SLAP_CONTROL_IGNORED
|
||||
&& overlay_entry_get_ov(op, &op->o_req_ndn, NULL, NULL, 0, &e, on) == LDAP_SUCCESS
|
||||
&& e
|
||||
&& access_allowed ( op, e,
|
||||
slap_schema.si_ad_entry, NULL,
|
||||
ACL_MANAGE, NULL ) ) {
|
||||
Debug(LDAP_DEBUG_TRACE, "unique_modify: administrative bypass, skipping\n" );
|
||||
overlay_entry_release_ov( op, e, 0, on );
|
||||
return rc;
|
||||
}
|
||||
|
|
@ -1305,15 +1301,13 @@ unique_modrdn(
|
|||
Debug(LDAP_DEBUG_TRACE, "==> unique_modrdn <%s> <%s>\n",
|
||||
op->o_req_dn.bv_val, op->orr_newrdn.bv_val );
|
||||
|
||||
/* skip the checks if the operation has manageDsaIt control in it
|
||||
* (for replication) */
|
||||
if ( op->o_managedsait > SLAP_CONTROL_IGNORED
|
||||
if ( SLAPD_SYNC_IS_SYNCCONN( op->o_connid ) ||
|
||||
get_relax(op) > SLAP_CONTROL_IGNORED
|
||||
&& overlay_entry_get_ov(op, &op->o_req_ndn, NULL, NULL, 0, &e, on) == LDAP_SUCCESS
|
||||
&& e
|
||||
&& access_allowed ( op, e,
|
||||
slap_schema.si_ad_entry, NULL,
|
||||
ACL_MANAGE, NULL ) ) {
|
||||
Debug(LDAP_DEBUG_TRACE, "unique_modrdn: administrative bypass, skipping\n" );
|
||||
overlay_entry_release_ov( op, e, 0, on );
|
||||
return rc;
|
||||
}
|
||||
|
|
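Review bot: In unique_modify the syncrepl short-circuit reaches `overlay_entry_release_ov( op, e, 0, on )` without `overlay_entry_get_ov` ever having run, so `e` is whatever it was initialised to above the hunk (NULL at best, indeterminate at worst) when it is handed to the backend's release hook; conversely, when the entry is fetched but `access_allowed` denies ACL_MANAGE, the whole condition is false and the fetched entry is never released. Both stem from folding three outcomes into one `||`/`&&` chain that also leans on `&&` binding tighter than `||` without parentheses. Separating the replication case from the relax case and releasing the entry on both ACL outcomes fixes both; unique_modrdn has the same shape and needs the same treatment. The enclosing functions start outside the hunk, and the unchanged comment above each block still says manageDsaIt, which this commit replaced; suggest `/* skip the checks for replication, or for a Relax control sent by a user with manage access to the entry */`.
```c
	/* skip the checks for replication, or for a Relax control sent by
	 * a user with manage access to the entry */
	if ( SLAPD_SYNC_IS_SYNCCONN( op->o_connid ) ) {
		Debug(LDAP_DEBUG_TRACE, "unique_modify: administrative bypass, skipping\n" );
		return rc;
	}
	if ( get_relax(op) > SLAP_CONTROL_IGNORED
		&& overlay_entry_get_ov(op, &op->o_req_ndn, NULL, NULL, 0, &e, on) == LDAP_SUCCESS
		&& e ) {
		int manage = access_allowed( op, e, slap_schema.si_ad_entry, NULL,
			ACL_MANAGE, NULL );
		/* the entry reference is ours whatever the ACL says; release it on both paths */
		overlay_entry_release_ov( op, e, 0, on );
		if ( manage ) {
			Debug(LDAP_DEBUG_TRACE, "unique_modify: administrative bypass, skipping\n" );
			return rc;
		}
	}
	/* … unchanged: per-modification uniqueness checks … */
```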
|
|||
|
|
@ -22,6 +22,7 @@ if test $UNIQUE = uniqueno; then
|
|||
fi
|
||||
|
||||
RCODEconstraint=19
|
||||
RCODEnorelax=50
|
||||
test $BACKEND = null && RCODEconstraint=0
|
||||
|
||||
mkdir -p $TESTDIR $DBDIR1
|
||||
|
|
@ -118,8 +119,31 @@ if test $RC != $RCODEconstraint ; then
|
|||
exit -1
|
||||
fi
|
||||
|
||||
# ITS#6641/8057
|
||||
# ITS#6641/8057/8245
|
||||
echo "Trying to bypass uniqueness as a normal user..."
|
||||
$LDAPADD -e \!relax -D "uid=dave,ou=users,o=unique" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
|
||||
$TESTOUT 2>&1 << EOTUNIQ2
|
||||
dn: uid=bill,ou=users,o=unique
|
||||
objectClass: inetOrgPerson
|
||||
uid: bill
|
||||
sn: johnson
|
||||
cn: bill
|
||||
businessCategory: rtest
|
||||
carLicense: ABC123
|
||||
departmentNumber: 42
|
||||
displayName: Bill
|
||||
employeeNumber: 5150
|
||||
employeeType: contractor
|
||||
givenName: Bill
|
||||
EOTUNIQ2
|
||||
RC=$?
|
||||
if test $RC != $RCODEnorelax && test $RC != $RCODEconstraint ; then
|
||||
echo "unique check failed ($RC)!"
|
||||
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
||||
exit -1
|
||||
fi
|
||||
|
||||
echo "Trying to bypass uniqueness as a normal user with ManageDSAIt..."
|
||||
$LDAPADD -M -D "uid=dave,ou=users,o=unique" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
|
||||
$TESTOUT 2>&1 << EOTUNIQ2
|
||||
dn: uid=bill,ou=users,o=unique
|
||||
|
|
@ -142,9 +166,8 @@ if test $RC != $RCODEconstraint ; then
|
|||
exit -1
|
||||
fi
|
||||
|
||||
# ITS#6641/8057
|
||||
echo "Bypassing uniqueness as an admin user..."
|
||||
$LDAPADD -M -D "$UNIQUEDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
|
||||
$LDAPADD -e \!relax -D "$UNIQUEDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
|
||||
$TESTOUT 2>&1 << EOTUNIQ2
|
||||
dn: uid=bill,ou=users,o=unique
|
||||
objectClass: inetOrgPerson
|
||||
|
|
@ -586,8 +609,24 @@ if test $RC != $RCODEconstraint ; then
|
|||
exit -1
|
||||
fi
|
||||
|
||||
# ITS#6641/8057
|
||||
# ITS#6641/8057/8245
|
||||
echo "Trying to bypass uniqueness as a normal user..."
|
||||
$LDAPMODIFY -e \!relax -D "uid=dave,ou=users,o=unique" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
|
||||
$TESTOUT 2>&1 << EOF
|
||||
dn: uid=empty,ou=users,o=unique
|
||||
changetype: modify
|
||||
replace: sn
|
||||
sn: johnson
|
||||
EOF
|
||||
|
||||
RC=$?
|
||||
if test $RC != $RCODEnorelax && test $RC != $RCODEconstraint ; then
|
||||
echo "unique check failed ($RC)!"
|
||||
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
||||
exit -1
|
||||
fi
|
||||
|
||||
echo "Trying to bypass uniqueness as a normal user with ManageDSAIt..."
|
||||
$LDAPMODIFY -M -D "uid=dave,ou=users,o=unique" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
|
||||
$TESTOUT 2>&1 << EOF
|
||||
dn: uid=empty,ou=users,o=unique
|
||||
|
|
@ -603,9 +642,8 @@ if test $RC != $RCODEconstraint ; then
|
|||
exit -1
|
||||
fi
|
||||
|
||||
# ITS#6641/8057
|
||||
echo "Bypassing uniqueness as an admin user..."
|
||||
$LDAPMODIFY -M -D "$UNIQUEDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
|
||||
$LDAPMODIFY -e \!relax -D "$UNIQUEDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
|
||||
$TESTOUT 2>&1 << EOF
|
||||
dn: uid=empty,ou=users,o=unique
|
||||
changetype: modify
|
||||
|
|
@ -664,8 +702,19 @@ if test $RC != $RCODEconstraint ; then
|
|||
exit -1
|
||||
fi
|
||||
|
||||
# ITS#6641/8057
|
||||
# ITS#6641/8057/8245
|
||||
echo "Trying to bypass uniqueness as a normal user..."
|
||||
$LDAPMODRDN -e \!relax -D "uid=dave,ou=users,o=unique" -h $LOCALHOST -p $PORT1 -w $PASSWD \
|
||||
"uid=not edgar,uid=edgar,ou=users,o=unique" "uid=edgar" > $TESTOUT 2>&1
|
||||
|
||||
RC=$?
|
||||
if test $RC != $RCODEnorelax && test $RC != $RCODEconstraint ; then
|
||||
echo "unique check failed ($RC)!"
|
||||
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
||||
exit -1
|
||||
fi
|
||||
|
||||
echo "Trying to bypass uniqueness as a normal user with a ManageDSAIt control..."
|
||||
$LDAPMODRDN -M -D "uid=dave,ou=users,o=unique" -h $LOCALHOST -p $PORT1 -w $PASSWD \
|
||||
"uid=not edgar,uid=edgar,ou=users,o=unique" "uid=edgar" > $TESTOUT 2>&1
|
||||
|
||||
|
|
@ -676,9 +725,8 @@ if test $RC != $RCODEconstraint ; then
|
|||
exit -1
|
||||
fi
|
||||
|
||||
# ITS#6641/8057
|
||||
echo "Bypassing uniqueness as an admin user..."
|
||||
$LDAPMODRDN -M -D "$UNIQUEDN" -h $LOCALHOST -p $PORT1 -w $PASSWD \
|
||||
$LDAPMODRDN -e \!relax -D "$UNIQUEDN" -h $LOCALHOST -p $PORT1 -w $PASSWD \
|
||||
"uid=not edgar,uid=edgar,ou=users,o=unique" "uid=edgar" > $TESTOUT 2>&1
|
||||
|
||||
RC=$?
|
||||
|
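Review bot: The new "normal user with relax" checks accept two different outcomes, `if test $RC != $RCODEnorelax && test $RC != $RCODEconstraint`, without saying why either is a pass; presumably 50 is the server refusing the critical Relax control to a non-manager and 19 is the overlay still enforcing uniqueness, but a reader of the script cannot tell which path is actually exercised, and on the null backend RCODEconstraint is already 0 so that branch accepts success. If both codes are genuinely legitimate, a comment next to the definition should say so, e.g. `# relax as a non-manager must be refused: either the critical control is rejected (50) or the overlay still enforces uniqueness (19)`; otherwise pin the single expected code per backend so a regression that lets the bypass through as 19-instead-of-50 (or vice versa) is caught. The modrdn block at the end of the section continues outside the hunk.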