ITS#9204 Gate relax on MANAGE access

2026-06-11 01:30:05 -04:00 · 2026-04-09 15:31:27 +01:00 · 2026-04-09 15:31:27 +01:00 · b954201691
commit b954201691
parent e16c279405
2 changed files with 32 additions and 7 deletions
--- a/doc/man/man5/slapo-constraint.5
+++ b/doc/man/man5/slapo-constraint.5
@ -21,9 +21,11 @@ It constrains only LDAP \fIadd\fP, \fImodify\fP and \fIrename\fP commands
 and only seeks to control the \fIadd\fP and \fIreplace\fP values
 of \fImodify\fP and \fIrename\fP requests.
 .LP
-No constraints are applied for operations performed with the
+Constraints can be lifted for operations where the
 .I relax
-control set.
+control is set and the user has
+.B manage
+privileges to the relevant attribute.
 .SH CONFIGURATION
 These
 .B slapd.conf
@ -115,7 +117,11 @@ to maintain backwards compatibility.
 Any attempt to add or modify an attribute named as part of the
 constraint overlay specification which does not fit the 
 constraint listed will fail with a
-LDAP_CONSTRAINT_VIOLATION error.
+LDAP_CONSTRAINT_VIOLATION error unless the
+.I relax
+control was set and the user has
+.B manage
+privilege on the attribute in question.
 .SH EXAMPLES
 .LP
 .RS
--- a/servers/slapd/overlays/constraint.c
+++ b/servers/slapd/overlays/constraint.c
@ -855,7 +855,7 @@ constraint_add( Operation *op, SlapReply *rs )
 	int rc = 0;
 	char *msg = NULL;

-	if ( get_relax(op) || be_shadow_update( op ) ) {
+	if ( be_shadow_update( op ) ) {
 		return SLAP_CB_CONTINUE;
 	}

@ -889,6 +889,13 @@ constraint_add( Operation *op, SlapReply *rs )
 				continue;
 			}

+			/* No need to check if user asked to Relax this op and has MANAGE
+			 * access to the attribute */
+			if ( get_relax(op) && access_allowed( op, op->ora_e, a->a_desc,
+						NULL, ACL_MANAGE, NULL ) ) {
+				continue;
+			}
+
 			Debug(LDAP_DEBUG_TRACE, 
 				"==> constraint_add, "
 				"a->a_numvals = %u, cp->count = %lu\n",
@ -936,7 +943,8 @@ add_violation:


 static int
-constraint_check_count_violation( Modifications *m, Entry *target_entry, constraint *cp )
+constraint_check_count_violation( Operation *op, Modifications *m, Entry
+		*target_entry, constraint *cp )
 {
 	BerVarray b = NULL;
 	unsigned ce = 0;
@ -990,6 +998,10 @@ constraint_check_count_violation( Modifications *m, Entry *target_entry, constra
 			}
 		}
 		if ( ce > cp->count ) {
+			if ( get_relax(op) && access_allowed( op, target_entry, cp->ap[j],
+						NULL, ACL_MANAGE, NULL ) ) {
+				continue;
+			}
 			return 1;
 		}
 	}
@ -1013,7 +1025,7 @@ constraint_update( Operation *op, SlapReply *rs )
 	char *msg = NULL;
 	int is_v;

-	if ( get_relax(op) || be_shadow_update( op ) ) {
+	if ( be_shadow_update( op ) ) {
 		return SLAP_CB_CONTINUE;
 	}

@ -1057,7 +1069,7 @@ constraint_update( Operation *op, SlapReply *rs )
 				continue;
 			}

-			is_v = constraint_check_count_violation(m, target_entry, cp);
+			is_v = constraint_check_count_violation(op, m, target_entry, cp);

 			Debug(LDAP_DEBUG_TRACE,
 				"==> constraint_update is_v: %d\n", is_v );
@ -1085,6 +1097,13 @@ constraint_update( Operation *op, SlapReply *rs )
 		if ((( b = m->sml_values ) == NULL ) || (b[0].bv_val == NULL))
 			continue;

+		/* No need to check if user asked to Relax this op and has MANAGE
+		 * access to the attribute */
+		if ( get_relax(op) && access_allowed( op, target_entry, m->sml_desc,
+					NULL, ACL_MANAGE, NULL ) ) {
+			continue;
+		}
+
 		for(cp = c; cp; cp = cp->ap_next) {
 			int j;
 			for (j = 0; cp->ap[j]; j++) {