From f2d332aa6b54e0fe50ff943d610e2e1ac1008b48 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
Date: Sat, 14 Feb 2015 18:08:59 +0000
Subject: [PATCH] ITS#8057 Enforce uniqueness unless permitted by ACL

---
 servers/slapd/overlays/unique.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/servers/slapd/overlays/unique.c b/servers/slapd/overlays/unique.c
index 5f28c1d37c..53158461bc 100644
--- a/servers/slapd/overlays/unique.c
+++ b/servers/slapd/overlays/unique.c
@@ -1040,7 +1040,10 @@ unique_add(
 
 	/* skip the checks if the operation has manageDsaIt control in it
 	 * (for replication) */
-	if ( op->o_managedsait > SLAP_CONTROL_IGNORED ) {
+	if ( op->o_managedsait > SLAP_CONTROL_IGNORED
+	     && access_allowed ( op, op->ora_e,
+				 slap_schema.si_ad_entry, NULL,
+				 ACL_MANAGE, NULL ) ) {
 		Debug(LDAP_DEBUG_TRACE, "unique_add: administrative bypass, skipping\n", 0, 0, 0);
 		return rc;
 	}
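Review bot: The comment above the changed condition in unique_add is now stale: it still says the checks are skipped whenever the operation carries manageDsaIT "(for replication)", but the bypass also requires manage access on the entry being added. I would reword it to `/* skip the checks only if manageDsaIT is set and the requester has manage access to the entry */`. The same comment sits unchanged above the unique_modify and unique_modrdn hunks. It is also worth stating there that a requester without manage access falls through to normal uniqueness enforcement rather than receiving an error, since that is the behaviour an administrator writing ACLs needs to know. unique_add's body starts and ends outside the hunk.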
@@ -1168,7 +1171,10 @@ unique_modify(
 
 	/* skip the checks if the operation has manageDsaIt control in it
 	 * (for replication) */
-	if ( op->o_managedsait > SLAP_CONTROL_IGNORED ) {
+	if ( op->o_managedsait > SLAP_CONTROL_IGNORED
+	     && access_allowed ( op, op->ora_e,
+				 slap_schema.si_ad_entry, NULL,
+				 ACL_MANAGE, NULL ) ) {
 		Debug(LDAP_DEBUG_TRACE, "unique_modify: administrative bypass, skipping\n", 0, 0, 0);
 		return rc;
 	}
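Review bot: In unique_modify the new ACL check passes `op->ora_e`, which is the add request's entry field; on a modify that member is not set to an Entry, and if the request fields share storage (as the `ora_` prefix suggests) access_allowed() would be handed whatever the modify request stored there. The unique_modrdn hunk has the same problem. The bypass decision should instead be made on the target entry looked up by `op->o_req_ndn`, with a failed lookup treated as no bypass and the entry released on both paths, as sketched below. The sketch assumes the overlay instance pointer is in scope as `on` and that `e` is declared with the function's other locals; both function bodies extend outside their hunks.

```c
	Entry *e = NULL;	/* target entry, fetched only to evaluate the ACL */

	/* ... unchanged: comment above the bypass check ... */
	if ( op->o_managedsait > SLAP_CONTROL_IGNORED
	     && overlay_entry_get_ov( op, &op->o_req_ndn, NULL, NULL, 0, &e, on ) == LDAP_SUCCESS
	     && e != NULL
	     && access_allowed ( op, e,
				 slap_schema.si_ad_entry, NULL,
				 ACL_MANAGE, NULL ) ) {
		/* release before returning so the bypass path does not leak the entry */
		overlay_entry_release_ov( op, e, 0, on );
		Debug(LDAP_DEBUG_TRACE, "unique_modify: administrative bypass, skipping\n", 0, 0, 0);
		return rc;
	}
	if ( e != NULL ) {
		/* no bypass: drop the entry and continue with the uniqueness checks */
		overlay_entry_release_ov( op, e, 0, on );
	}
```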
@@ -1289,7 +1295,10 @@ unique_modrdn(
 
 	/* skip the checks if the operation has manageDsaIt control in it
 	 * (for replication) */
-	if ( op->o_managedsait > SLAP_CONTROL_IGNORED ) {
+	if ( op->o_managedsait > SLAP_CONTROL_IGNORED
+	     && access_allowed ( op, op->ora_e,
+				 slap_schema.si_ad_entry, NULL,
+				 ACL_MANAGE, NULL ) ) {
 		Debug(LDAP_DEBUG_TRACE, "unique_modrdn: administrative bypass, skipping\n", 0, 0, 0);
 		return rc;
 	}
-- 
GitLab