Commit 6d6a3300 authored by Ondřej Kuzník's avatar Ondřej Kuzník Committed by Quanah Gibson-Mount

ITS#8245 Use Relax control to avoid uniqueness checks

Still needs to retrieve the entry for ACL resolution until we can
restrict controls with ACLs.
parent 4358ab5d
......@@ -161,8 +161,8 @@ Typical attributes for the
URIs are intentionally not hardcoded into the overlay to allow for
maximum flexibility in meeting site-specific requirements.
.LP
Replication and operations with
.B manageDsaIt
Replication and operations with the
.B relax
control are allowed to bypass this enforcement. It is therefore important that
all servers accepting writes have this overlay configured in order to maintain
uniqueness in a replicated DIT.
......
......@@ -1045,13 +1045,11 @@ unique_add(
Debug(LDAP_DEBUG_TRACE, "==> unique_add <%s>\n",
op->o_req_dn.bv_val );
/* skip the checks if the operation has manageDsaIt control in it
* (for replication) */
if ( op->o_managedsait > SLAP_CONTROL_IGNORED
if ( SLAPD_SYNC_IS_SYNCCONN( op->o_connid ) ||
get_relax(op) > SLAP_CONTROL_IGNORED
&& access_allowed ( op, op->ora_e,
slap_schema.si_ad_entry, NULL,
ACL_MANAGE, NULL ) ) {
Debug(LDAP_DEBUG_TRACE, "unique_add: administrative bypass, skipping\n" );
return rc;
}
......@@ -1182,15 +1180,13 @@ unique_modify(
return rc;
}
/* skip the checks if the operation has manageDsaIt control in it
* (for replication) */
if ( op->o_managedsait > SLAP_CONTROL_IGNORED
if ( SLAPD_SYNC_IS_SYNCCONN( op->o_connid ) ||
get_relax(op) > SLAP_CONTROL_IGNORED
&& overlay_entry_get_ov(op, &op->o_req_ndn, NULL, NULL, 0, &e, on) == LDAP_SUCCESS
&& e
&& access_allowed ( op, e,
slap_schema.si_ad_entry, NULL,
ACL_MANAGE, NULL ) ) {
Debug(LDAP_DEBUG_TRACE, "unique_modify: administrative bypass, skipping\n" );
overlay_entry_release_ov( op, e, 0, on );
return rc;
}
......@@ -1305,15 +1301,13 @@ unique_modrdn(
Debug(LDAP_DEBUG_TRACE, "==> unique_modrdn <%s> <%s>\n",
op->o_req_dn.bv_val, op->orr_newrdn.bv_val );
/* skip the checks if the operation has manageDsaIt control in it
* (for replication) */
if ( op->o_managedsait > SLAP_CONTROL_IGNORED
if ( SLAPD_SYNC_IS_SYNCCONN( op->o_connid ) ||
get_relax(op) > SLAP_CONTROL_IGNORED
&& overlay_entry_get_ov(op, &op->o_req_ndn, NULL, NULL, 0, &e, on) == LDAP_SUCCESS
&& e
&& access_allowed ( op, e,
slap_schema.si_ad_entry, NULL,
ACL_MANAGE, NULL ) ) {
Debug(LDAP_DEBUG_TRACE, "unique_modrdn: administrative bypass, skipping\n" );
overlay_entry_release_ov( op, e, 0, on );
return rc;
}
......
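Review bot: In unique_modify and unique_modrdn the new condition still fetches the target entry with overlay_entry_get_ov but releases it only inside the bypass branch, so a request carrying Relax from an identity that fails the ACL_MANAGE test at access_allowed leaves the fetched entry without a matching overlay_entry_release_ov (the shape predates this commit under manageDsaIt, but the path is now reachable by any client able to attach the Relax control). Splitting the sync-connection case from the Relax case lets the release happen regardless of the ACL outcome and also removes the unparenthesised `||`/`&&` mix that relies on operator precedence (and trips -Wparentheses) in all three functions. The rationale comment the commit deletes should return in its new form, e.g. `/* syncrepl consumer connections bypass the check; other clients need the Relax control and manage access to the entry */`, since at present only the commit message explains why the entry is fetched at all. unique_modrdn starts and ends outside the hunk, and whether `e` is initialised before the condition is not visible here.
```c
	/* syncrepl consumer connections bypass the check; other clients need
	 * the Relax control and manage access to the entry, which has to be
	 * fetched for the ACL check */
	if ( SLAPD_SYNC_IS_SYNCCONN( op->o_connid ) ) {
		Debug(LDAP_DEBUG_TRACE, "unique_modrdn: administrative bypass, skipping\n" );
		return rc;
	}
	if ( get_relax(op) > SLAP_CONTROL_IGNORED
	     && overlay_entry_get_ov(op, &op->o_req_ndn, NULL, NULL, 0, &e, on) == LDAP_SUCCESS
	     && e ) {
		int bypass = access_allowed( op, e, slap_schema.si_ad_entry, NULL,
				ACL_MANAGE, NULL );
		overlay_entry_release_ov( op, e, 0, on );
		if ( bypass ) {
			Debug(LDAP_DEBUG_TRACE, "unique_modrdn: administrative bypass, skipping\n" );
			return rc;
		}
	}
	/* … unchanged: uniqueness checks for the new RDN … */
```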
......@@ -22,6 +22,7 @@ if test $UNIQUE = uniqueno; then
fi
RCODEconstraint=19
RCODEnorelax=50
test $BACKEND = null && RCODEconstraint=0
mkdir -p $TESTDIR $DBDIR1
......@@ -118,8 +119,31 @@ if test $RC != $RCODEconstraint ; then
exit -1
fi
# ITS#6641/8057
# ITS#6641/8057/8245
echo "Trying to bypass uniqueness as a normal user..."
$LDAPADD -e \!relax -D "uid=dave,ou=users,o=unique" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
$TESTOUT 2>&1 << EOTUNIQ2
dn: uid=bill,ou=users,o=unique
objectClass: inetOrgPerson
uid: bill
sn: johnson
cn: bill
businessCategory: rtest
carLicense: ABC123
departmentNumber: 42
displayName: Bill
employeeNumber: 5150
employeeType: contractor
givenName: Bill
EOTUNIQ2
RC=$?
if test $RC != $RCODEnorelax && test $RC != $RCODEconstraint ; then
echo "unique check failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit -1
fi
echo "Trying to bypass uniqueness as a normal user with ManageDSAIt..."
$LDAPADD -M -D "uid=dave,ou=users,o=unique" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
$TESTOUT 2>&1 << EOTUNIQ2
dn: uid=bill,ou=users,o=unique
......@@ -142,9 +166,8 @@ if test $RC != $RCODEconstraint ; then
exit -1
fi
# ITS#6641/8057
echo "Bypassing uniqueness as an admin user..."
$LDAPADD -M -D "$UNIQUEDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
$LDAPADD -e \!relax -D "$UNIQUEDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
$TESTOUT 2>&1 << EOTUNIQ2
dn: uid=bill,ou=users,o=unique
objectClass: inetOrgPerson
......@@ -586,8 +609,24 @@ if test $RC != $RCODEconstraint ; then
exit -1
fi
# ITS#6641/8057
# ITS#6641/8057/8245
echo "Trying to bypass uniqueness as a normal user..."
$LDAPMODIFY -e \!relax -D "uid=dave,ou=users,o=unique" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
$TESTOUT 2>&1 << EOF
dn: uid=empty,ou=users,o=unique
changetype: modify
replace: sn
sn: johnson
EOF
RC=$?
if test $RC != $RCODEnorelax && test $RC != $RCODEconstraint ; then
echo "unique check failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit -1
fi
echo "Trying to bypass uniqueness as a normal user with ManageDSAIt..."
$LDAPMODIFY -M -D "uid=dave,ou=users,o=unique" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
$TESTOUT 2>&1 << EOF
dn: uid=empty,ou=users,o=unique
......@@ -603,9 +642,8 @@ if test $RC != $RCODEconstraint ; then
exit -1
fi
# ITS#6641/8057
echo "Bypassing uniqueness as an admin user..."
$LDAPMODIFY -M -D "$UNIQUEDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
$LDAPMODIFY -e \!relax -D "$UNIQUEDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
$TESTOUT 2>&1 << EOF
dn: uid=empty,ou=users,o=unique
changetype: modify
......@@ -664,8 +702,19 @@ if test $RC != $RCODEconstraint ; then
exit -1
fi
# ITS#6641/8057
# ITS#6641/8057/8245
echo "Trying to bypass uniqueness as a normal user..."
$LDAPMODRDN -e \!relax -D "uid=dave,ou=users,o=unique" -h $LOCALHOST -p $PORT1 -w $PASSWD \
"uid=not edgar,uid=edgar,ou=users,o=unique" "uid=edgar" > $TESTOUT 2>&1
RC=$?
if test $RC != $RCODEnorelax && test $RC != $RCODEconstraint ; then
echo "unique check failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit -1
fi
echo "Trying to bypass uniqueness as a normal user with a ManageDSAIt control..."
$LDAPMODRDN -M -D "uid=dave,ou=users,o=unique" -h $LOCALHOST -p $PORT1 -w $PASSWD \
"uid=not edgar,uid=edgar,ou=users,o=unique" "uid=edgar" > $TESTOUT 2>&1
......@@ -676,9 +725,8 @@ if test $RC != $RCODEconstraint ; then
exit -1
fi
# ITS#6641/8057
echo "Bypassing uniqueness as an admin user..."
$LDAPMODRDN -M -D "$UNIQUEDN" -h $LOCALHOST -p $PORT1 -w $PASSWD \
$LDAPMODRDN -e \!relax -D "$UNIQUEDN" -h $LOCALHOST -p $PORT1 -w $PASSWD \
"uid=not edgar,uid=edgar,ou=users,o=unique" "uid=edgar" > $TESTOUT 2>&1
RC=$?
......
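Review bot: The three new "normal user with Relax" checks accept either $RCODEnorelax or $RCODEconstraint, which makes them weaker than the ManageDSAIt checks that follow them, because a run that returns 50 never shows that slapo-unique actually evaluated the constraint for a Relax-bearing write. If both codes are genuinely expected depending on the backend (the same hunk that introduces RCODEnorelax=50 forces RCODEconstraint to 0 for the null backend), a comment above each of the three checks would stop the next reader from tightening them wrongly, e.g. `# 50 if the server presumably refuses Relax for this identity before the overlay runs, 19 when slapo-unique rejected the write`. Otherwise each check should pin the single code the configured backend is expected to return.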