Happy New Year!

[openldap] / servers / slapd / overlays / unique.c

diff --git a/servers/slapd/overlays/unique.c b/servers/slapd/overlays/unique.c
index 218771f118b0fcfb69e70112e30a130aaa130fb9..cd9eb2e0e19cfda79cd53f434b791b7a9d921722 100644 (file)
--- a/servers/slapd/overlays/unique.c
+++ b/servers/slapd/overlays/unique.c
@@ -2,7 +2,7 @@
 /* $OpenLDAP$ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2004-2014 The OpenLDAP Foundation.
+ * Copyright 2004-2016 The OpenLDAP Foundation.
  * Portions Copyright 2004,2006-2007 Symas Corporation.
  * All rights reserved.
  *
@@ -1040,7 +1040,10 @@ unique_add(
 
        /* skip the checks if the operation has manageDsaIt control in it
         * (for replication) */
-       if ( op->o_managedsait > SLAP_CONTROL_IGNORED ) {
+       if ( op->o_managedsait > SLAP_CONTROL_IGNORED
+            && access_allowed ( op, op->ora_e,
+                                slap_schema.si_ad_entry, NULL,
+                                ACL_MANAGE, NULL ) ) {
                Debug(LDAP_DEBUG_TRACE, "unique_add: administrative bypass, skipping\n", 0, 0, 0);
                return rc;
        }
@@ -1159,6 +1162,7 @@ unique_modify(
        unique_domain *domain;
        Operation nop = *op;
        Modifications *m;
+       Entry *e = NULL;
        char *key, *kp;
        struct berval bvkey;
        int rc = SLAP_CB_CONTINUE;
@@ -1168,10 +1172,19 @@ unique_modify(
 
        /* skip the checks if the operation has manageDsaIt control in it
         * (for replication) */
-       if ( op->o_managedsait > SLAP_CONTROL_IGNORED ) {
+       if ( op->o_managedsait > SLAP_CONTROL_IGNORED
+            && overlay_entry_get_ov(op, &op->o_req_ndn, NULL, NULL, 0, &e, on) == LDAP_SUCCESS
+            && e
+            && access_allowed ( op, e,
+                                slap_schema.si_ad_entry, NULL,
+                                ACL_MANAGE, NULL ) ) {
                Debug(LDAP_DEBUG_TRACE, "unique_modify: administrative bypass, skipping\n", 0, 0, 0);
+               overlay_entry_release_ov( op, e, 0, on );
                return rc;
        }
+       if ( e ) {
+               overlay_entry_release_ov( op, e, 0, on );
+       }
 
        for ( domain = legacy ? legacy : domains;
              domain;
@@ -1278,6 +1291,7 @@ unique_modrdn(
        unique_domain *legacy = private->legacy;
        unique_domain *domain;
        Operation nop = *op;
+       Entry *e = NULL;
        char *key, *kp;
        struct berval bvkey;
        LDAPRDN newrdn;
@@ -1289,10 +1303,19 @@ unique_modrdn(
 
        /* skip the checks if the operation has manageDsaIt control in it
         * (for replication) */
-       if ( op->o_managedsait > SLAP_CONTROL_IGNORED ) {
+       if ( op->o_managedsait > SLAP_CONTROL_IGNORED
+            && overlay_entry_get_ov(op, &op->o_req_ndn, NULL, NULL, 0, &e, on) == LDAP_SUCCESS
+            && e
+            && access_allowed ( op, e,
+                                slap_schema.si_ad_entry, NULL,
+                                ACL_MANAGE, NULL ) ) {
                Debug(LDAP_DEBUG_TRACE, "unique_modrdn: administrative bypass, skipping\n", 0, 0, 0);
+               overlay_entry_release_ov( op, e, 0, on );
                return rc;
        }
+       if ( e ) {
+               overlay_entry_release_ov( op, e, 0, on );
+       }
 
        for ( domain = legacy ? legacy : domains;
              domain;