X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Foverlays%2Funique.c;h=cd9eb2e0e19cfda79cd53f434b791b7a9d921722;hb=9b5972dc9e14e1f7a7bef755bfd0dc61bcf1ffb3;hp=218771f118b0fcfb69e70112e30a130aaa130fb9;hpb=93177bb6f34304e522ecc6aa8e91fd300279f7e6;p=openldap diff --git a/servers/slapd/overlays/unique.c b/servers/slapd/overlays/unique.c index 218771f118..cd9eb2e0e1 100644 --- a/servers/slapd/overlays/unique.c +++ b/servers/slapd/overlays/unique.c @@ -2,7 +2,7 @@ /* $OpenLDAP$ */ /* This work is part of OpenLDAP Software . * - * Copyright 2004-2014 The OpenLDAP Foundation. + * Copyright 2004-2016 The OpenLDAP Foundation. * Portions Copyright 2004,2006-2007 Symas Corporation. * All rights reserved. * @@ -1040,7 +1040,10 @@ unique_add( /* skip the checks if the operation has manageDsaIt control in it * (for replication) */ - if ( op->o_managedsait > SLAP_CONTROL_IGNORED ) { + if ( op->o_managedsait > SLAP_CONTROL_IGNORED + && access_allowed ( op, op->ora_e, + slap_schema.si_ad_entry, NULL, + ACL_MANAGE, NULL ) ) { Debug(LDAP_DEBUG_TRACE, "unique_add: administrative bypass, skipping\n", 0, 0, 0); return rc; } @@ -1159,6 +1162,7 @@ unique_modify( unique_domain *domain; Operation nop = *op; Modifications *m; + Entry *e = NULL; char *key, *kp; struct berval bvkey; int rc = SLAP_CB_CONTINUE; @@ -1168,10 +1172,19 @@ unique_modify( /* skip the checks if the operation has manageDsaIt control in it * (for replication) */ - if ( op->o_managedsait > SLAP_CONTROL_IGNORED ) { + if ( op->o_managedsait > SLAP_CONTROL_IGNORED + && overlay_entry_get_ov(op, &op->o_req_ndn, NULL, NULL, 0, &e, on) == LDAP_SUCCESS + && e + && access_allowed ( op, e, + slap_schema.si_ad_entry, NULL, + ACL_MANAGE, NULL ) ) { Debug(LDAP_DEBUG_TRACE, "unique_modify: administrative bypass, skipping\n", 0, 0, 0); + overlay_entry_release_ov( op, e, 0, on ); return rc; } + if ( e ) { + overlay_entry_release_ov( op, e, 0, on ); + } for ( domain = legacy ? legacy : domains; domain; 
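Review bot: The comment above the guard in unique_add still reads `(for replication)`, but the bypass now also requires manage access on the entry being added, so the comment no longer describes the condition. Something like `/* skip the checks only if manageDsaIt is set and the requester has manage access to the entry (e.g. a replication identity) */` would match the code. A request that carries the control without that privilege now falls through to the uniqueness checks silently. A trace on that path, e.g. `Debug(LDAP_DEBUG_TRACE, "unique_add: manageDsaIt without manage access, enforcing\n", 0, 0, 0);`, would make refused bypass attempts visible in the logs. unique_add begins and ends outside the hunk.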
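Review bot: The guard in unique_modify needs `overlay_entry_release_ov` on both the bypass path and the fall-through path, and the same fetch/check/release sequence is repeated verbatim in the unique_modrdn hunk, so a later edit that misses one release in either copy would leave the fetched entry unreleased. Moving the sequence into one static helper that fetches, checks and releases in a single place would leave each caller with a plain two-line guard. The fail-closed behaviour should be kept: if the entry cannot be fetched, the bypass is refused and the uniqueness checks run. The sketch below assumes `on` is the `slap_overinst *` the hunk already passes to `overlay_entry_get_ov`. Both functions continue outside their hunks.

```c
/* Return nonzero only when manageDsaIt is set and the requester holds
 * manage access on the target entry. Fails closed (returns 0) when the
 * entry cannot be fetched. */
static int
unique_bypass_allowed( Operation *op, slap_overinst *on )
{
	Entry *e = NULL;
	int allowed = 0;

	if ( op->o_managedsait <= SLAP_CONTROL_IGNORED ) {
		return 0;
	}
	if ( overlay_entry_get_ov( op, &op->o_req_ndn, NULL, NULL, 0, &e, on ) == LDAP_SUCCESS
		&& e ) {
		allowed = access_allowed( op, e,
			slap_schema.si_ad_entry, NULL,
			ACL_MANAGE, NULL );
	}
	if ( e ) {
		overlay_entry_release_ov( op, e, 0, on );
	}
	return allowed;
}

/* … unchanged: declarations in unique_modify (Entry *e no longer needed) … */
	if ( unique_bypass_allowed( op, on ) ) {
		/* … unchanged: Debug trace and return rc … */
	}
```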
@@ -1278,6 +1291,7 @@ unique_modrdn( unique_domain *legacy = private->legacy; unique_domain *domain; Operation nop = *op; + Entry *e = NULL; char *key, *kp; struct berval bvkey; LDAPRDN newrdn; @@ -1289,10 +1303,19 @@ unique_modrdn( /* skip the checks if the operation has manageDsaIt control in it * (for replication) */ - if ( op->o_managedsait > SLAP_CONTROL_IGNORED ) { + if ( op->o_managedsait > SLAP_CONTROL_IGNORED + && overlay_entry_get_ov(op, &op->o_req_ndn, NULL, NULL, 0, &e, on) == LDAP_SUCCESS + && e + && access_allowed ( op, e, + slap_schema.si_ad_entry, NULL, + ACL_MANAGE, NULL ) ) { Debug(LDAP_DEBUG_TRACE, "unique_modrdn: administrative bypass, skipping\n", 0, 0, 0); + overlay_entry_release_ov( op, e, 0, on ); return rc; } + if ( e ) { + overlay_entry_release_ov( op, e, 0, on ); + } for ( domain = legacy ? legacy : domains; domain;
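Review bot: In unique_modrdn the bypass is authorised only against the entry at its current name (`op->o_req_ndn`), while the uniqueness check being skipped concerns the new RDN values and possibly a destination elsewhere in the tree. This hunk does not show whether manage access on the source entry is meant to cover a rename into a different uniqueness domain. If that is intended, the comment above the guard should say so, e.g. `/* bypass is authorised by manage access on the entry being renamed, not on the destination */`. If it is not, the destination needs its own check before returning. The function body starts and ends outside the hunk.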