ITS#8057 Enforce uniqueness unless permitted by ACL
authorOndřej Kuzník <ondra@mistotebe.net>
Sat, 14 Feb 2015 18:08:59 +0000 (18:08 +0000)
committerHoward Chu <hyc@openldap.org>
Mon, 16 Feb 2015 17:30:59 +0000 (17:30 +0000)
servers/slapd/overlays/unique.c

index 5f28c1d37cfa970ce60b5d98fb72871935d642e5..53158461bce5754715ba7354902ea024ad47bbe3 100644 (file)
@@ -1040,7 +1040,10 @@ unique_add(
 
        /* skip the checks if the operation has manageDsaIt control in it
         * (for replication) */
-       if ( op->o_managedsait > SLAP_CONTROL_IGNORED ) {
+       if ( op->o_managedsait > SLAP_CONTROL_IGNORED
+            && access_allowed ( op, op->ora_e,
+                                slap_schema.si_ad_entry, NULL,
+                                ACL_MANAGE, NULL ) ) {
                Debug(LDAP_DEBUG_TRACE, "unique_add: administrative bypass, skipping\n", 0, 0, 0);
                return rc;
        }
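Review bot: The comment above the condition in unique_add still says the checks are skipped whenever the operation carries manageDsaIt, but the new condition also requires manage access to the entry. I would update it to something like `/* skip the checks only if the operation carries manageDsaIt (for replication) and the requester has manage access to the entry */`, so a reader does not assume the control alone is enough. The same stale comment sits above the conditions in the unique_modify and unique_modrdn hunks. The body of unique_add starts and ends outside this hunk.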
@@ -1168,7 +1171,10 @@ unique_modify(
 
        /* skip the checks if the operation has manageDsaIt control in it
         * (for replication) */
-       if ( op->o_managedsait > SLAP_CONTROL_IGNORED ) {
+       if ( op->o_managedsait > SLAP_CONTROL_IGNORED
+            && access_allowed ( op, op->ora_e,
+                                slap_schema.si_ad_entry, NULL,
+                                ACL_MANAGE, NULL ) ) {
                Debug(LDAP_DEBUG_TRACE, "unique_modify: administrative bypass, skipping\n", 0, 0, 0);
                return rc;
        }
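Review bot: The access_allowed() call in unique_modify is given `op->ora_e`, which is the entry field of an add request. As far as slap.h defines it, the request data is a union, so for a modify this reads the modify request's own fields as if they were an Entry pointer. The ACL decision would then rest on unrelated memory and could crash slapd or grant the bypass wrongly; unique_modrdn in the next hunk has the same problem. Both should look up the target entry by `op->o_req_ndn`, run the check on that entry and release it, as sketched below. The overlay-aware lookup helper may be the better fit here; both function bodies extend beyond their hunks.

```c
	if ( op->o_managedsait > SLAP_CONTROL_IGNORED ) {
		Entry *e = NULL;
		int bypass = 0;

		/* modify/modrdn requests carry no entry: fetch the target by DN */
		if ( be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e ) == LDAP_SUCCESS
		     && e != NULL ) {
			bypass = access_allowed( op, e,
						 slap_schema.si_ad_entry, NULL,
						 ACL_MANAGE, NULL );
			be_entry_release_r( op, e );
		}
		if ( bypass ) {
			/* … unchanged: Debug trace and return rc … */
```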
@@ -1289,7 +1295,10 @@ unique_modrdn(
 
        /* skip the checks if the operation has manageDsaIt control in it
         * (for replication) */
-       if ( op->o_managedsait > SLAP_CONTROL_IGNORED ) {
+       if ( op->o_managedsait > SLAP_CONTROL_IGNORED
+            && access_allowed ( op, op->ora_e,
+                                slap_schema.si_ad_entry, NULL,
+                                ACL_MANAGE, NULL ) ) {
                Debug(LDAP_DEBUG_TRACE, "unique_modrdn: administrative bypass, skipping\n", 0, 0, 0);
                return rc;
        }