ITS#10256 cn=config: reject modify requests on cn=schema,cn=config
authorHoward Chu <hyc@openldap.org>
Tue, 10 Sep 2024 16:41:39 +0000 (17:41 +0100)
committerHoward Chu <hyc@openldap.org>
Tue, 10 Sep 2024 16:41:39 +0000 (17:41 +0100)
Add requests already handled it specially; corresponding treatment
for modify requests was missing. The docs have always stated that
cn=schema,cn=config is only for slapd's hardcoded schema so this
only affects users who don't read docs.

servers/slapd/bconfig.c

index ee8aea87253ff66f2be9fb522179531a158ea888..be323511e254a7355eee384a3050a5c0b38934db 100644 (file)
@@ -6300,6 +6300,12 @@ config_back_modify( Operation *op, SlapReply *rs )
                goto out;
        }
 
+       /* global schema rejects all writes */
+       if ( ce->ce_type == Cft_Schema && ce->ce_parent->ce_type == Cft_Global ) {
+               rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
+               goto out;
+       }
+
        if ( !acl_check_modlist( op, ce->ce_entry, op->orm_modlist )) {
                rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
                goto out;
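Review bot: The new guard in config_back_modify sets only `rs->sr_err` before `goto out`, so a client that tries to modify cn=schema,cn=config gets a bare unwillingToPerform that cannot be told apart from any other failure path; adding `rs->sr_text = "cn=schema,cn=config is read-only";` (message text constructed here) would make the refusal self-explanatory in client output and logs. The comment could also record the reason, e.g. `/* cn=schema,cn=config holds only slapd's hardcoded schema; reject all modifies */`. The guard also runs before `acl_check_modlist`, so a client without write access now receives LDAP_UNWILLING_TO_PERFORM rather than LDAP_INSUFFICIENT_ACCESS for this entry; that looks harmless for a fixed, well-known DN, but it should be a deliberate choice. The function body starts and ends outside the hunk, so whether the `out:` path later overwrites `sr_text` cannot be confirmed from here.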