From 5e9d550c2e00a9e286f337acfc21bcb9de3fed50 Mon Sep 17 00:00:00 2001
From: Howard Chu
Date: Tue, 10 Sep 2024 17:41:39 +0100
Subject: [PATCH] ITS#10256 cn=config: reject modify requests on cn=schema,cn=config Add requests already handled it specially; corresponding treatment for modify requests was missing. The docs have always stated that cn=schema,cn=config is only for slapd's hardcoded schema so this only affects users who don't read docs.
---
 servers/slapd/bconfig.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
index ee8aea8725..be323511e2 100644
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@@ -6300,6 +6300,12 @@ config_back_modify( Operation *op, SlapReply *rs )
 goto out;
 }

+ /* global schema rejects all writes */
+ if ( ce->ce_type == Cft_Schema && ce->ce_parent->ce_type == Cft_Global ) {
+ rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
+ goto out;
+ }
+
 if ( !acl_check_modlist( op, ce->ce_entry, op->orm_modlist )) {
 rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
 goto out;
-- 
2.47.3
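Review bot: The new rejection branch sets only `rs->sr_err`, so a client that tries to modify cn=schema,cn=config gets a bare unwillingToPerform with no reason attached; adding a diagnostic such as `rs->sr_text = "cn=schema,cn=config holds only the hardcoded schema";` would make the refusal self-explanatory in client output and logs. The `ce->ce_parent->ce_type` dereference relies on every `Cft_Schema` entry having a parent, which presumably holds because only the root entry lacks one, but the comment above the check should state that invariant. The check also runs before `acl_check_modlist`, so callers without write access now see unwillingToPerform instead of insufficientAccess for this entry; that looks harmless for a well-known DN, but it is worth confirming the ordering is intended. config_back_modify starts and ends outside the hunk, so whether other write paths need the same guard cannot be judged from here.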