[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#5903) memberof stacked instance member-attr delete failure

To: openldap-its@OpenLDAP.org
Subject: (ITS#5903) memberof stacked instance member-attr delete failure
From: mbackes@symas.com
Date: Sat, 24 Jan 2009 09:57:00 GMT

Full_Name: Matthew Backes
Version: 2.4, head
OS: any
URL: 
Submission from: (NULL) (76.88.99.93)


If slapo-memberof is instanced more than once, deleting the
member-attr values from a group or deleting the group object will not
remove the memberof-attr values from the members.

Adds are not affected.

Internally, the operation fails because it tries using the
memberof-attribute name from the last memberof instance in the stack.

For example, given two member/group oc/attr sets in a schema:

objectIdentifier symasExample 1.3.6.1.4.1.4754.31
objectIdentifier symasExAT symasExample:1
objectIdentifier symasExOC symasExample:2

attributetype ( symasExAT:1 NAME 'memberA' SUP distinguishedName )
attributetype ( symasExAT:2 NAME 'memberOfA' SUP distinguishedName )
attributetype ( symasExAT:3 NAME 'memberB' SUP distinguishedName )
attributetype ( symasExAT:4 NAME 'memberOfB' SUP distinguishedName )

objectclass ( symasExOC:1 NAME 'groupA'
	SUP top	STRUCTURAL MUST cn MAY memberA )
objectclass ( symasExOC:2 NAME 'groupMemberA'
	SUP top AUXILIARY MAY memberOfA )
objectclass ( symasExOC:3 NAME 'groupB'
	SUP top	STRUCTURAL MUST cn MAY memberB )
objectclass ( symasExOC:4 NAME 'groupMemberB'
	SUP top AUXILIARY MAY memberOfB )

If we add two overlay instances:

overlay memberof
memberof-group-oc groupA
memberof-member-ad memberA
memberof-memberof-ad memberOfA
memberof-dn cn=memberOfA

overlay memberof
memberof-group-oc groupB
memberof-member-ad memberB
memberof-memberof-ad memberOfB
memberof-dn cn=memberOfB

And start with the data, involving the ocs/attrs from the first
instance:

dn: cn=person1,o=example
objectclass: person
objectclass: groupMemberA
cn: person1
sn: person1
memberOfA: cn=groupA,o=example

dn: cn=groupA,o=example
objectclass: groupA
cn: groupA
memberA: cn=person1,o=example

And issue a delete:

dn: cn=groupA,o=example
changetype: delete

Internally we see:

bdb_modify_internal: delete memberOfB
bdb_modify_internal: 16 modify/delete: memberOfB: no such attribute
hdb_modify: modify failed (16)
send_ldap_result: conn=0 op=1 p=3
send_ldap_result: err=16 matched="" text="modify/delete: memberOfB: no
    such attribute"
slap_graduate_commit_csn: removing 0x10066cdc0
    20090124095138.577730Z#000000#000#000000
conn=0 op=1: memberof_value_modify memberOfB="cn=groupA,o=example"
    failed err=16 text=
send_ldap_response: msgid=2 tag=107 err=0

And cn=person1 has not been cleaned up:

dn: cn=person1,o=example
objectClass: person
objectClass: groupMemberA
cn: person1
sn: person1
memberOfA: cn=groupA,o=example
modifiersName: o=example

--
Matthew Backes
Symas Corporation
mbackes@symas.com

Prev by Date: Re: (ITS#5896) search error on ldap_search_ext_s
Next by Date: Re: (ITS#5884) disclose ACL not safe on non-leaf objects
Index(es):
- Chronological
- Thread