Issue 6670 - memberof overlay problem
Status: RESOLVED PARTIAL
Product: OpenLDAP
Component: slapd
Version: unspecified
Hardware: All All
Assignee: OpenLDAP project
Reported: 2010-10-12 09:38 UTC by henjes@informatik.uni-wuerzburg.de
Modified: 2014-08-01 21:04 UTC (History)
Description henjes@informatik.uni-wuerzburg.de 2010-10-12 09:38:07 UTC
Full_Name: Robert Henjes
Version: 2.4.23-4
OS: Debian Squeeze
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (132.187.12.89)


Hi,

while using memberof overlay I recognized the following problem in conjunction
with groupOfNames. If you try to add an empty group of names you have to set at
least one member attribute, since it is mandatory. One could have the idea to
point to the group dn itself. If having the memberof overlay active this leads
to a loop while executing an ldapadd. I assume this happens while the memberof
overlay is triggered. Tried to analyze the slapd debug output, but it stops,
after the addition is completed.

Example LDIF file:
dn: cn=stupid,ou=groups,dc=domain
objectClass: top
objectClass: groupOfNames
cn: stupid
member: cn=stupid,ou=groups,dc=domain

The slapd server seems to proceed working, except for the add process and the
subtree where the LDIF gets added. You cannot stop the slapd server in a normal way,
you just have to do a "kill -9". After that the LDIF file seems to be added, but
I assume that the memberof overlay representation is inconsistent.

The memberof overlay should be aware of such situations, even if building loops
in dn references is in general not a good idea.

Best regards,
Robert
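
An added example, not part of the original report and not OpenLDAP code: a pre-import check that flags entries in an LDIF file which list their own DN as a member, the pattern shown in the report above. The function names, the simplified DN comparison and the second and third sample entries are assumptions made for this example.

```python
import base64
import re

# Constructed sample: entry 1 is the LDIF from the report; entries 2-3 are made up.
_B64 = base64.b64encode(b"cn=folded,ou=groups,dc=domain").decode()
SAMPLE_LDIF = f"""\
dn: cn=stupid,ou=groups,dc=domain
objectClass: top
objectClass: groupOfNames
cn: stupid
member: cn=stupid,ou=groups,dc=domain

dn: CN=folded, OU=Groups,
 DC=domain
objectClass: groupOfNames
member:: {_B64}

dn: cn=ok,ou=groups,dc=domain
objectClass: groupOfNames
member: uid=alice,ou=people,dc=domain
"""

def parse_entries(text):
    """Yield each LDIF entry as a list of (attribute, value) pairs."""
    text = re.sub(r"\r?\n ", "", text)            # unfold continuation lines
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = []
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, rest = line.partition(":")
            b64 = rest.startswith(":")            # "attr:: <base64 value>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8") if b64 else rest.strip()
            entry.append((attr.strip().lower(), value))
        yield entry

def norm_dn(dn):
    """Simplified comparison key (assumption: case-insensitive, not full RFC 4514)."""
    rdns = re.split(r"(?<!\\),", dn)              # split on unescaped commas only
    return ",".join("=".join(p.strip() for p in r.split("=", 1)).lower() for r in rdns)

def self_referencing_groups(text, member_attrs=("member",)):
    """Return DNs of entries that list their own DN in a membership attribute."""
    hits = []
    for entry in parse_entries(text):
        dn = next((v for a, v in entry if a == "dn"), None)
        if dn and any(a in member_attrs and norm_dn(v) == norm_dn(dn) for a, v in entry):
            hits.append(dn)
    return hits
```

Running `self_referencing_groups()` over an LDIF file before `ldapadd` lists the entries to fix; pass other attribute names in `member_attrs` if the overlay is configured with a different membership attribute.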
Comment 1 Howard Chu 2010-12-30 16:40:58 UTC
changed notes
changed state Open to Partial
moved from Incoming to Software Bugs
Comment 2 Howard Chu 2010-12-31 00:40:01 UTC
henjes@informatik.uni-wuerzburg.de wrote:
> Full_Name: Robert Henjes
> Version: 2.4.23-4
> OS: Debian Squeeze
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (132.187.12.89)
>
>
> Hi,
>
> while using memberof overlay I recognized the following problem in conjunction
> with groupOfNames. If you try to add an empty group of names you have to set at
> least one member attribute, since it is mandatory. One could have the idea to
> point to the group dn itself. If having the memberof overlay active this leads
> to a loop while executing an ldapadd. I assume this happens while the memberof
> overlay is triggered. Tried to analyze the slapd debug output, but it stops,
> after the addition is completed.
>
> Example LDIF file:
> dn: cn=stupid,ou=groups,dc=domain
> objectClass: top
> objectClass: groupOfNames
> cn: stupid
> member: cn=stupid,ou=groups,dc=domain
>
> The slapd server seems to proceed working, except for the add process and the
> subtree where the LDIF gets added. You cannot stop the slapd server in a normal way,
> you just have to do a "kill -9". After that the LDIF file seems to be added, but
> I assume that the memberof overlay representation is inconsistent.
>
> The memberof overlay should be aware of such situations, even if building loops
> in dn references is in general not a good idea.

The memberof code in HEAD has been patched to ignore these cases. Possibly we 
can add additional code to insert the member/memberOf value as appropriate, 
but I haven't done so in this patch.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Comment 3 Quanah Gibson-Mount 2011-01-04 11:55:14 UTC
changed notes
Comment 4 OpenLDAP project 2014-08-01 21:04:32 UTC
patched in HEAD
patched in RE24