Full_Name: Quanah Gibson-Mount
Version: HEAD
OS: N/A
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (47.208.148.239)

In a situation where a dynamic group has been created and a compare operation is run with a DN that doesn't exist but is within the scope of the dynamic group URI, the ldapcompare operation will incorrectly return an error 80 instead of error 5 (compare FALSE).

For example, if I have:

    dn: cn=planning,ou=Groups,dc=example,dc=com
    objectClass: groupOfURLs
    cn: planning
    memberURL: ldap:///ou=planning,dc=example,dc=com??sub?(objectClass=inetorgperson)

and I do an ldapcompare with:

    ldapcompare -x -H ldap://anvil2.rb.symas.net -D dc=example,dc=com -w secret cn=planning,ou=Groups,dc=example,dc=com "member:cn=Ramakant Wolow,ou=Planning,dc=example,dc=com"

(i.e., this entry doesn't exist in the DB), I get:

    Compare Result: Other (e.g., implementation specific) error (80)
    UNDEFINED

This appears to be due to the fact that in this scenario, slapd attempts to find the DN in the underlying DB and it doesn't exist, so an err=32 is returned back. This is incorrectly interpreted as an unknown error, thus the err=80 result. Instead it should be treated as "not a member of the group".
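The result-code handling described in the report above, as a simplified model added here; it is not slapd or dynlist overlay code and not from the report's author. The sample entry, the function names and the `fixed` switch are constructed for illustration, and DN matching is reduced to a case-insensitive string comparison.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* LDAP result codes (RFC 4511) */
enum { LDAP_SUCCESS = 0, LDAP_COMPARE_FALSE = 5, LDAP_COMPARE_TRUE = 6,
       LDAP_NO_SUCH_OBJECT = 32, LDAP_OTHER = 80 };

/* Constructed sample data: one entry under the group's search base. */
struct entry { const char *dn; const char *objectClass; };
static const struct entry db[] = {
    { "cn=Existing User,ou=Planning,dc=example,dc=com", "inetOrgPerson" },
};
/* memberURL from the report: base, sub scope, (objectClass=inetorgperson) */
static const char *GROUP_BASE  = "ou=planning,dc=example,dc=com";
static const char *GROUP_CLASS = "inetOrgPerson";

/* "dn is at or below base" (sub scope); no real DN normalization here. */
static int in_scope(const char *dn, const char *base) {
    size_t dl = strlen(dn), bl = strlen(base);
    if (dl < bl || strcasecmp(dn + dl - bl, base) != 0) return 0;
    return dl == bl || dn[dl - bl - 1] == ',';
}

/* Internal lookup: LDAP_SUCCESS with *out set, or LDAP_NO_SUCH_OBJECT. */
static int lookup(const char *dn, const struct entry **out) {
    for (size_t i = 0; i < sizeof db / sizeof db[0]; i++)
        if (strcasecmp(db[i].dn, dn) == 0) { *out = &db[i]; return LDAP_SUCCESS; }
    return LDAP_NO_SUCH_OBJECT;
}

/* fixed == 0 models the reported behaviour, fixed == 1 the expected one. */
int compare_member(const char *dn, int fixed) {
    const struct entry *e = NULL;
    if (!in_scope(dn, GROUP_BASE)) return LDAP_COMPARE_FALSE;
    int rc = lookup(dn, &e);
    /* A missing entry cannot be a member: answer FALSE, not an error. */
    if (rc == LDAP_NO_SUCH_OBJECT && fixed) return LDAP_COMPARE_FALSE;
    if (rc != LDAP_SUCCESS) return LDAP_OTHER;  /* err=32 surfaces as err=80 */
    return strcasecmp(e->objectClass, GROUP_CLASS) == 0
         ? LDAP_COMPARE_TRUE : LDAP_COMPARE_FALSE;
}

int main(void) {
    const char *missing = "cn=Ramakant Wolow,ou=Planning,dc=example,dc=com";
    printf("reported: %d, expected: %d\n",
           compare_member(missing, 0), compare_member(missing, 1));
    return 0;
}
```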
changed notes
changed state Open to Test
moved from Incoming to Software Bugs

changed notes
changed state Test to Release

fixed in master
fixed in RE24 (2.4.47)

changed notes
changed state Release to Closed

On Wed, Oct 03, 2018 at 08:25:44PM +0000, quanah@openldap.org wrote:
> In a situation where a dynamic group has been created and a compare operation is
> run with a DN that doesn't exist but is within the scope of the dynamic group
> URI, the ldapcompare operation will incorrectly return an error 80 instead of
> error 5 (compare FALSE).
>
> For example, if I have:
>
> dn: cn=planning,ou=Groups,dc=example,dc=com
> objectClass: groupOfURLs
> cn: planning
> memberURL: ldap:///ou=planning,dc=example,dc=com??sub?(objectClass=inetorgpers
> on)
>
> and I do an ldapcompare with:
>
> ldapcompare -x -H ldap://anvil2.rb.symas.net -D dc=example,dc=com -w secret
> cn=planning,ou=Groups,dc=example,dc=com "member:cn=Ramakant
> Wolow,ou=Planning,dc=example,dc=com"
>
> (i.e., this entry doesn't exist in the DB), I get:
>
> Compare Result: Other (e.g., implementation specific) error (80)
> UNDEFINED
>
> This appears to be due to the fact that in this scenario, slapd attempts to find
> the DN in the underlying DB and it doesn't exist, so an err=32 is returned back.
> This is incorrectly interpreted as an unknown error, thus the err=80 result.
> Instead it should be treated as "not a member of the group".

I thought that exact scenario was being tested here? And that one passes.

https://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=tests/scripts/test044-dynlist;h=86885cd1150f765d4e42695947fcb6f63965a073;hb=refs/heads/master#l471

-- 
Ondřej Kuzník
Senior Software Engineer
Symas Corporation                       http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP