Full_Name: Clement OUDOT
Version: 2.4.47
OS: GNU/Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (81.250.130.213)

We use a very standard configuration with memberof overlay.

The issue is very easy to reproduce:
* Create a group with a user in an OpenLDAP server using memberof overlay
* The user should now have the group DN in memberOf attribute
* Rename the group to change its case, for example uppercase the first letter
* The group has been renamed but was removed from the user's memberOf attribute

The OpenLDAP log is the following:

5c9ba447 conn=1000 op=23 MODRDN dn="cn=memberoftest,ou=groups,dc=example,dc=com"
5c9ba447 conn=1000 op=23: memberof_value_modify DN="uid=coudot,ou=users,dc=example,dc=com" add memberOf="cn=memberofTEST,ou=groups,dc=example,dc=com" failed err=20

Seems it is because memberof tries to add the new value before deleting the old one. As the values are the same when ignoring the case, the modification is rejected.

I would say that doing the LDAP_SLIST_REMOVE before the LDAP_SLIST_INSERT_HEAD in memberof.c should be enough but I don't know if this is safe.

On Wed, Mar 27, 2019 at 04:39:14PM +0000, clement.oudot@worteks.com wrote:
> Seems it is because memberof try to add the new value before deleting the old
> one. As the values are the same when ignoring the case, the modification is
> rejected.
>
> I would say that doing the LDAP_SLIST_REMOVE before the LDAP_SLIST_INSERT_HEAD
> in memberof.c should be enough but I don't know if this is safe.

Alternatively checking that the new DN is not equivalent to the old and
if so, noop it? That's just been uploaded to
https://github.com/mistotebe/openldap/tree/its9000

Regards,

--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP

On 05/06/2019 at 15:30, ondra@mistotebe.net wrote:
> On Wed, Mar 27, 2019 at 04:39:14PM +0000, clement.oudot@worteks.com wrote:
>> Seems it is because memberof try to add the new value before deleting the old
>> one. As the values are the same when ignoring the case, the modification is
>> rejected.
>>
>> I would say that doing the LDAP_SLIST_REMOVE before the LDAP_SLIST_INSERT_HEAD
>> in memberof.c should be enough but I don't know if this is safe.
> Alternatively checking that the new DN is not equivalent to the old and
> if so, noop it? That's just been uploaded to
> https://github.com/mistotebe/openldap/tree/its9000

Seems indeed a better solution!

--
Clément Oudot | Identity Solutions Manager
clement.oudot@worteks.com
Worteks | https://www.worteks.com
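
The failure discussed in this thread, as an added example that is not part of the original messages or of OpenLDAP's memberof.c: a simplified C model of a memberOf value set, showing why add-then-delete loses the value on a case-only rename and how the proposed no-op check avoids it. The struct and function names are hypothetical, and DN equivalence is reduced here to a case-insensitive string compare.

```c
#define _POSIX_C_SOURCE 200809L /* for strcasecmp */
#include <stdio.h>
#include <string.h>
#include <strings.h>
#define LDAP_SUCCESS 0
#define LDAP_TYPE_OR_VALUE_EXISTS 20 /* the err=20 seen in the log */
struct attr { char vals[8][128]; int n; }; /* toy memberOf value set (hypothetical) */
/* Assumption: DN equivalence reduced to a case-insensitive string compare. */
static int dn_equal(const char *a, const char *b) { return strcasecmp(a, b) == 0; }
static int attr_find(const struct attr *a, const char *dn) {
    for (int i = 0; i < a->n; i++)
        if (dn_equal(a->vals[i], dn)) return i;
    return -1;
}
static int attr_add(struct attr *a, const char *dn) {
    if (attr_find(a, dn) >= 0) return LDAP_TYPE_OR_VALUE_EXISTS;
    snprintf(a->vals[a->n++], sizeof a->vals[0], "%s", dn);
    return LDAP_SUCCESS;
}
static void attr_del(struct attr *a, const char *dn) {
    int i = attr_find(a, dn);
    if (i >= 0) memmove(a->vals[i], a->vals[--a->n], sizeof a->vals[0]);
}
/* Order described in the report: add the new DN first, then delete the old. */
static int rename_add_then_delete(struct attr *a, const char *old_dn, const char *new_dn) {
    int rc = attr_add(a, new_dn); /* rejected when only the case differs */
    attr_del(a, old_dn);          /* still removes the one matching value */
    return rc;
}
/* Check proposed in the thread: equivalent old and new DNs are a no-op. */
static int rename_with_noop(struct attr *a, const char *old_dn, const char *new_dn) {
    if (dn_equal(old_dn, new_dn)) return LDAP_SUCCESS;
    return rename_add_then_delete(a, old_dn, new_dn);
}
/* Runs one rename on a fresh entry; returns the number of values left. */
static int values_after(int use_noop, const char *old_dn, const char *new_dn) {
    struct attr a = { .n = 0 };
    attr_add(&a, old_dn);
    if (use_noop) rename_with_noop(&a, old_dn, new_dn);
    else rename_add_then_delete(&a, old_dn, new_dn);
    return a.n;
}
int main(void) {
    const char *o = "cn=memberoftest,ou=groups,dc=example,dc=com";
    const char *n = "cn=memberofTEST,ou=groups,dc=example,dc=com";
    printf("add-then-delete: %d value(s) left\n", values_after(0, o, n));
    printf("with no-op check: %d value(s) left\n", values_after(1, o, n));
    return 0;
}
```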

changed notes
changed state Open to Release
moved from Incoming to Software Bugs

Fixed in master
Fixed in RE24 (2.4.48)

changed notes
changed state Release to Closed

This bug is still present in 2.4.49 (ubuntu).

(In reply to sebastien.chaumat from comment #7)
> This bug is still present in 2.4.49 (ubuntu).

The OpenLDAP 2.4 series is historic and out of support. The memberof overlay is deprecated in OpenLDAP 2.5 and later and the dynlist overlay should be used to provide memberOf support.