[Date Prev][Date Next]
Re: (ITS#6670) memberof overlay problem
> Full_Name: Robert Henjes
> Version: 2.4.23-4
> OS: Debian Squeeze
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (126.96.36.199)
> while using memberof overlay I recognized the following problem in conjunction
> with groupOfNames. If you try to add an empty group of names you have to set at
> least one member attribute, since it is mandatory. One could have the idea to
> point to the group dn itself. If having the memberof overlay active this leads
> to a loop while executing an ldapadd. I assume this happens while the memberof
> overlay is triggered. Tried to analyze the slapd debug output, but it stops,
> after the addition is completed.
> Example LDIF file:
> dn: cn=stupid,ou=groups,dc=domain
> objectClass: top
> objectClass: groupOfNames
> cn: stupid
> member: cn=stupid,ou=groups,dc=domain
> The slapd server seems proceed working, except the add process and the subtree
> where the LDIF is gets added. You can not stop the slapd server in a normal way,
> you just have to do a "kill -9". After that the LDIF file seems to be added, but
> I assume, that the memberof overlay representation is inconsistent.
> The memberof overlay should be aware of such situations, even if building loops
> in dn references is in general not a good idea.
The memberof code in HEAD has been patched to ignore these cases. Possibly we
can add additional code to insert the member/memberOf value as appropriate,
but I haven't done so in this patch.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/