
(ITS#8923) compare op with dynlist returns wrong code when requested DN is in scope but doesn't exist

Full_Name: Quanah Gibson-Mount
Version: HEAD
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

In a situation where a dynamic group has been created and a compare operation is
run with a DN that doesn't exist but is within the scope of the dynamic group
URI, the ldapcompare operation will incorrectly return an error 80 instead of
error 5 (compare FALSE).

For example, if I have:

dn: cn=planning,ou=Groups,dc=example,dc=com
objectClass: groupOfURLs
cn: planning
memberURL: ldap:///ou=planning,dc=example,dc=com??sub?(objectClass=inetorgpers

and I do an ldapcompare with:

ldapcompare -x -H ldap://anvil2.rb.symas.net -D dc=example,dc=com -w secret
cn=planning,ou=Groups,dc=example,dc=com "member:cn=Ramakant

(i.e., this entry doesn't exist in the DB), I get:

Compare Result: Other (e.g., implementation specific) error (80)

This appears to be due to the fact that in this scenario, slapd attempts to find
the DN in the underlying DB and it doesn't exist, so an err=32 is returned back.
This is incorrectly interpreted as an unknown error, thus the err=80 result.
Instead it should be treated as "not a member of the group".
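
The result-code mapping described in this report, as an added example that is not part of the original submission and is not OpenLDAP's dynlist code. It is a stand-alone model: the function names, the in-memory sample directory, the `matches_filter` flag and the simplified DN suffix matching are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* LDAP result codes as defined in RFC 4511. */
enum { LDAP_COMPARE_FALSE = 5, LDAP_COMPARE_TRUE = 6,
       LDAP_NO_SUCH_OBJECT = 32, LDAP_OTHER = 80 };

/* Constructed sample directory: DN plus whether it matches the memberURL filter. */
struct entry { const char *dn; int matches_filter; };
static const struct entry db[] = {
    { "cn=Alice Example,ou=planning,dc=example,dc=com", 1 },
    { "cn=printer1,ou=planning,dc=example,dc=com",      0 },
};

/* Toy subtree test: dn ends in ",base" (no real DN normalization). */
static int in_subtree(const char *dn, const char *base) {
    size_t ld = strlen(dn), lb = strlen(base);
    return ld > lb && dn[ld - lb - 1] == ',' && strcasecmp(dn + ld - lb, base) == 0;
}

/* Models the internal lookup of the asserted DN in the underlying DB. */
static int internal_lookup(const char *dn) {
    for (size_t i = 0; i < sizeof db / sizeof db[0]; i++)
        if (strcasecmp(db[i].dn, dn) == 0)
            return db[i].matches_filter ? LDAP_COMPARE_TRUE : LDAP_COMPARE_FALSE;
    return LDAP_NO_SUCH_OBJECT;            /* err=32: entry is not in the DB */
}

/* Compare "member: asserted_dn" against a dynamic group with the given URL base.
 * fixed == 0 models the reported behaviour, fixed == 1 the requested one. */
int compare_member(const char *base, const char *asserted_dn, int fixed) {
    if (!in_subtree(asserted_dn, base))
        return LDAP_COMPARE_FALSE;         /* outside the memberURL scope */
    int rc = internal_lookup(asserted_dn);
    if (rc == LDAP_COMPARE_TRUE || rc == LDAP_COMPARE_FALSE)
        return rc;
    if (fixed && rc == LDAP_NO_SUCH_OBJECT)
        return LDAP_COMPARE_FALSE;         /* nonexistent DN is "not a member" */
    return LDAP_OTHER;                     /* everything else surfaces as err=80 */
}

int main(void) {
    const char *base = "ou=planning,dc=example,dc=com";
    const char *missing = "cn=Nobody,ou=planning,dc=example,dc=com"; /* constructed */
    printf("reported:  %d\n", compare_member(base, missing, 0));
    printf("requested: %d\n", compare_member(base, missing, 1));
    return 0;
}
```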