Re: (ITS#8923) compare op with dynlist returns wrong code when requested DN is in scope but doesn't exist
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#8923) compare op with dynlist returns wrong code when requested DN is in scope but doesn't exist
- From: ondra@mistotebe.net
- Date: Tue, 24 Sep 2019 10:40:59 +0000
- Auto-submitted: auto-generated (OpenLDAP-ITS)
On Wed, Oct 03, 2018 at 08:25:44PM +0000, quanah@openldap.org wrote:
> In a situation where a dynamic group has been created and a compare operation is
> run with a DN that doesn't exist but is within the scope of the dynamic group
> URI, the ldapcompare operation will incorrectly return an error 80 instead of
> error 5 (compare FALSE).
>
> For example, if I have:
>
> dn: cn=planning,ou=Groups,dc=example,dc=com
> objectClass: groupOfURLs
> cn: planning
> memberURL: ldap:///ou=planning,dc=example,dc=com??sub?(objectClass=inetorgperson)
>
> and I do an ldapcompare with:
>
> ldapcompare -x -H ldap://anvil2.rb.symas.net -D dc=example,dc=com -w secret cn=planning,ou=Groups,dc=example,dc=com "member:cn=Ramakant Wolow,ou=Planning,dc=example,dc=com"
>
> (i.e., this entry doesn't exist in the DB), I get:
>
> Compare Result: Other (e.g., implementation specific) error (80)
> UNDEFINED
>
> This appears to be due to the fact that in this scenario, slapd attempts to find
> the DN in the underlying DB and it doesn't exist, so an err=32 is returned back.
> This is incorrectly interpreted as an unknown error, thus the err=80 result.
> Instead it should be treated as "not a member of the group".

I thought that exact scenario was being tested here? And that one
passes.
https://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=tests/scripts/test044-dynlist;h=86885cd1150f765d4e42695947fcb6f63965a073;hb=refs/heads/master#l471
--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
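
The result-code handling described in the quoted report, as a simplified Python model added here (not slapd's dynlist code and not part of the original message). The directory contents, the function names and the `missing_is_false` switch are assumptions made for illustration; only the memberURL and the asserted DN come from the report.

```python
# LDAP result codes (RFC 4511)
COMPARE_FALSE, COMPARE_TRUE, NO_SUCH_OBJECT, OTHER = 5, 6, 32, 80

MEMBER_URL = "ldap:///ou=planning,dc=example,dc=com??sub?(objectClass=inetorgperson)"

# Constructed sample directory: normalized DN -> attributes (not real data)
DIRECTORY = {
    "cn=alice,ou=planning,dc=example,dc=com": {"objectclass": ["inetorgperson"]},
    "cn=printer,ou=planning,dc=example,dc=com": {"objectclass": ["device"]},
}

def norm(dn):
    # Naive DN normalization, sufficient for the sample DNs used here
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_member_url(url):
    # ldap:///<base>?<attrs>?<scope>?<filter>; scope defaults to "base" (RFC 4516)
    rest = url.split("///", 1)[1]
    base, _attrs, scope, filt = (rest.split("?", 3) + ["", "", ""])[:4]
    return norm(base), scope or "base", filt

def in_scope(dn, base, scope):
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn.partition(",")[2] == base
    return dn == base or dn.endswith("," + base)  # "sub"

def matches(entry, filt):
    # Only simple equality filters such as (objectClass=inetorgperson)
    attr, value = filt.strip("()").split("=", 1)
    return value.lower() in (v.lower() for v in entry.get(attr.lower(), []))

def compare_member(member_url, asserted_dn, missing_is_false=True):
    base, scope, filt = parse_member_url(member_url)
    dn = norm(asserted_dn)
    if not in_scope(dn, base, scope):
        return COMPARE_FALSE
    entry = DIRECTORY.get(dn)
    if entry is None:
        # Internal lookup yields noSuchObject (32). The report describes this
        # surfacing as other (80); the requested behaviour is compareFalse (5).
        return COMPARE_FALSE if missing_is_false else OTHER
    return COMPARE_TRUE if matches(entry, filt) else COMPARE_FALSE
```
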