
Issue with using ldap replace with memberof-dangling set as error.


I'm working on writing a custom authorization app on top of openldap. I am currently using openldap version 2.4.26, and using the C API to interact with it. I am trying to use the memberof overlay with memberof-dangling set to error and memberof-refint set to true. I noticed a weird issue which happens here.


1. I add a group with one or zero members who are present in the system.

2. I update the group with one or more non-existent users using ldap_modify_ext with mod_op as LDAP_MOD_REPLACE. In this case, ldap throws up the error 'send_ldap_result: err=19 matched="" text="adding non-existing object as group member"', but still goes ahead and adds the non-existent member to the group even though the operation should fail.

Note that in the "memberof-dangling drop" case the non-existent users are not added, though no error is thrown. This seems to be working as expected.

Also doing ldap_modify_ext with LDAP_MOD_ADD works as expected too, where the same error is thrown but users are not added.

Am I missing something?

My slapd.conf has the following relevant configurations:

overlay memberof
memberof-group-oc customGroup
memberof-dangling error
memberof-refint true


[Reposting as I do not see my first attempt in the archives]