(ITS#8107) olcMemberOfDangling: error doesn't prevent adding nonexistent member to group
- To: openldap-its@OpenLDAP.org
- Subject: (ITS#8107) olcMemberOfDangling: error doesn't prevent adding nonexistent member to group
- From: rtandy@sd63.bc.ca
- Date: Fri, 17 Apr 2015 19:25:52 +0000
- Auto-submitted: auto-generated (OpenLDAP-ITS)
Full_Name: Ryan Tandy
Version: RE24
OS: Ubuntu
URL:
Submission from: (NULL) (142.31.146.2)
$ git describe
OPENLDAP_REL_ENG_2_4_40-208-gfd03ec0
$ ./configure --disable-bdb --disable-hdb --enable-memberof && make -j8 && sudo make STRIP= install
[...]
$ slapadd -Fconfig.d -n0
dn: cn=config
objectClass: olcGlobal

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
include: file:///usr/local/etc/openldap/schema/core.ldif
include: file:///usr/local/etc/openldap/schema/cosine.ldif

dn: olcDatabase={1}mdb,cn=config
objectClass: olcMdbConfig
olcDbDirectory: data.d
olcSuffix: dc=example,dc=com
olcDbIndex: objectClass eq
olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read

dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
objectClass: olcMemberOf
olcMemberOfDangling: error
$ slapadd -Fconfig.d
dn: dc=example,dc=com
objectClass: domain

dn: cn=admin,dc=example,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
userPassword: secret

$ /usr/local/libexec/slapd -h ldap://:9000 -Fconfig.d
$ ldapadd -H ldap://:9000 -x -D cn=admin,dc=example,dc=com -w secret
dn: cn=testgroup,dc=example,dc=com
objectClass: groupOfNames
member: cn=nonexistent

adding new entry "cn=testgroup,dc=example,dc=com"
ldap_add: Constraint violation (19)
additional info: adding non-existing object as group member
$ ldapsearch -H ldap://:9000 -x -b cn=testgroup,dc=example,dc=com
# extended LDIF
#
# LDAPv3
# base <cn=testgroup,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
matchedDN: dc=example,dc=com
# numResponses: 1
OK, that's fine. The new entry was rejected.
$ ldapadd -H ldap://:9000 -x -D cn=admin,dc=example,dc=com -w secret
dn: cn=testgroup,dc=example,dc=com
objectClass: groupOfNames
member: cn=admin,dc=example,dc=com

adding new entry "cn=testgroup,dc=example,dc=com"

dn: cn=testgroup,dc=example,dc=com
changetype: modify
add: member
member: cn=nonexistent

modifying entry "cn=testgroup,dc=example,dc=com"
ldap_modify: Constraint violation (19)
additional info: adding non-existing object as group member
$ ldapsearch -H ldap://:9000 -x -b cn=testgroup,dc=example,dc=com
# extended LDIF
#
# LDAPv3
# base <cn=testgroup,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# testgroup, example.com
dn: cn=testgroup,dc=example,dc=com
objectClass: groupOfNames
member: cn=admin,dc=example,dc=com
member: cn=nonexistent
cn: testgroup
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
This is unexpected. The member addition was rejected, but somehow the
modification went through anyway?
Seems like something spooky is going on here...
903             send_ldap_result( op, rs );
(gdb) p rc
$4 = 19
(gdb) n
55315ce0 send_ldap_result: conn=1001 op=2 p=3
55315ce0 send_ldap_response: msgid=3 tag=103 err=19
ber_flush2: 56 bytes to sd 12
1214 op->o_dn = save_dn;
(gdb) p rc
$5 = 32768
(gdb) p rs->sr_err
$6 = 19
Am I reading that right, send_ldap_result is somehow overwriting rc in the
caller? Happens at -O0 as well as -O2.
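The gdb values above (rc is 19 just before send_ldap_result, but 32768, which is SLAP_CB_CONTINUE, by the time op->o_dn = save_dn runs) are exactly what an inner `int rc` shadowing the outer one produces. The C below is an added stand-alone illustration of that pattern and is not OpenLDAP's memberof.c; that the overlay really contains such a shadowed declaration is an assumption, not something this report establishes, and the constants and the send_result() stub are constructed stand-ins. gcc -Wshadow warns on the inner declaration.

```c
#include <stdio.h>

/* Constructed stand-ins for the slapd values seen in the gdb session:
 * 19 is LDAP_CONSTRAINT_VIOLATION, 32768 (0x8000) is SLAP_CB_CONTINUE. */
#define LDAP_SUCCESS              0
#define LDAP_CONSTRAINT_VIOLATION 19
#define SLAP_CB_CONTINUE          0x8000

struct result { int sr_err; };

/* Stand-in for send_ldap_result(): only records the code sent to the client. */
static int sent_err = LDAP_SUCCESS;
static void send_result(struct result *rs) { sent_err = rs->sr_err; }
int last_sent_err(void) { return sent_err; }

/* Hypothetical overlay modify hook showing the shadowing pattern. The check
 * block declares its own `rc`, so the 19 assigned there never reaches the
 * `rc` that is returned: the client gets the error, the caller gets
 * SLAP_CB_CONTINUE and lets the modify proceed. */
int op_modify_shadowed(int member_exists)
{
    struct result rs = { LDAP_SUCCESS };
    int rc = SLAP_CB_CONTINUE;
    if (!member_exists) {
        int rc = LDAP_CONSTRAINT_VIOLATION;   /* shadows the outer rc */
        rs.sr_err = rc;
        send_result(&rs);                     /* client sees err=19 ... */
    }
    return rc;                                /* ... but this is still 32768 */
}

/* Same logic with a single rc: the error is sent and also stops the operation. */
int op_modify_fixed(int member_exists)
{
    struct result rs = { LDAP_SUCCESS };
    int rc = SLAP_CB_CONTINUE;
    if (!member_exists) {
        rc = LDAP_CONSTRAINT_VIOLATION;
        rs.sr_err = rc;
        send_result(&rs);
    }
    return rc;
}

int main(void)
{
    int rc = op_modify_shadowed(0);
    printf("shadowed: sent=%d returned=%d\n", last_sent_err(), rc);
    rc = op_modify_fixed(0);
    printf("fixed:    sent=%d returned=%d\n", last_sent_err(), rc);
    return 0;
}
```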