
(ITS#8107) olcMemberOfDangling: error doesn't prevent adding nonexistent member to group
Full_Name: Ryan Tandy
Version: RE24
OS: Ubuntu
URL: 
Submission from: (NULL) (142.31.146.2)


$ git describe
OPENLDAP_REL_ENG_2_4_40-208-gfd03ec0
$ ./configure --disable-bdb --disable-hdb --enable-memberof && make -j8 && sudo make STRIP= install
[...]
$ slapadd -Fconfig.d -n0
dn: cn=config
objectClass: olcGlobal

dn: cn=schema,cn=config
objectClass: olcSchemaConfig

include: file:///usr/local/etc/openldap/schema/core.ldif
include: file:///usr/local/etc/openldap/schema/cosine.ldif

dn: olcDatabase={1}mdb,cn=config
objectClass: olcMdbConfig
olcDbDirectory: data.d
olcSuffix: dc=example,dc=com
olcDbIndex: objectClass eq
olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read

dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
objectClass: olcMemberOf
olcMemberOfDangling: error

$ slapadd -Fconfig.d
dn: dc=example,dc=com
objectClass: domain

dn: cn=admin,dc=example,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
userPassword: secret

$ /usr/local/libexec/slapd -h ldap://:9000 -Fconfig.d
$ ldapadd -H ldap://:9000 -x -D cn=admin,dc=example,dc=com -w secret
dn: cn=testgroup,dc=example,dc=com
objectClass: groupOfNames
member: cn=nonexistent

adding new entry "cn=testgroup,dc=example,dc=com"
ldap_add: Constraint violation (19)
	additional info: adding non-existing object as group member

$ ldapsearch -H ldap://:9000 -x -b cn=testgroup,dc=example,dc=com
# extended LDIF
#
# LDAPv3
# base <cn=testgroup,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object
matchedDN: dc=example,dc=com

# numResponses: 1

OK, that's fine. The new entry was rejected.

$ ldapadd -H ldap://:9000 -x -D cn=admin,dc=example,dc=com -w secret
dn: cn=testgroup,dc=example,dc=com
objectClass: groupOfNames
member: cn=admin,dc=example,dc=com

adding new entry "cn=testgroup,dc=example,dc=com"

dn: cn=testgroup,dc=example,dc=com
changetype: modify
add: member
member: cn=nonexistent

modifying entry "cn=testgroup,dc=example,dc=com"
ldap_modify: Constraint violation (19)
	additional info: adding non-existing object as group member

$ ldapsearch -H ldap://:9000 -x -b cn=testgroup,dc=example,dc=com
# extended LDIF
#
# LDAPv3
# base <cn=testgroup,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# testgroup, example.com
dn: cn=testgroup,dc=example,dc=com
objectClass: groupOfNames
member: cn=admin,dc=example,dc=com
member: cn=nonexistent
cn: testgroup

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

This is unexpected. The member addition was rejected, but somehow the
modification went through anyway?

Seems like something spooky is going on here...

903			send_ldap_result( op, rs );
(gdb) p rc
$4 = 19
(gdb) n
55315ce0 send_ldap_result: conn=1001 op=2 p=3
55315ce0 send_ldap_response: msgid=3 tag=103 err=19
ber_flush2: 56 bytes to sd 12
1214		op->o_dn = save_dn;
(gdb) p rc
$5 = 32768
(gdb) p rs->sr_err
$6 = 19

Am I reading that right, send_ldap_result is somehow overwriting rc in the
caller? Happens at -O0 as well as -O2.
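Added example, not part of the report or of OpenLDAP: since a server in the state described above returns a constraint violation to the client but stores the dangling member anyway, an offline audit of an LDIF dump (for example from slapcat) is a practical way to find the values that slipped through. The LDIF text is constructed to mirror the final ldapsearch output; the parser and the DN comparison are simplified as noted in the comments.

```python
import base64
from collections import defaultdict
# Constructed LDIF dump (not from the report) mirroring the final state shown above.
SAMPLE_LDIF = """\
dn: cn=admin,dc=example,dc=com
objectClass: organizationalRole

dn: cn=testgroup,dc=example,dc=com
objectClass: groupOfNames
member: cn=admin,dc=example,dc=com
member: cn=nonexistent
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; unfolds continuation lines, skips '#' comments,
    decodes base64 ('::') values. URL (':<') values are not handled."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation line: fold onto the previous one
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, defaultdict(list)
    for line in lines + [""]:             # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():              # blank line terminates an entry
            if dn is not None:
                entries.append((dn, dict(attrs)))
            dn, attrs = None, defaultdict(list)
            continue
        name, _, value = line.partition(":")
        value = base64.b64decode(value[1:].strip()).decode() if value.startswith(":") else value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs[name.lower()].append(value)
    return entries

def norm_dn(dn):
    """Comparison key: lower-cased, trimmed RDNs (assumes plain DNs, no escaped commas or multi-valued RDNs)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def find_dangling_members(text, attr="member"):
    """Map each entry DN to its `attr` values that name no entry present in the dump."""
    entries = parse_ldif(text)
    known = {norm_dn(dn) for dn, _ in entries}
    return {dn: missing for dn, attrs in entries
            if (missing := [m for m in attrs.get(attr, []) if norm_dn(m) not in known])}
```

Running `find_dangling_members(SAMPLE_LDIF)` reports the group with its `cn=nonexistent` value; the same function applied to a full dump lists every group that needs cleanup.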