Howard Chu wrote:
> michael(a)stroeder.com wrote:
>> Note that with assertion control always
>> Operations error: "unique_search failed"
>> is returned even if the attribute values are unique.
>>
>> I'd really like to get this solved. web2ldap makes use of the assertion
>> control to ensure that an entry has not been changed since being
>> edited by the user. Otherwise I have to implement another vendor-specific
>> hack switching off this feature when OpenLDAP is used as server. :-(
>
> First step toward a solution would be providing slapd -d output for the
> problem. Probably a sample config would help too.

(Sigh! Did anybody actually read through my report?)

Take any slapd.conf with database hdb and add these lines (no other overlays
configured):

overlay unique
unique_attributes uid uidNumber employeeNumber

Or any other LDAP-URL-based unique constraint...

Then apply an LDIF change record (example below) which contains any of the
attributes defined as unique (no matter whether the unique constraint is violated
or not).

------------------------------- snip -------------------------------
dn: cn=Anna Blume,ou=Users,ou=schulung,dc=stroeder,dc=local
changetype: modify
replace: employeeNumber
employeeNumber: 456
-
------------------------------- snip -------------------------------

Try these commands (bind-DN is the rootdn here):

Without assertion control it works:

$ ldapmodify -H ldap://localhost:2071 \
    -D "uid=diradm,ou=schulung,dc=stroeder,dc=local" \
    -w testsecret -f unique.ldif
modifying entry "cn=Anna Blume,ou=Users,ou=schulung,dc=stroeder,dc=local"

Assertion control just contains objectClass filter:

$ ldapmodify -H ldap://localhost:2071 \
    -D "uid=diradm,ou=schulung,dc=stroeder,dc=local" \
    -w testsecret -f unique.ldif -e 'assert=(objectClass=*)'
modifying entry "cn=Anna Blume,ou=Users,ou=schulung,dc=stroeder,dc=local"

This fails:

$ ldapmodify -H ldap://localhost:2071 \
    -D "uid=diradm,ou=schulung,dc=stroeder,dc=local" \
    -w testsecret -f unique.ldif -e 'assert=(cn=*)'
modifying entry "cn=Anna Blume,ou=Users,ou=schulung,dc=stroeder,dc=local"
ldap_modify: Operations error (1)
        additional info: unique_search failed

Output of slapd -d config,stats,stats2,acl,args,trace,sync:
------------------------------- snip -------------------------------
[..]
conn=1000 op=1 modifications:
replace: employeeNumber
one value, length 3
conn=1000 op=1 MOD dn="cn=Anna Blume,ou=Users,ou=schulung,dc=stroeder,dc=local"
conn=1000 op=1 MOD attr=employeeNumber
bdb_dn2entry("cn=anna blume,ou=users,ou=schulung,dc=stroeder,dc=local")
=> hdb_dn2id("ou=users,ou=schulung,dc=stroeder,dc=local")
<= hdb_dn2id: got id=0x6
=> hdb_dn2id("cn=anna blume,ou=users,ou=schulung,dc=stroeder,dc=local")
<= hdb_dn2id: got id=0xd
entry_decode: ""
<= entry_decode()
==> unique_modify <cn=Anna Blume,ou=Users,ou=schulung,dc=stroeder,dc=local>
==> unique_search (|(employeeNumber=456))
put_filter: "(|(employeeNumber=456))"
put_filter: OR
put_filter_list "(employeeNumber=456)"
put_filter: "(employeeNumber=456)"
put_filter: simple
put_simple_filter: "employeeNumber=456"
ber_scanf fmt ({mm}) ber:
=> hdb_search
bdb_dn2entry("ou=schulung,dc=stroeder,dc=local")
=> access_allowed: search access to "ou=schulung,dc=stroeder,dc=local" "entry" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "ou=schulung,dc=stroeder,dc=local" "cn" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
send_ldap_result: conn=1000 op=1 p=3
send_ldap_result: err=122 matched="" text=""
send_ldap_result: conn=1000 op=1 p=3
send_ldap_result: err=1 matched="" text="unique_search failed"
send_ldap_response: msgid=2 tag=103 err=1
ber_flush2: 34 bytes to sd 16
conn=1000 op=1 RESULT tag=103 err=1 text=unique_search failed
connection_get(16)
connection_get(16): got connid=1000
connection_read(16): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
op tag 0x42, time 1304069972
ber_get_next
ber_get_next on fd 16 failed errno=0 (Success)
conn=1000 op=2 do_unbind
conn=1000 op=2 UNBIND
connection_close: conn=1000 sd=16
conn=1000 fd=16 closed
------------------------------- snip -------------------------------
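
Added example, not part of the original message and not OpenLDAP or web2ldap code: a small Python triage helper for the symptom visible in the trace above, where a `send_ldap_result` with err=122 (the assertionFailed result code defined in RFC 4528) is followed by err=1 "unique_search failed" for the same connection and operation. The function name and the conn=1001 sample lines are constructed for illustration.

```python
import re

# Constructed sample: conn=1000 lines are from the trace above, conn=1001 is made up.
SAMPLE_LOG = '''\
==> unique_search (|(employeeNumber=456))
send_ldap_result: conn=1000 op=1 p=3
send_ldap_result: err=122 matched="" text=""
send_ldap_result: conn=1000 op=1 p=3
send_ldap_result: err=1 matched="" text="unique_search failed"
==> unique_search (|(employeeNumber=457))
send_ldap_result: conn=1001 op=1 p=3
send_ldap_result: err=0 matched="" text=""
'''

ASSERTION_FAILED = 122   # LDAP resultCode assertionFailed (RFC 4528)
OPERATIONS_ERROR = 1     # LDAP resultCode operationsError

HEADER = re.compile(r'send_ldap_result: conn=(\d+) op=(\d+) ')
RESULT = re.compile(r'send_ldap_result: err=(\d+) matched="[^"]*" text="([^"]*)"')
SEARCH = re.compile(r'==> unique_search (.+)')


def find_masked_assertion_failures(log_text):
    """Return (conn, op, filter) for every operation whose trace shows
    err=122 followed by err=1 'unique_search failed'."""
    findings = []
    saw_122 = set()      # (conn, op) pairs that already logged err=122
    current = None       # (conn, op) named by the latest header line
    last_filter = None   # filter of the latest unique_search
    for line in log_text.splitlines():
        line = line.strip()
        if m := SEARCH.match(line):
            last_filter = m.group(1)
        elif m := HEADER.match(line):
            current = (int(m.group(1)), int(m.group(2)))
        elif (m := RESULT.match(line)) and current is not None:
            err, text = int(m.group(1)), m.group(2)
            if err == ASSERTION_FAILED:
                saw_122.add(current)
            elif (err == OPERATIONS_ERROR and text == "unique_search failed"
                  and current in saw_122):
                findings.append((*current, last_filter))
            current = None   # a result line consumes its header
    return findings

if __name__ == "__main__":
    print(find_masked_assertion_failures(SAMPLE_LOG))
```
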