Full_Name: Emily Backes
Version: 2.4.25
OS: any
URL:
Submission from: (NULL) (76.88.107.46)
In recent OpenLDAPs (2.4.25 at least, but I haven't found exactly where
it started), memberof interacts badly with accesslog.
In a simple test case with a groupOfNames and two people, if you add a
person to the group, memberOf should set their memberOf operational
attribute to point to the group. That works! But currently the
accesslog db will only show the change for the memberof update and not
the original group change.
Digging deeper, I found:
==> hdb_add: reqStart=20110422103943.000001Z,cn=log
oc_check_required entry (reqStart=20110422103943.000001Z,cn=log), objectClass
"auditModify"
oc_check_allowed type "objectClass"
oc_check_allowed type "structuralObjectClass"
oc_check_allowed type "reqStart"
oc_check_allowed type "reqEnd"
oc_check_allowed type "reqType"
oc_check_allowed type "reqSession"
oc_check_allowed type "reqAuthzID"
oc_check_allowed type "reqDN"
oc_check_allowed type "reqResult"
oc_check_allowed type "reqMod"
bdb_dn2entry("reqStart=20110422103943.000001Z,cn=log")
send_ldap_result: conn=1000 op=1 p=3
send_ldap_result: err=68 matched="" text=""
The changes are reaching accesslog, but don't make it into the logdb
because their generated DNs based on reqStart match.
reqStart is generated with a generalizedTime stamp where the
microseconds are an incrementing count based on o_tincr, but this does
not seem to be incremented, or incremented enough.
It's not entirely clear why this is a problem now and not earlier.
This may be related to ITS#6766.
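Added illustration, not part of the report or of OpenLDAP's own code: a small Python model of the reqStart naming described above, showing how a counter (o_tincr) that does not advance yields duplicate cn=log DNs, plus a scanner that flags accesslog adds in slapd debug output that end in a non-zero result, so dropped audit records can be noticed. The per-second-counter model is a simplification (an assumption), and the sample log lines are constructed to mirror the ones quoted in the report.

```python
import re
from datetime import datetime

# Timestamp taken from the reqStart value quoted in the report (constructed input).
T = datetime(2011, 4, 22, 10, 39, 43)

# 1. Simplified model (assumption, not slapd's code) of how accesslog names entries:
#    generalizedTime plus a per-second counter (o_tincr) as the microsecond field.
#    Equal counter values in one second give equal DNs, so the later add fails with
#    err=68 (entryAlreadyExists) and that audit record is lost.
def reqstart_dn(when, tincr):
    """Build reqStart=YYYYmmddHHMMSS.uuuuuuZ,cn=log for one log entry."""
    return "reqStart=%s.%06dZ,cn=log" % (when.strftime("%Y%m%d%H%M%S"), tincr)

def colliding_dns(when, tincr_values):
    """Return the DNs that occur more than once for a burst of entries in one second."""
    dns = [reqstart_dn(when, t) for t in tincr_values]
    return sorted({d for d in dns if dns.count(d) > 1})

# 2. Detection: scan slapd debug output for accesslog adds with a non-zero result.
#    Sample lines are constructed to mirror the shape of those quoted in the report.
SAMPLE_LOG = """\
==> hdb_add: reqStart=20110422103943.000001Z,cn=log
bdb_dn2entry("reqStart=20110422103943.000001Z,cn=log")
send_ldap_result: conn=1000 op=1 p=3
send_ldap_result: err=0 matched="" text=""
==> hdb_add: reqStart=20110422103943.000001Z,cn=log
bdb_dn2entry("reqStart=20110422103943.000001Z,cn=log")
send_ldap_result: conn=1000 op=1 p=3
send_ldap_result: err=68 matched="" text=""
"""

ADD_RE = re.compile(r'^==> \w+_add: (reqStart=\d{14}\.\d{6}Z,cn=log)')
ERR_RE = re.compile(r'^send_ldap_result: err=(\d+)')

def dropped_audit_entries(text):
    """(dn, err) for every accesslog add whose result was not success (err=0)."""
    dropped, pending = [], None
    for line in text.splitlines():
        m = ADD_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = ERR_RE.match(line)
        if m and pending is not None:
            if int(m.group(1)) != 0:
                dropped.append((pending, int(m.group(1))))
            pending = None
    return dropped
```

Running the scanner over a real slapd trace requires a loglevel that includes backend tracing; with the sample above it reports the one cn=log add that failed with err=68.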