henjes@informatik.uni-wuerzburg.de wrote:
Full_Name: Robert Henjes
Version: 2.4.23-4
OS: Debian Squeeze
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (132.187.12.89)
Hi,
While using the memberof overlay I recognized the following problem in conjunction with groupOfNames. If you try to add an empty group of names you have to set at least one member attribute, since it is mandatory. One could have the idea to point to the group DN itself. If the memberof overlay is active, this leads to a loop while executing an ldapadd. I assume this happens while the memberof overlay is triggered. I tried to analyze the slapd debug output, but it stops after the addition is completed.
Example LDIF file:

dn: cn=stupid,ou=groups,dc=domain
objectClass: top
objectClass: groupOfNames
cn: stupid
member: cn=stupid,ou=groups,dc=domain

The slapd server seems to proceed working, except for the add process and the subtree where the LDIF gets added. You cannot stop the slapd server in a normal way, you just have to do a "kill -9". After that the LDIF file seems to be added, but I assume that the memberof overlay representation is inconsistent.
The memberof overlay should be aware of such situations, even if building loops in dn references is in general not a good idea.
The memberof code in HEAD has been patched to ignore these cases. Possibly we can add additional code to insert the member/memberOf value as appropriate, but I haven't done so in this patch.
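
Added example, not part of the original report or of the OpenLDAP code: a pre-import check that flags groupOfNames entries listing their own DN as a member, for servers that do not yet carry the fix. The function names, the simplified DN comparison and all sample entries other than the one from the report are assumptions made for illustration.

```python
import base64
import re

# Constructed sample input; only the first entry comes from the report.
SAMPLE_LDIF = (
    "dn: cn=stupid,ou=groups,dc=domain\nobjectClass: top\n"
    "objectClass: groupOfNames\ncn: stupid\n"
    "member: cn=stupid,ou=groups,dc=domain\n\n"
    "dn: cn=ok,ou=groups,dc=domain\nobjectClass: groupOfNames\n"
    "member: cn=alice,ou=people,dc=domain\n\n"
    "dn: cn=hidden,ou=groups,dc=domain\nobjectClass: groupOfNames\n"
    "member:: " + base64.b64encode(b"CN=Hidden, OU=Groups,DC=domain").decode() + "\n"
)

def normalize_dn(dn):
    # Simplified comparison (assumption): split on unescaped commas, trim
    # spaces, fold case. A real server applies per-attribute matching rules.
    pairs = (rdn.partition("=") for rdn in re.split(r"(?<!\\),", dn))
    return ",".join(a.strip().lower() + "=" + v.strip().lower() for a, _, v in pairs)

def parse_ldif(text):
    # Unfold continuation lines, split entries on blank lines, decode "attr:: base64".
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):
            lines.append(raw)
    entries, current = [], []
    for line in lines + [""]:
        if not line.strip():
            if current:
                entries.append(current)
            current = []
            continue
        attr, _, rest = line.partition(":")
        is_b64 = rest.startswith(":")
        value = base64.b64decode(rest[1:].strip()).decode("utf-8") if is_b64 else rest.strip()
        current.append((attr.strip().lower(), value))
    return entries

def self_member_groups(text):
    # DNs of groupOfNames entries that list their own DN as a member value.
    hits = []
    for entry in parse_ldif(text):
        dn = next((v for a, v in entry if a == "dn"), None)
        is_group = any(a == "objectclass" and v.lower() == "groupofnames" for a, v in entry)
        members = {normalize_dn(v) for a, v in entry if a == "member"}
        if dn and is_group and normalize_dn(dn) in members:
            hits.append(dn)
    return hits
```

Running `self_member_groups` over an LDIF file before handing it to ldapadd lets the import be rejected or the entry rewritten with a different placeholder member.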