Full_Name: Emily Backes
Version: 2.4.25
OS: any
URL:
Submission from: (NULL) (76.88.107.46)

In recent OpenLDAPs (2.4.25 at least, but I haven't found exactly where it started), memberof interacts badly with accesslog.
In a simple test case with a groupOfNames and two people, if you add a person to the group, memberOf should set their memberOf operational attribute to point to the group. That works! But currently the accesslog db will only show the change for the memberof update and not the original group change.
Digging deeper, I found:

==> hdb_add: reqStart=20110422103943.000001Z,cn=log
oc_check_required entry (reqStart=20110422103943.000001Z,cn=log), objectClass "auditModify"
oc_check_allowed type "objectClass"
oc_check_allowed type "structuralObjectClass"
oc_check_allowed type "reqStart"
oc_check_allowed type "reqEnd"
oc_check_allowed type "reqType"
oc_check_allowed type "reqSession"
oc_check_allowed type "reqAuthzID"
oc_check_allowed type "reqDN"
oc_check_allowed type "reqResult"
oc_check_allowed type "reqMod"
bdb_dn2entry("reqStart=20110422103943.000001Z,cn=log")
send_ldap_result: conn=1000 op=1 p=3
send_ldap_result: err=68 matched="" text=""

The changes are reaching accesslog, but don't make it into the logdb because their generated DNs based on reqStart match.
reqStart is generated with a generalizedTime stamp where the microseconds are an incrementing count based on o_tincr, but this does not seem to be incremented, or incremented enough.
It's not entirely clear why this is a problem now and not earlier.
This may be related to ITS#6766.
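
The following is an added example, not part of the original report or of OpenLDAP: a small scanner that finds audit records lost to the reqStart DN collision described above by pairing each add under the log suffix with the err=68 (entry already exists) result that follows it. The sample log is constructed in the format of the excerpt in the report, and the function name, the `cn=log` default and the assumption that an add and its result are not interleaved with other threads' lines are this example's own.

```python
import re

# Constructed sample, in the format of the slapd debug output quoted in the report.
SAMPLE_LOG = """\
==> hdb_add: reqStart=20110422103943.000000Z,cn=log
send_ldap_result: conn=1000 op=1 p=3
send_ldap_result: err=0 matched="" text=""
==> hdb_add: reqStart=20110422103943.000001Z,cn=log
send_ldap_result: conn=1000 op=1 p=3
send_ldap_result: err=0 matched="" text=""
==> hdb_add: reqStart=20110422103943.000001Z,cn=log
bdb_dn2entry("reqStart=20110422103943.000001Z,cn=log")
send_ldap_result: conn=1000 op=1 p=3
send_ldap_result: err=68 matched="" text=""
"""

# "bdb_add" is accepted on the assumption that back-bdb logs the same line shape.
ADD_RE = re.compile(r'^==> [hb]db_add: (reqStart=[^,]+),(.+)$')
RESULT_RE = re.compile(r'^send_ldap_result: err=(\d+)\b')
LDAP_ALREADY_EXISTS = 68  # LDAP result code entryAlreadyExists


def find_dropped_log_entries(lines, log_suffix="cn=log"):
    """Return (line_no, reqStart RDN) for each accesslog add rejected with err=68."""
    dropped = []
    pending = None  # (line_no, rdn) of the log-db add still awaiting its result
    for no, line in enumerate(lines, 1):
        line = line.strip()
        m = ADD_RE.match(line)
        if m:
            # Only adds under the accesslog suffix are audit records.
            pending = (no, m.group(1)) if m.group(2) == log_suffix else None
            continue
        m = RESULT_RE.match(line)
        if m and pending:
            if int(m.group(1)) == LDAP_ALREADY_EXISTS:
                dropped.append(pending)
            pending = None
    return dropped


if __name__ == "__main__":
    for no, rdn in find_dropped_log_entries(SAMPLE_LOG.splitlines()):
        print(f"line {no}: audit record {rdn} not written (err=68, DN already exists)")
```

Each hit is a change that was applied to the directory but has no corresponding entry in the accesslog database.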