Full_Name: Ryan Tandy
Version: RE24
OS: Ubuntu
URL:
Submission from: (NULL) (142.31.146.2)

$ git describe
OPENLDAP_REL_ENG_2_4_40-208-gfd03ec0
$ ./configure --disable-bdb --disable-hdb --enable-memberof && make -j8 && sudo make STRIP= install
[...]
$ slapadd -Fconfig.d -n0
dn: cn=config
objectClass: olcGlobal

dn: cn=schema,cn=config
objectClass: olcSchemaConfig

include: file:///usr/local/etc/openldap/schema/core.ldif
include: file:///usr/local/etc/openldap/schema/cosine.ldif

dn: olcDatabase={1}mdb,cn=config
objectClass: olcMdbConfig
olcDbDirectory: data.d
olcSuffix: dc=example,dc=com
olcDbIndex: objectClass eq
olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read

dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
objectClass: olcMemberOf
olcMemberOfDangling: error

$ slapadd -Fconfig.d
dn: dc=example,dc=com
objectClass: domain

dn: cn=admin,dc=example,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
userPassword: secret

$ /usr/local/libexec/slapd -h ldap://:9000 -Fconfig.d
$ ldapadd -H ldap://:9000 -x -D cn=admin,dc=example,dc=com -w secret
dn: cn=testgroup,dc=example,dc=com
objectClass: groupOfNames
member: cn=nonexistent

adding new entry "cn=testgroup,dc=example,dc=com"
ldap_add: Constraint violation (19)
additional info: adding non-existing object as group member

$ ldapsearch -H ldap://:9000 -x -b cn=testgroup,dc=example,dc=com
# extended LDIF
#
# LDAPv3
# base <cn=testgroup,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object
matchedDN: dc=example,dc=com

# numResponses: 1

OK, that's fine. The new entry was rejected.

$ ldapadd -H ldap://:9000 -x -D cn=admin,dc=example,dc=com -w secret
dn: cn=testgroup,dc=example,dc=com
objectClass: groupOfNames
member: cn=admin,dc=example,dc=com

adding new entry "cn=testgroup,dc=example,dc=com"

dn: cn=testgroup,dc=example,dc=com
changetype: modify
add: member
member: cn=nonexistent

modifying entry "cn=testgroup,dc=example,dc=com"
ldap_modify: Constraint violation (19)
additional info: adding non-existing object as group member

$ ldapsearch -H ldap://:9000 -x -b cn=testgroup,dc=example,dc=com
# extended LDIF
#
# LDAPv3
# base <cn=testgroup,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# testgroup, example.com
dn: cn=testgroup,dc=example,dc=com
objectClass: groupOfNames
member: cn=admin,dc=example,dc=com
member: cn=nonexistent
cn: testgroup

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

This is unexpected. The member addition was rejected, but somehow the modification went through anyway?
Seems like something spooky is going on here...

903 9%9 send_ldap_result( op, rs );
(gdb) p rc
$4 = 19
(gdb) n
55315ce0 send_ldap_result: conn=1001 op=2 p=3
55315ce0 send_ldap_response: msgid=3 tag=103 err=19
ber_flush2: 56 bytes to sd 12
1214 op->o_dn = save_dn;
(gdb) p rc
$5 = 32768
(gdb) p rs->sr_err
$6 = 19

Am I reading that right, send_ldap_result is somehow overwriting rc in the caller? Happens at -O0 as well as -O2.
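
The mismatch shown in this report (a modify answered with result 19 that still changed the stored entry) can be checked mechanically by comparing the entry before and after the rejected operation. The script below is an added example, not part of the original report or of OpenLDAP; the function names are hypothetical, BEFORE_SAMPLE is constructed from the ldapadd input above, and AFTER_SAMPLE is taken from the second ldapsearch output.

```shell
#!/bin/sh
# Reduce ldapsearch output to a comparable form: drop comment lines, blank
# lines and the "search:"/"result:" trailer, then sort the attribute lines.
normalize_ldif() {
    grep -v -e '^#' -e '^$' -e '^search:' -e '^result:' | sort
}

# check_rejected_modify RESULT_CODE BEFORE_LDIF AFTER_LDIF
# Returns 1 when the server answered with an error (non-zero LDAP result
# code) but the stored entry differs from its pre-operation state.
check_rejected_modify() {
    rc=$1
    before=$(printf '%s\n' "$2" | normalize_ldif)
    after=$(printf '%s\n' "$3" | normalize_ldif)
    if [ "$rc" -eq 0 ] || [ "$before" = "$after" ]; then
        return 0
    fi
    echo "result $rc returned, but the entry changed:" >&2
    tmp=$(mktemp)
    printf '%s\n' "$before" > "$tmp"
    # Print only the lines that were not present before the operation.
    printf '%s\n' "$after" | grep -Fxv -f "$tmp" | sed 's/^/  + /' >&2
    rm -f "$tmp"
    return 1
}

# Constructed: the entry as created by the successful ldapadd.
BEFORE_SAMPLE='dn: cn=testgroup,dc=example,dc=com
objectClass: groupOfNames
member: cn=admin,dc=example,dc=com
cn: testgroup'

# From the report: ldapsearch output after the rejected modify.
AFTER_SAMPLE='# testgroup, example.com
dn: cn=testgroup,dc=example,dc=com
objectClass: groupOfNames
member: cn=admin,dc=example,dc=com
member: cn=nonexistent
cn: testgroup

# search result
search: 2
result: 0 Success'

# With the report's data this prints "inconsistent".
status() { if check_rejected_modify 19 "$BEFORE_SAMPLE" "$AFTER_SAMPLE"; then echo consistent; else echo inconsistent; fi; }
```

Against a live server, capture both snapshots with ldapsearch -LLL -o ldif-wrap=no so that long values are not folded across lines before comparison.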