On Wed, Oct 03, 2018 at 08:25:44PM +0000, quanah@openldap.org wrote:
In a situation where a dynamic group has been created and a compare operation is run with a DN that doesn't exist but is within the scope of the dynamic group URI, the ldapcompare operation will incorrectly return an error 80 instead of error 5 (compare FALSE).
For example, if I have:
dn: cn=planning,ou=Groups,dc=example,dc=com
objectClass: groupOfURLs
cn: planning
memberURL: ldap:///ou=planning,dc=example,dc=com??sub?(objectClass=inetorgperson)
and I do an ldapcompare with:
ldapcompare -x -H ldap://anvil2.rb.symas.net -D dc=example,dc=com -w secret cn=planning,ou=Groups,dc=example,dc=com "member:cn=Ramakant Wolow,ou=Planning,dc=example,dc=com"
(i.e., this entry doesn't exist in the DB), I get:
Compare Result: Other (e.g., implementation specific) error (80)
UNDEFINED
This appears to be due to the fact that in this scenario, slapd attempts to find the DN in the underlying DB and it doesn't exist, so an err=32 is returned back. This is incorrectly interpreted as an unknown error, thus the err=80 result. Instead it should be treated as "not a member of the group".
I thought that exact scenario was being tested here? And that one passes. https://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=tests/scri...