New subject: [Issue 10398] memberof and refint clash on subtree renames

7 Oct 2025


      https://bugs.openldap.org/show_bug.cgi?id=10398
Issue ID: 10398
           Summary: memberof and refint clash on subtree renames
           Product: OpenLDAP
           Version: 2.6.10
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Keywords: needs_review
          Severity: normal
          Priority: ---
         Component: overlays
          Assignee: bugs@openldap.org
          Reporter: hyc@openldap.org
  Target Milestone: ---
If a group and its members are under a subtree that got renamed, refint will
trigger, and try to update all the relevant DNs. When it processes the group
entry, it will issue Modifies to update the DNs of the group's members. The
memberof overlay will see these modifies and start trying to update the
corresponding memberof values but will only succeed halfway.
It will try to delete the old memberof value from the old member DN's entry,
which fails because the subtree has renamed all the entries. Then it will try
to add the new memberof value to the new member DN's entry, which succeeds.
Then eventually refint will try to process the member's. It will try to delete
the old memberof value from the new entry, and add the new memberof value to
the entry. This modify request fails because the new value is already present.
The entry is left with a memberof value that points to the obsolete group DN.
The solution is for refint to set the manageDsaIt control on its repair ops,
and for memberof to ignore Modify requests with this control set.
-- 
You are receiving this mail because:
You are on the CC list for the issue.

[Issue 10398] New: memberof and refint clash on subtree renames