Hi,
I'm working on writing a custom authorization app on top of OpenLDAP. I am currently using OpenLDAP version 2.4.26, and using the C API to interact with it. I am trying to use the memberof overlay with memberof-dangling set to error and memberof-refint set to true. I noticed a weird issue which happens here.
Steps:
1. I add a group with one/zero members who are present in the system.
2. I update the group with one or more non-existent users using ldap_modify_ext with mod_op as LDAP_MOD_REPLACE. In this case, ldap throws up the error 'send_ldap_result: err=19 matched="" text="adding non-existing object as group member" ', but still goes ahead and adds the non-existing member to the group even though the operation should fail.
Note that in the "memberof-dangling drop" case the non-existent users are not added, though no error is thrown. This seems to be working as expected.
Also doing ldap_modify_ext with LDAP_MOD_ADD works as expected too, where the same error is thrown but users are not added.
Am I missing something?
My slapd.conf has the following relevant configurations:
    overlay memberof
    memberof-group-oc customGroup
    memberof-dangling error
    memberof-refint true
Thanks, Vikram
[Reposting as I do not see my first attempt in the archives]
openldap-technical@openldap.org
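The two modifications described in the post, reproduced with the OpenLDAP command-line clients rather than the C API, as an added example that is not part of the original message. The point of the script is the read-back step: after each ldapmodify it fetches the group's member values with ldapsearch and reports whether the dangling DN was stored, so the outcome is judged by the entry on the server and not by the result code alone. Everything here is assumed for illustration: the group cn=testgroup under ou=groups,dc=example,dc=com, an existing user uid=alice and a non-existent uid=ghost under ou=people,dc=example,dc=com, and a server URI plus bind DN/password in the LDAP_URI, LDAP_BINDDN and LDAP_BINDPW environment variables. Without LDAP_URI set, the script only prints the LDIF it would send.

```shell
#!/bin/sh
# Reproduction of the memberof-dangling=error behaviour from the post above,
# using ldapmodify/ldapsearch instead of ldap_modify_ext. All DNs and the
# LDAP_URI/LDAP_BINDDN/LDAP_BINDPW variables are assumptions for this example.
set -e

GROUP_DN="${GROUP_DN:-cn=testgroup,ou=groups,dc=example,dc=com}"
EXISTING="${EXISTING:-uid=alice,ou=people,dc=example,dc=com}"
MISSING="${MISSING:-uid=ghost,ou=people,dc=example,dc=com}"

# LDIF equivalent of LDAP_MOD_REPLACE on member: the listed values become
# the complete new value set of the attribute.
replace_members_ldif() {
    dn=$1; shift
    printf 'dn: %s\nchangetype: modify\nreplace: member\n' "$dn"
    for m in "$@"; do printf 'member: %s\n' "$m"; done
}

# LDIF equivalent of LDAP_MOD_ADD on member: the listed values are added
# to whatever is already stored.
add_members_ldif() {
    dn=$1; shift
    printf 'dn: %s\nchangetype: modify\nadd: member\n' "$dn"
    for m in "$@"; do printf 'member: %s\n' "$m"; done
}

# Send one LDIF change; returns ldapmodify's exit status (non-zero on err=19,
# LDAP constraintViolation, which is what the post's log line reports).
apply_ldif() {
    ldapmodify -x -H "$LDAP_URI" -D "$LDAP_BINDDN" -w "$LDAP_BINDPW" >/dev/null 2>&1
}

# Read the member values currently stored on the group entry.
current_members() {
    ldapsearch -LLL -x -H "$LDAP_URI" -D "$LDAP_BINDDN" -w "$LDAP_BINDPW" \
        -b "$1" -s base '(objectClass=*)' member | sed -n 's/^member: //p'
}

# Returns 0 if DN $2 is listed as a member of group $1, 1 otherwise.
group_has_member() {
    current_members "$1" | grep -Fxq "$2"
}

# Put the group back to step 1 of the post: only the existing user as member.
reset_group() {
    replace_members_ldif "$GROUP_DN" "$EXISTING" | apply_ldif
}

# Apply either the replace or the add variant and report both the server's
# verdict and what is actually stored afterwards.
try_dangling() {
    case $1 in
        replace) ldif=$(replace_members_ldif "$GROUP_DN" "$EXISTING" "$MISSING") ;;
        add)     ldif=$(add_members_ldif "$GROUP_DN" "$MISSING") ;;
        *) echo "usage: try_dangling replace|add" >&2; return 2 ;;
    esac
    reset_group
    if printf '%s\n' "$ldif" | apply_ldif; then
        echo "$1: server returned success"
    else
        echo "$1: server returned an error (expected err=19 constraintViolation)"
    fi
    if group_has_member "$GROUP_DN" "$MISSING"; then
        echo "$1: dangling member IS stored in the group"
    else
        echo "$1: dangling member is NOT stored in the group"
    fi
}

# Only talk to a server when one is configured; otherwise just show the LDIF.
if [ -n "${LDAP_URI:-}" ] && command -v ldapmodify >/dev/null 2>&1; then
    try_dangling replace
    try_dangling add
else
    replace_members_ldif "$GROUP_DN" "$EXISTING" "$MISSING"
    echo
    add_members_ldif "$GROUP_DN" "$MISSING"
fi
```

With the overlay configured as in the post, the expected output for a correctly enforced memberof-dangling error is "server returned an error" followed by "dangling member is NOT stored" for both variants; a run where the replace case reports the error but then "IS stored" reproduces the mismatch the post describes.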