https://bugs.openldap.org/show_bug.cgi?id=10398
Issue ID: 10398
Summary: memberof and refint clash on subtree renames
Product: OpenLDAP
Version: 2.6.10
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: overlays
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
If a group and its members are under a subtree that got renamed, refint will
trigger, and try to update all the relevant DNs. When it processes the group
entry, it will issue Modifies to update the DNs of the group's members. The
memberof overlay will see these modifies and start trying to update the
corresponding memberof values but will only succeed halfway.
It will try to delete the old memberof value from the old member DN's entry,
which fails because the subtree has renamed all the entries. Then it will try
to add the new memberof value to the new member DN's entry, which succeeds.
Then eventually refint will try to process the member's. It will try to delete
the old memberof value from the new entry, and add the new memberof value to
the entry. This modify request fails because the new value is already present.
The entry is left with a memberof value that points to the obsolete group DN.
The solution is for refint to set the manageDsaIt control on its repair ops,
and for memberof to ignore Modify requests with this control set.
--
You are receiving this mail because:
You are on the CC list for the issue.
