Howard Chu wrote:
> [email protected] wrote:
>> Note that with assertion control always
>> Operations error: "unique_search failed"
>> is returned even if the attribute values are unique.
>>
>> I'd really like to get this solved. web2ldap makes use of the assertion
>> control to ensure that an entry has not been changed since being edited
>> by the user. Otherwise I have to implement another vendor-specific hack
>> switching off this feature when OpenLDAP is used as server. :-(
>
> First step toward a solution would be providing slapd -d output for the
> problem. Probably a sample config would help too.

(Sigh! Did anybody actually read through my report?)

Take any slapd.conf with database hdb and add these lines (no other overlays
configured):

overlay unique
unique_attributes uid uidNumber employeeNumber

Or any other LDAP-URL-based unique constraint...

Then apply an LDIF change record (example below) which contains any of the
attributes defined as unique (no matter whether unique constraint is violated
or not).

------------------------------- snip -------------------------------
dn: cn=Anna Blume,ou=Users,ou=schulung,dc=stroeder,dc=local
changetype: modify
replace: employeeNumber
employeeNumber: 456
-
------------------------------- snip -------------------------------

Try these commands (bind-DN is the rootdn here):

Without assertion control it works:

$ ldapmodify -H ldap://localhost:2071 -D "uid=diradm,ou=schulung,dc=stroeder,dc=local" -w testsecret -f unique.ldif
modifying entry "cn=Anna Blume,ou=Users,ou=schulung,dc=stroeder,dc=local"

Assertion control just contains objectClass filter:

$ ldapmodify -H ldap://localhost:2071 -D "uid=diradm,ou=schulung,dc=stroeder,dc=local" -w testsecret -f unique.ldif -e 'assert=(objectClass=*)'
modifying entry "cn=Anna Blume,ou=Users,ou=schulung,dc=stroeder,dc=local"

This fails:

$ ldapmodify -H ldap://localhost:2071 -D "uid=diradm,ou=schulung,dc=stroeder,dc=local" -w testsecret -f unique.ldif -e 'assert=(cn=*)'
modifying entry "cn=Anna Blume,ou=Users,ou=schulung,dc=stroeder,dc=local"
ldap_modify: Operations error (1)
        additional info: unique_search failed

Output of slapd -d config,stats,stats2,acl,args,trace,sync:

------------------------------- snip -------------------------------
[..]
conn=1000 op=1 modifications:
        replace: employeeNumber
                one value, length 3
conn=1000 op=1 MOD dn="cn=Anna Blume,ou=Users,ou=schulung,dc=stroeder,dc=local"
conn=1000 op=1 MOD attr=employeeNumber
bdb_dn2entry("cn=anna blume,ou=users,ou=schulung,dc=stroeder,dc=local")
=> hdb_dn2id("ou=users,ou=schulung,dc=stroeder,dc=local")
<= hdb_dn2id: got id=0x6
=> hdb_dn2id("cn=anna blume,ou=users,ou=schulung,dc=stroeder,dc=local")
<= hdb_dn2id: got id=0xd
entry_decode: ""
<= entry_decode()
==> unique_modify <cn=Anna Blume,ou=Users,ou=schulung,dc=stroeder,dc=local>
==> unique_search (|(employeeNumber=456))
put_filter: "(|(employeeNumber=456))"
put_filter: OR
put_filter_list "(employeeNumber=456)"
put_filter: "(employeeNumber=456)"
put_filter: simple
put_simple_filter: "employeeNumber=456"
ber_scanf fmt ({mm}) ber:
=> hdb_search
bdb_dn2entry("ou=schulung,dc=stroeder,dc=local")
=> access_allowed: search access to "ou=schulung,dc=stroeder,dc=local" "entry" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "ou=schulung,dc=stroeder,dc=local" "cn" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
send_ldap_result: conn=1000 op=1 p=3
send_ldap_result: err=122 matched="" text=""
send_ldap_result: conn=1000 op=1 p=3
send_ldap_result: err=1 matched="" text="unique_search failed"
send_ldap_response: msgid=2 tag=103 err=1
ber_flush2: 34 bytes to sd 16
conn=1000 op=1 RESULT tag=103 err=1 text=unique_search failed
connection_get(16)
connection_get(16): got connid=1000
connection_read(16): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
op tag 0x42, time 1304069972
ber_get_next
ber_get_next on fd 16 failed errno=0 (Success)
conn=1000 op=2 do_unbind
conn=1000 op=2 UNBIND
connection_close: conn=1000 sd=16
conn=1000 fd=16 closed
------------------------------- snip -------------------------------
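
Added example, not part of the original message: a small Python filter for slapd -d trace output that groups the send_ldap_result lines by connection and operation and reports operations where err=122 (assertionFailed, RFC 4528) was logged before a final err=1 "unique_search failed", the sequence visible in the trace above. The sample lines are constructed in the format of that trace, the function names are hypothetical, and it assumes each "conn= op=" header line is directly followed by its "err=" line.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the slapd -d trace quoted in the message.
SAMPLE = '''\
conn=1000 op=1 MOD attr=employeeNumber
==> unique_search (|(employeeNumber=456))
send_ldap_result: conn=1000 op=1 p=3
send_ldap_result: err=122 matched="" text=""
send_ldap_result: conn=1000 op=1 p=3
send_ldap_result: err=1 matched="" text="unique_search failed"
conn=1000 op=1 RESULT tag=103 err=1 text=unique_search failed
send_ldap_result: conn=1001 op=1 p=3
send_ldap_result: err=0 matched="" text=""
conn=1001 op=1 RESULT tag=103 err=0 text=
'''

ASSERTION_FAILED = 122  # LDAP assertionFailed result code (RFC 4528)
OPERATIONS_ERROR = 1    # LDAP operationsError
HDR = re.compile(r'^send_ldap_result: conn=(\d+) op=(\d+)\b')
RES = re.compile(r'^send_ldap_result: err=(\d+) matched="[^"]*" text="([^"]*)"')

def result_chains(log_text):
    """Map (conn, op) -> [(err, text), ...] in the order slapd logged them."""
    chains, current = defaultdict(list), None
    for line in log_text.splitlines():
        m = HDR.match(line.strip())
        if m:  # header line: remember which operation the next err= belongs to
            current = (int(m.group(1)), int(m.group(2)))
            continue
        m = RES.match(line.strip())
        if m and current is not None:
            chains[current].append((int(m.group(1)), m.group(2)))
            current = None
    return dict(chains)

def masked_assertion_failures(log_text):
    """Ops that ended in err=1 'unique_search failed' after an earlier err=122."""
    hits = []
    for key, chain in result_chains(log_text).items():
        earlier = [err for err, _ in chain[:-1]]
        last_err, last_text = chain[-1]
        if (last_err == OPERATIONS_ERROR and "unique_search failed" in last_text
                and ASSERTION_FAILED in earlier):
            hits.append(key)
    return sorted(hits)

if __name__ == "__main__":
    print(masked_assertion_failures(SAMPLE))
```
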
