Fixed handling of modify operations that delete all present member

values without specifying the values to delete in the memberOf
plug-in.  Member entries were not being updated because the code
used the values in the mod to find the member entries to update.

The fix is to detect when a delete modify has no values specified
and just use the replace code since it compares the pre-op and
post-op copies of the group to figure out what member entries to
update.

439097

1 files changed, 13 insertions, 2 deletions

diff --git a/ipa-server/ipa-slapi-plugins/ipa-memberof/ipa-memberof.c b/ipa-server/ipa-slapi-plugins/ipa-memberof/ipa-memberof.c
index c8ad71b36..b8b3b046b 100644
--- a/ipa-server/ipa-slapi-plugins/ipa-memberof/ipa-memberof.c
+++ b/ipa-server/ipa-slapi-plugins/ipa-memberof/ipa-memberof.c
@@ -652,8 +652,19 @@ int ipamo_postop_modify(Slapi_PBlock *pb)
 				
 				case LDAP_MOD_DELETE:
 					{
-						/* remove group DN from targets */
-						ipamo_del_smod_list(pb, dn, smod);
+						/* If there are no values in the smod, we should
+						 * just do a replace instead.  The  user is just
+						 * trying to delete all members from this this
+						 * entry, which the replace code deals with. */
+						if (slapi_mod_get_num_values(smod) == 0)
+						{
+							memberof_replace_list(pb, dn);
+						}
+						else
+						{
+							/* remove group DN from target values in smod*/
+							memberof_del_smod_list(pb, dn, smod);
+						}
 						break;
 					}