From 4d93699a71acb061c5787d2b8b61a0417ce02808 Mon Sep 17 00:00:00 2001 From: Nathan Kinder Date: Fri, 22 Jan 2010 09:37:08 -0800 Subject: Bug 536703 - Don't send empty mod to AD for mapped DN values When using winsync, setting a mapped DN attribute (such as seeAlso) to a DN outside the scope of the sync agreement causes an empty modify operation to be sent to AD. This causes AD to respond with LDAP error 89, which triggers the update to abort. The problem is that windows_update_remote_entry() uses a flag to determine if it has a modify to send to AD. This flag is set by windows_generate_update_mods(), but the mods are empty since it is detecting that the DN used in seeAlso is not in the scope of the sync agreement. The fix is to only set the modify flag if we actually have mods to send. --- ldap/servers/plugins/replication/windows_protocol_util.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/ldap/servers/plugins/replication/windows_protocol_util.c b/ldap/servers/plugins/replication/windows_protocol_util.c index 2c31c4f9..537e453a 100644 --- a/ldap/servers/plugins/replication/windows_protocol_util.c +++ b/ldap/servers/plugins/replication/windows_protocol_util.c @@ -3818,7 +3818,11 @@ windows_generate_update_mods(Private_Repl_Protocol *prp,Slapi_Entry *remote_entr slapi_mods_add_mod_values(smods,LDAP_MOD_ADD,local_type,valueset_get_valuearray(vs)); } } - *do_modify = 1; + + /* Only set the do_modify flag if smods is not empty */ + if (slapi_mods_get_num_mods(smods) > 0) { + *do_modify = 1; + } } } -- cgit