Details
-
Bug
-
Resolution: Fixed
-
Minor
-
2.3.0
-
None
Description
LDAP-Group provisioning obviously requires that the configured singleGroupSearchFilter actually finds existing ldap groups. If it does not find the existing group, PSPNG will repeatedly try to create it, likely resulting in "LDAP: error code 68 - Entry Already Exists" errors
For performance reasons, when PSPNG needs to work with multiple grouper groups, it combines multiple singleGroupSearchFilters into a single OR query and unwinds the (unordered) results with a second, fast in-memory search. Unfortunately, unboundid's in-memory search is not compatible with DN escaping. Therefore, filtering on dn/entryDn/DistinguishedName can lead to "Entry Already Exists" errors when the bulk ldap fetch works but unboundid's in-memory search fails and then PSPNG tries to create another copy of the group.