From 33b7ed9a7910936a30bf3fd8f1aeff9321e1efa4 Mon Sep 17 00:00:00 2001
From: James Chapman <jachapma@redhat.com>
Date: Tue, 4 Feb 2025 15:40:16 +0000
Subject: [PATCH] Issue 6566 - RI plugin failure to handle a modrdn for rename
 of member of multiple groups (#6567)

Bug description:
With AM and RI plugins enabled, the rename of a user that is part of multiple groups
fails with a "value exists" error.

Fix description:
For a modrdn the RI plugin creates a new DN, before a modify is attempted check
if the new DN already exists in the attr being updated.

Fixes: https://github.com/389ds/389-ds-base/issues/6566

Reviewed by: @progier389 , @tbordaz  (Thank you)
---
 ldap/servers/plugins/referint/referint.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/ldap/servers/plugins/referint/referint.c b/ldap/servers/plugins/referint/referint.c
index 468fdc2391..218863ea58 100644
--- a/ldap/servers/plugins/referint/referint.c
+++ b/ldap/servers/plugins/referint/referint.c
@@ -924,6 +924,7 @@ _update_all_per_mod(Slapi_DN *entrySDN, /* DN of the searched entry */
 {
     Slapi_Mods *smods = NULL;
     char *newDN = NULL;
+    struct berval bv = {0};
     char **dnParts = NULL;
     char *sval = NULL;
     char *newvalue = NULL;
@@ -1026,22 +1027,30 @@ _update_all_per_mod(Slapi_DN *entrySDN, /* DN of the searched entry */
             }
             /* else: normalize_rc < 0) Ignore the DN normalization error for now. */
 
+            bv.bv_val = newDN;
+            bv.bv_len = strlen(newDN);
             p = PL_strstr(sval, slapi_sdn_get_ndn(origDN));
             if (p == sval) {
                 /* (case 1) */
                 slapi_mods_add_string(smods, LDAP_MOD_DELETE, attrName, sval);
-                slapi_mods_add_string(smods, LDAP_MOD_ADD, attrName, newDN);
-
+                /* Add only if the attr value does not exist */
+                if (VALUE_PRESENT != attr_value_find_wsi(attr, &bv, &v)) {
+                    slapi_mods_add_string(smods, LDAP_MOD_ADD, attrName, newDN);
+                }
             } else if (p) {
                 /* (case 2) */
                 slapi_mods_add_string(smods, LDAP_MOD_DELETE, attrName, sval);
                 *p = '\0';
                 newvalue = slapi_ch_smprintf("%s%s", sval, newDN);
-                slapi_mods_add_string(smods, LDAP_MOD_ADD, attrName, newvalue);
+                /* Add only if the attr value does not exist */
+                if (VALUE_PRESENT != attr_value_find_wsi(attr, &bv, &v)) {
+                    slapi_mods_add_string(smods, LDAP_MOD_ADD, attrName, newvalue);
+                }
                 slapi_ch_free_string(&newvalue);
             }
             /* else: value does not include the modified DN.  Ignore it. */
             slapi_ch_free_string(&sval);
+            bv = (struct berval){0};
         }
         rc = _do_modify(mod_pb, entrySDN, slapi_mods_get_ldapmods_byref(smods));
         if (rc) {