Pryz/terraform-provider-ldap

Skipped RDNs leading to incorrectly updating entry, even if nothing has changed

philsttr opened this issue · 0 comments

Say you have an ldap entry with the following DN:

uid=john.doe,ou=People,dc=example,dc=com

That entry also has an attribute for the RDN

uid=john.doe

Due to this code when reading an existing entry...

```go
// Inside the loop over the entry's attributes in ldap_object::read
if len(attribute.Values) == 1 {
	// we don't treat the RDN as an ordinary attribute
	a := fmt.Sprintf("%s=%s", attribute.Name, attribute.Values[0])
	// prefix match of "name=value" against the DN decides whether this is the RDN
	if strings.HasPrefix(dn, a) {
		log.Printf("[DEBUG] ldap_object::read - skipping RDN %q of %q", a, dn)
		continue
	}
}
```

... the RDN attribute is skipped

Therefore, when running a terraform apply, with an entry that has not changed, the terraform-provider-ldap thinks that the entry has changed since the entry read from LDAP does not have the RDN attribute (due to it being skipped), but the config does have it.

This leads to the terraform-provider-ldap attempting to update the entry, even though it does not need updating. The plan will show something like:

attributes.3552807835.uid:    "" => "john.doe"

When the entry is attempted to be updated, the ldap server will return an error like this:

* ldap_object.user.1: LDAP Result Code 20 "Attribute Or Value Exists": modify/add: uid: value #0 already exists
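The perpetual diff described above, reproduced as an added stand-alone example (this is not the provider's code; the `Attribute` type, the `skipRDN` switch and the `diff` helper are constructed here to mirror the read/compare steps, and the entry data is made up to match the issue):

```go
package main

import (
	"fmt"
	"strings"
)

// Attribute mirrors the shape of an LDAP attribute returned by a search:
// a name plus one or more values. Constructed for this example.
type Attribute struct {
	Name   string
	Values []string
}

// readAttributes builds the state that terraform compares against the config.
// With skipRDN=true it applies the skip logic quoted in the issue: a
// single-valued attribute whose "name=value" form is a prefix of the DN is
// dropped. With skipRDN=false the RDN attribute is kept like any other.
func readAttributes(dn string, attrs []Attribute, skipRDN bool) map[string]string {
	state := map[string]string{}
	for _, attribute := range attrs {
		if skipRDN && len(attribute.Values) == 1 {
			a := fmt.Sprintf("%s=%s", attribute.Name, attribute.Values[0])
			if strings.HasPrefix(dn, a) {
				continue // the RDN attribute never reaches the state
			}
		}
		state[attribute.Name] = strings.Join(attribute.Values, ",")
	}
	return state
}

// diff returns config attributes that are missing from, or differ in, the
// state. A non-empty result is what makes terraform plan a modify.
func diff(config, state map[string]string) map[string]string {
	changed := map[string]string{}
	for k, v := range config {
		if cur, ok := state[k]; !ok || cur != v {
			changed[k] = v
		}
	}
	return changed
}

func main() {
	dn := "uid=john.doe,ou=People,dc=example,dc=com"
	entry := []Attribute{{Name: "uid", Values: []string{"john.doe"}}, {Name: "cn", Values: []string{"John Doe"}}}
	config := map[string]string{"uid": "john.doe", "cn": "John Doe"}
	fmt.Println(diff(config, readAttributes(dn, entry, true)))  // map[uid:john.doe] -> spurious update
	fmt.Println(diff(config, readAttributes(dn, entry, false))) // map[] -> nothing to apply
}
```

The first diff is the `"" => "john.doe"` line from the plan; sending it as a modify/add of a value the entry already holds is what produces result code 20.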