When removing the last value from an attribute in ldap_del_values()

the actuall attribute needs to removed instead of leaving back an
empty attribute. Empty attributes are not valid and fail later on
in ldap_modify(). By calling ldap_del_attribute() in this case
properly removes the attribute and with that validate_entry() no
longer fails later on.
OK jmatthew@

2 files changed, 8 insertions, 4 deletions

diff --git a/usr.sbin/ldapd/attributes.c b/usr.sbin/ldapd/attributes.c
index 2ed3a8b4fb7..7c50ecf04ae 100644
--- a/usr.sbin/ldapd/attributes.c
+++ b/usr.sbin/ldapd/attributes.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: attributes.c,v 1.6 2019/10/24 12:39:26 tb Exp $ */
+/*	$OpenBSD: attributes.c,v 1.7 2021/12/20 13:26:11 claudio Exp $ */
 
 /*
  * Copyright (c) 2009 Martin Hedenfalk <martin@bzero.se>
@@ -181,7 +181,7 @@ ldap_del_attribute(struct ber_element *entry, const char *attrdesc)
 
 	attr = entry->be_sub;
 	while (attr) {
-		if (ober_scanf_elements(attr, "{s(", &s) != 0) {
+		if (ober_scanf_elements(attr, "{s", &s) != 0) {
 			log_warnx("failed to parse attribute");
 			return -1;
 		}
@@ -241,6 +241,9 @@ ldap_del_values(struct ber_element *elm, struct ber_element *vals)
 		}
 	}
 
+	if (old_vals->be_sub == NULL)
+		return 1;
+
 	return 0;
 }
 
diff --git a/usr.sbin/ldapd/modify.c b/usr.sbin/ldapd/modify.c
index d2961063926..629bfb59df2 100644
--- a/usr.sbin/ldapd/modify.c
+++ b/usr.sbin/ldapd/modify.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: modify.c,v 1.23 2019/10/24 12:39:26 tb Exp $ */
+/*	$OpenBSD: modify.c,v 1.24 2021/12/20 13:26:11 claudio Exp $ */
 
 /*
  * Copyright (c) 2009, 2010 Martin Hedenfalk <martin@bzero.se>
@@ -334,7 +334,8 @@ ldap_modify(struct request *req)
 			 */
 			if (vals->be_sub &&
 			    vals->be_sub->be_type == BER_TYPE_OCTETSTRING) {
-				ldap_del_values(a, vals);
+				if (ldap_del_values(a, vals) == 1)
+					ldap_del_attribute(entry, attr);
 			} else {
 				ldap_del_attribute(entry, attr);
 			}