1) pdb_ldap allows the same SID to be mapped twice (with two distinct gids) while creating/modifying a mapping. So we don't have exactly 1 SID <=> 1 GID. It is impossible to delete such a mapping (mapped twice) after its creation.
2) pdb_ldap.c also allows a gid that is already mapped to be used while modifying a mapping (there is no check).
Created attachment 375
Provides additional checks for pdb_ldap when creating/modifying group mapping entries

ldapsam_add_group_mapping_entry : Verify whether the SID involved in a new mapping is already used in another mapping, to avoid the same SID being mapped twice to different unix groups.
ldapsam_update_group_mapping_entry : Verify that a gid specified while modifying an existing mapping is not involved in another one.
Also modified error messages to make them easier to understand.
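The two checks described in the comment above, as an added example that is not part of the attachment or of Samba's code: a hypothetical in-memory table stands in for the LDAP directory, and `add_mapping`, `update_mapping` and the status codes are invented names. It assumes gid uniqueness is also enforced on create, which the comment does not state.

```c
#include <stdio.h>
#include <string.h>

#define MAX_MAPS 16
enum map_status { MAP_OK, MAP_SID_IN_USE, MAP_GID_IN_USE, MAP_NOT_FOUND, MAP_NO_ROOM };
struct group_map { char sid[64]; unsigned gid; };

/* Hypothetical in-memory stand-in for the group mapping entries in LDAP. */
static struct group_map maps[MAX_MAPS];
static int n_maps;

/* Index of the entry holding this SID, or -1 if none. */
static int find_by_sid(const char *sid) {
    for (int i = 0; i < n_maps; i++)
        if (strcmp(maps[i].sid, sid) == 0) return i;
    return -1;
}

/* Index of the entry holding this gid, or -1 if none. */
static int find_by_gid(unsigned gid) {
    for (int i = 0; i < n_maps; i++)
        if (maps[i].gid == gid) return i;
    return -1;
}

/* Create: refuse a SID that already has a mapping (1 SID <=> 1 GID). */
enum map_status add_mapping(const char *sid, unsigned gid) {
    if (find_by_sid(sid) >= 0) return MAP_SID_IN_USE;
    /* Assumption: gid uniqueness is enforced on create as well. */
    if (find_by_gid(gid) >= 0) return MAP_GID_IN_USE;
    if (n_maps == MAX_MAPS || strlen(sid) >= sizeof maps[0].sid) return MAP_NO_ROOM;
    strcpy(maps[n_maps].sid, sid);
    maps[n_maps++].gid = gid;
    return MAP_OK;
}

/* Modify: refuse a gid owned by another mapping; keeping one's own gid is allowed. */
enum map_status update_mapping(const char *sid, unsigned new_gid) {
    int self = find_by_sid(sid), owner = find_by_gid(new_gid);
    if (self < 0) return MAP_NOT_FOUND;
    if (owner >= 0 && owner != self) return MAP_GID_IN_USE;
    maps[self].gid = new_gid;
    return MAP_OK;
}

int main(void) {
    /* Constructed sample SIDs and gids. */
    add_mapping("S-1-5-21-1-2-3-1001", 500);
    printf("same SID again: %d\n", add_mapping("S-1-5-21-1-2-3-1001", 501));
    add_mapping("S-1-5-21-1-2-3-1002", 501);
    printf("gid of another mapping: %d\n", update_mapping("S-1-5-21-1-2-3-1002", 500));
    return 0;
}
```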
Volker, I'll leave this for you to consider.
moving to 3.0
resetting component
later.