Bug 435152
| Summary: | Renaming users/groups may lead to problems with ACIs | | |
|---|---|---|---|
| Product: | [Retired] freeIPA | Reporter: | Simo Sorce <ssorce> |
| Component: | ipa-server | Assignee: | David O'Brien <daobrien> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Chandrasekar Kannan <ckannan> |
| Severity: | low | Priority: | high |
| Version: | unspecified | CC: | benl, daobrien, jgalipea, nkinder, rmeggins |
| Keywords: | Documentation | Doc Type: | Bug Fix |
| Hardware: | All | OS: | Linux |
| Last Closed: | 2011-09-12 02:37:09 UTC | Bug Blocks: | 453489 |

Description
Simo Sorce
2008-02-27 17:17:08 UTC
Confirmed that the referential integrity plug-in doesn't handle this case. We don't have per-user's ACIs so this will only affect groups. I'll need to run through all delegations when an RDN change happens and fix any groups that have changed.

We need a plugin to do that, or changes done via ldap directly will break stuff :/

Nathan, Rich. What sort of scope are we looking at for either writing a new plugin for this or extending the existing referential integrity plugin?

Could someone elaborate on the necessary checks/workarounds for this? I'm adding it to the 1.0 beta Release Notes. Is it just a case of updating any ACIs if you rename groups, do you need to edit or recreate Delegations, both? Thanks.

You should just need to update the delegation(s).

(In reply to comment #5)
> You should just need to update the delegation(s).

Now in 1.0 beta Release Notes.

Cloned as DS bug 445769.

Destined for Administrator's Guide.

Added to Caution in Admin Guide in section on Editing Groups.

Fix Verified: The following warning exists in the Administrator Guide:

Warning

Do not change the Group Name or GID unless absolutely necessary, because it can have unexpected effects on permissions, ACIs, and other aspects of IPA functionality. If you rename a group used in an ACI, the ACI itself is not updated, the result being that the group will fall out of the ACI scope. To avoid this issue, ensure that any changes to group names are reflected in IPA Delegations. Red Hat Enterprise IPA does not currently support per-user ACIs, so this issue only affects groups.
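The check the thread asks for ("run through all delegations when an RDN change happens") can be sketched as an audit that lists ACIs whose `groupdn` bind rule names a group entry that no longer exists. This is an added example, not code from the bug or from freeIPA; the function names, the sample ACIs and the `dc=example,dc=com` group DNs are constructed, and the DN normalisation is deliberately simplified (no escaped commas).

```python
import re

# Quoted value of each groupdn bind rule, and the acl name, in an ACI string.
GROUPDN_RE = re.compile(r'groupdn\s*!?=\s*"([^"]*)"', re.IGNORECASE)
ACL_NAME_RE = re.compile(r'acl\s+"([^"]*)"', re.IGNORECASE)

def norm_dn(dn):
    """Simplified DN normalisation: lowercase, no spaces around ',' and '='."""
    return ",".join("=".join(p.strip() for p in r.split("=", 1)).lower() for r in dn.split(","))

def group_dns_in_aci(aci):
    """Return the normalised group DNs named by groupdn bind rules in one ACI."""
    dns = []
    for value in GROUPDN_RE.findall(aci):
        for url in value.split("||"):          # several LDAP URLs may be OR-ed
            url = url.strip()
            if url.lower().startswith("ldap:///") and "?" not in url:  # skip search URLs
                dns.append(norm_dn(url[len("ldap:///"):]))
    return dns

def stale_group_refs(acis, existing_group_dns):
    """Map ACI name -> referenced group DNs that match no existing group entry."""
    existing = {norm_dn(dn) for dn in existing_group_dns}
    stale = {}
    for aci in acis:
        missing = [dn for dn in group_dns_in_aci(aci) if dn not in existing]
        if missing:
            m = ACL_NAME_RE.search(aci)
            stale[m.group(1) if m else aci] = missing
    return stale

# Constructed sample: values of the "aci" attribute, and the group DNs that
# exist after a group "editors" has been renamed to "writers".
SAMPLE_ACIS = [
    '(targetattr = "title || mail")(version 3.0; acl "editors can edit contacts"; '
    'allow (write) groupdn = "ldap:///cn=editors,cn=groups,cn=accounts,dc=example,dc=com";)',
    '(targetattr = "telephoneNumber")(version 3.0; acl "helpdesk phone"; '
    'allow (write) groupdn = "ldap:///CN=helpdesk, cn=groups,cn=accounts,dc=example,dc=com";)',
]
SAMPLE_GROUPS = [
    "cn=writers,cn=groups,cn=accounts,dc=example,dc=com",
    "cn=helpdesk,cn=groups,cn=accounts,dc=example,dc=com",
]

if __name__ == "__main__":
    for name, dns in stale_group_refs(SAMPLE_ACIS, SAMPLE_GROUPS).items():
        print(f"ACI {name!r} references missing group(s): {dns}")
```

In a live directory the two inputs would come from a search for `aci` attribute values and a search for group entries; any ACI reported here is a delegation that needs updating to the renamed group.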