Bug 435152

Summary: Renaming users/groups may lead to problems with ACIs
Product: [Retired] freeIPA
Reporter: Simo Sorce <ssorce>
Component: ipa-server
Assignee: David O'Brien <daobrien>
Status: CLOSED CURRENTRELEASE
QA Contact: Chandrasekar Kannan <ckannan>
Severity: low
Priority: high
Version: unspecified
CC: benl, daobrien, jgalipea, nkinder, rmeggins
Keywords: Documentation
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-09-12 02:37:09 UTC
Bug Blocks: 453489

Description Simo Sorce 2008-02-27 17:17:08 UTC
Description of problem:

If you rename a user or an entry used in an ACI, the ACI itself is not updated,
therefore said user or group will fall out of the ACI scope.

Comment 1 Rob Crittenden 2008-03-05 19:03:41 UTC
Confirmed that the referential integrity plug-in doesn't handle this case.

We don't have per-user's ACIs so this will only affect groups. I'll need to run
through all delegations when an RDN change happens and fix any groups that have
changed.

Comment 2 Simo Sorce 2008-03-05 19:19:00 UTC
We need a plugin to do that, or changes done via LDAP directly will break stuff :/

Comment 3 Rob Crittenden 2008-03-05 19:28:05 UTC
Nathan, Rich. What sort of scope are we looking at for either writing a new
plugin for this or extending the existing referential integrity plugin?

Comment 4 David O'Brien 2008-04-16 01:41:52 UTC
Could someone elaborate on the necessary checks/workarounds for this?  I'm
adding it to the 1.0 beta Release Notes.

Is it just a case of updating any ACIs if you rename groups, do you need to edit
or recreate Delegations, both?

thanks

Comment 5 Rob Crittenden 2008-04-16 19:23:36 UTC
You should just need to update the delegation(s).

Comment 6 David O'Brien 2008-04-17 02:37:31 UTC
(In reply to comment #5)
> You should just need to update the delegation(s).

Now in 1.0 beta Release Notes

Comment 7 Chandrasekar Kannan 2008-05-08 23:55:36 UTC
cloned as DS bug 445769

Comment 8 David O'Brien 2008-05-16 11:15:46 UTC
Destined for Administrator's Guide.

Comment 9 David O'Brien 2008-07-17 05:03:32 UTC
Added to Caution in Admin Guide in section on Editing Groups.

Comment 10 Jenny Severance 2008-11-25 18:39:29 UTC
Fix Verified:

The following warning exists in the Administrator Guide:

Warning

Do not change the Group Name or GID unless absolutely necessary, because it can have unexpected effects on permissions, ACIs, and other aspects of IPA functionality.

If you rename a group used in an ACI, the ACI itself is not updated, the result being that the group will fall out of the ACI scope. To avoid this issue, ensure that any changes to group names are reflected in IPA Delegations. Red Hat Enterprise IPA does not currently support per-user ACIs, so this issue only affects groups.
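
Because the ACI keeps the old DN after a rename, an audit can catch the drift by comparing the DNs named in ACI bind rules against the entries that currently exist. The sketch below is an added example, not code from this bug report or from FreeIPA; the ACI strings, DNs and function names are constructed for illustration, and in a real audit the ACIs would come from the `aci` attribute and the DN list from a directory search.

```python
import re

# Bind-rule keywords whose value is one or more LDAP URLs naming entries by DN.
BIND_RULE = re.compile(r'\b(groupdn|userdn|roledn)\s*!?=\s*"([^"]*)"', re.I)
ACL_NAME = re.compile(r'\bacl\s+"([^"]*)"', re.I)

def normalize_dn(dn):
    """Lower-case and trim each RDN (simplified: ignores escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def referenced_dns(aci):
    """Yield (keyword, dn) for every literal DN named in an ACI's bind rules."""
    for keyword, value in BIND_RULE.findall(aci):
        for url in value.split("||"):
            url = url.strip()
            if not url.lower().startswith("ldap:///"):
                continue
            dn = url[len("ldap:///"):]
            # Skip special subjects (self, anyone, all, parent), wildcards, search URLs.
            if "=" not in dn or "*" in dn or "?" in dn:
                continue
            yield keyword.lower(), normalize_dn(dn)

def stale_references(acis, existing_dns):
    """Return (acl name, keyword, dn) for bind-rule DNs that no longer exist."""
    existing = {normalize_dn(d) for d in existing_dns}
    findings = []
    for aci in acis:
        match = ACL_NAME.search(aci)
        name = match.group(1) if match else "<unnamed>"
        for keyword, dn in referenced_dns(aci):
            if dn not in existing:
                findings.append((name, keyword, dn))
    return findings

# Constructed sample: the group "helpdesk" was renamed to "servicedesk".
SAMPLE_DNS = [
    "cn=servicedesk,cn=groups,cn=accounts,dc=example,dc=com",
    "cn=admins,cn=groups,cn=accounts,dc=example,dc=com",
]
SAMPLE_ACIS = [
    '(targetattr = "telephoneNumber")(version 3.0; acl "Helpdesk can edit phone numbers"; '
    'allow (write) groupdn = "ldap:///cn=Helpdesk, cn=groups,cn=accounts,dc=example,dc=com";)',
    '(targetattr = "*")(version 3.0; acl "Admins can write everything"; '
    'allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=com";)',
    '(targetattr = "userPassword")(version 3.0; acl "Self service password"; '
    'allow (write) userdn = "ldap:///self";)',
]

if __name__ == "__main__":
    for name, keyword, dn in stale_references(SAMPLE_ACIS, SAMPLE_DNS):
        print(f'ACI "{name}": {keyword} names missing entry {dn}')
```

Each finding names a delegation whose group no longer resolves, which is the set that has to be updated after a rename.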