Bug 439097

Summary: memberOf: Delete of all present member values not handled correctly
Product: [Retired] 389
Reporter: Nathan Kinder <nkinder>
Component: Server - memberOf Plug-in
Assignee: Nathan Kinder <nkinder>
Status: CLOSED CURRENTRELEASE
QA Contact: Chandrasekar Kannan <ckannan>
Severity: high
Priority: high
Version: 1.1.0
CC: andrey.ivanov, benl
Hardware: All
OS: Linux
Fixed In Version: 8.1
Doc Type: Bug Fix
Last Closed: 2009-04-29 23:03:24 UTC
Bug Blocks: 249650, 429034, 493682
Description Flags
CVS Diffs none

Description Nathan Kinder 2008-03-26 22:40:13 UTC
If you delete all member attributes from a group entry, the memberOf attributes
of the members are not updated.

To reproduce:
- Create these two entries:

  dn: cn=group1,dc=example,dc=com
  objectclass: top
  objectClass: groupOfNames
  objectClass: inetUser
  cn: group1

  dn: uid=user1,dc=example,dc=com
  uid: user1
  objectClass: inetorgperson
  objectClass: organizationalPerson
  objectClass: person
  objectClass: top
  objectClass: inetUser
  cn: user
  sn: 1

- Make user1 a member of group1:

  dn: cn=group1,dc=example,dc=com
  changetype: modify
  add: member
  member: uid=user1,dc=example,dc=com

- At this point, the membership attributes should look fine:

  dn: cn=group1,dc=example,dc=com
  member: uid=user1,dc=example,dc=com

  dn: uid=user1,dc=example,dc=com
  memberof: cn=group1,dc=example,dc=com

- Delete all member attributes from group1:

  dn: cn=group1,dc=example,dc=com
  changetype: modify
  delete: member

- At this point, user1 will still have a memberOf attribute saying that it's in
group1, but it will not be listed as a member in the group1 entry.  The memberOf
attribute should have been removed from user1.

  dn: cn=group1,dc=example,dc=com

  dn: uid=user1,dc=example,dc=com
  memberof: cn=group1,dc=example,dc=com
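
The end state shown above (a memberOf value with no matching member value on the group) can be detected from an LDIF export. The following Python check is an added example, not part of the original report or of the 389 project's code; the function names and sample data are constructed. It assumes unfolded, non-base64 LDIF and direct membership only, so a memberOf value derived from nested groups would also be reported.

```python
from collections import defaultdict

# Constructed sample: the report's end state (group1, user1) plus a consistent pair.
SAMPLE_LDIF = """\
dn: cn=group1,dc=example,dc=com
objectClass: groupOfNames

dn: cn=group2,dc=example,dc=com
objectClass: groupOfNames
member: uid=user2,dc=example,dc=com

dn: uid=user1,dc=example,dc=com
memberof: cn=group1,dc=example,dc=com

dn: uid=user2,dc=example,dc=com
memberOf: cn=group2,dc=example,dc=com
"""

def norm_dn(dn):
    # Simplified DN normalisation (assumption): lowercase, trim around commas.
    return ",".join(part.strip() for part in dn.lower().split(","))

def parse_ldif(text):
    """Return {normalised dn: {lowercased attribute name: set of values}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(set)
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue  # comments and lines that are not "attr: value"
            name, value = line.split(": ", 1)
            attrs[name.lower()].add(value.strip())
        if "dn" in attrs:
            entries[norm_dn(next(iter(attrs["dn"])))] = attrs
    return entries

def stale_memberof(entries):
    """(entry dn, group dn) pairs where memberOf has no matching member value."""
    stale = []
    for dn, attrs in entries.items():
        for group in map(norm_dn, attrs.get("memberof", ())):
            members = entries.get(group, {}).get("member", ())
            if dn not in {norm_dn(m) for m in members}:
                stale.append((dn, group))
    return sorted(stale)

if __name__ == "__main__":
    for entry, group in stale_memberof(parse_ldif(SAMPLE_LDIF)):
        print(f"stale memberOf: {entry} -> {group}")
```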

Comment 1 Nathan Kinder 2008-03-26 22:46:31 UTC
Another thing to note is that this only occurs when you delete all member
values.  If you specify the value you want to delete (even if it's the only
value), then it is handled correctly.  For example, this modify works fine in
the above case:

  dn: cn=group1,dc=example,dc=com
  changetype: modify
  delete: member
  member: uid=user1,dc=example,dc=com

A replace of all present member attributes with no new value also works fine:

  dn: cn=group1,dc=example,dc=com
  changetype: modify
  replace: member

Comment 2 Nathan Kinder 2008-03-28 15:31:27 UTC
Created attachment 299482
CVS Diffs

The code that deals with modify operations that delete member values was not
properly handling the case where there are no values specified for deletion. 
This code would go through member entries specified in the member values to be
deleted, but nothing would happen since no values were specified.

The code that deals with replace modify operations just compares the
pre-operation copy of the group entry with the post-operation copy to see what
member attributes have been changed.  It can then figure out what member
entries need to be updated.  This approach is what we need to use for the
delete all values case as well.

The fix is to check if we have any values specified when dealing with a delete
modify operation, and if not, just call the replace function.

Comment 3 Nathan Kinder 2008-03-28 21:02:36 UTC
Checked into ldapserver (HEAD).  Thanks to Simo for his review!

Checking in memberof.c;
/cvs/dirsec/ldapserver/ldap/servers/plugins/memberof/memberof.c,v  <--  memberof.c
new revision: 1.3; previous revision: 1.2

Comment 4 Nathan Kinder 2008-03-28 21:03:18 UTC
Checked into FreeIPA as changeset 744.

changeset:   744:c5834dc6ed37
tag:         tip
user:        Nathan Kinder <nkinder@redhat.com>
date:        Fri Mar 28 08:56:06 2008 -0700
summary:     Fixed handling of modify operations that delete all present member

Comment 6 Chandrasekar Kannan 2009-04-29 23:03:24 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.