Bug 453222

It currently uses the same broad search filter that any find group request uses
which is far too broad. We need to search where cn=GROUP only.

Or provide a list of hits and let the user select which group to delete.

Or do both by adding a new option that does an exact-search match but defaults
to interactive.

I am wondering why we do search at all ? Is the concern that we might find more
than one group with the same name ?

Right. We currently have just one container for groups but in theory could
support more, each with the same name. How useful this would be I don't know.

I think I'll do the reverse. I'll add a -i/--interactive option for doing
list-based removals on dups, otherwise only exact matches will be removed.

additionally, need to confirm that the cn matches the responses.

If there were only an editors group and no other "it" groups then ipa-delgroup
it would remove editors.

Created attachment 310964 [details]
Be more careful when removing groups

The group delete XML-RPC function takes the DN as the argument so it is up to
the client to provide the right group.

This patch runs through the results and explodes the returned DNs looking for
an exact match of cn=GROUP_TO_DELETE

So even if multiple groups are returned we'll do the right thing.

master: 3f85a011c60ead633a04a239cb7b7c8b82fd7017

Verified, test is below: (runs on both X86_64 & I386 32bit RHEL 5.2)

Test 1: result pass
------------------------------------------------------
server64[06/09/08 01:43]~ >ipa-addgroup 
Group name: it
Description: try to confuse server
it successfully added
server64[06/09/08 01:43]~ >ipa-finduser it
No entries found for it
server64[06/09/08 01:44]~ >ipa-findgroup it
2 entries were found. Which one would you like to display?
1: it
2: editors
Choose one: (1 - 2), 0 for all, q to quit: 1
dn: cn=it,cn=groups,cn=accounts,dc=ipaqa,dc=com
GID: 1469
Full Name: it
Description: try to confuse server

server64[06/09/08 01:44]~ >ipa-delgroup it
it successfully deleted


Test 2: test with long group name
----------------------------------------------------
Below is a test for long group name, and it works as well. 
server64[06/09/08 02:05]~ >ipa-addgroup -d "verylong name try to confuse others"
verylonglonglongnameA
verylonglonglongnameA successfully added
server64[06/09/08 02:05]~ >ipa-addgroup -d "verylong name try to confuse others"
verylonglonglongnameB
verylonglonglongnameB successfully added
server64[06/09/08 02:06]~ >ipa-findgroup verylonglonglong
2 entries were found. Which one would you like to display?
1: verylonglonglongnameA
2: verylonglonglongnameB
Choose one: (1 - 2), 0 for all, q to quit: q
server64[06/09/08 02:06]~ >ipa-findgroup verylonglonglongnameB
dn: cn=verylonglonglongnameB,cn=groups,cn=accounts,dc=ipaqa,dc=com
GID: 1511
Full Name: verylonglonglongnameB
Description: verylong name try to confuse others
 
server64[06/09/08 02:06]~ >ipa-delgroup verylonglonglongnameB
verylonglonglongnameB successfully deleted
server64[06/09/08 02:06]~ >ipa-delgroup verylonglonglongname
Group 'verylonglonglongname' not found.

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0643.html