Bug 656515

Summary: Allow Name and Optional UID syntax for grouping attributes
Product: [Retired] 389
Reporter: Nathan Kinder <nkinder>
Component: Server - memberOf Plug-in
Assignee: Nathan Kinder <nkinder>
Status: CLOSED CURRENTRELEASE
QA Contact: Viktor Ashirov <vashirov>
Severity: medium
Priority: high
Version: 1.2.6
CC: amsharma, andrey.ivanov, jgalipea
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2015-12-07 16:59:53 UTC
Bug Depends On: 639035    
Bug Blocks: 576869    
Attachments:
Patch (flags: nkinder: review?, rmeggins: review+)

Description Nathan Kinder 2010-11-23 22:21:35 UTC
The config validation code in the memberOf plug-in currently requires that the grouping attribute be defined to use the Distinguished Name syntax.  The uniqueMember attribute is still a common method of grouping users, but this attribute is defined to use the Name and Optional UID syntax.  This syntax contains a DN plus an optional hex-valued UID that can be appended to the end.

We should allow attributes defined to use the Name and Optional UID syntax to be used as memberOf grouping attributes.  We will not support one actually using the optional UID portion in the value, but this is extremely rare in practice.
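
Added example, not part of the original bug report or the 389 code base: a small audit that scans an LDIF export for grouping values that actually carry the optional UID part, since those are the values memberOf will not support. It assumes the RFC 4517 string form of that part (a bit string such as `#'0101'B`); the function names and the sample DNs are constructed for this illustration.

```python
import base64
import re

# RFC 4517 3.3.21: NameAndOptionalUID = distinguishedName [ "#" BitString ],
# where BitString = "'" *("0" / "1") "'" "B". A trailing match is the UID part.
_UID_SUFFIX = re.compile(r"#'([01]*)'B$")

def split_name_and_optional_uid(value):
    """Return (dn, uid_bits); uid_bits is None when no optional UID is present."""
    m = _UID_SUFFIX.search(value)
    return (value, None) if m is None else (value[:m.start()], m.group(1))

def find_uid_members(ldif_text, group_attr="uniqueMember"):
    """List (group_dn, member_dn, uid_bits) for values that carry a UID part."""
    hits, entry_dn = [], None
    # LDIF folds long lines as "newline + one space"; undo that first.
    for line in re.sub(r"\r?\n ", "", ldif_text).splitlines():
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):           # "attr:: <base64 value>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        name = attr.split(";")[0].lower()  # ignore attribute options
        if name == "dn":
            entry_dn = value
        elif name == group_attr.lower():
            dn, uid = split_name_and_optional_uid(value)
            if uid is not None:
                hits.append((entry_dn, dn, uid))
    return hits

# Constructed sample export; every DN below is made up for this example.
_CAROL = base64.b64encode(b"uid=carol,ou=People,dc=example,dc=com#'1'B").decode()
SAMPLE_LDIF = f"""\
dn: cn=admins,ou=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
uniqueMember: uid=alice,ou=People,dc=example,dc=com
uniqueMember: uid=bob,ou=People,dc=example,dc=com#'0101'B
uniqueMember: uid=dave,ou=People,
 dc=example,dc=com
uniqueMember:: {_CAROL}
"""

if __name__ == "__main__":
    for group, member, bits in find_uid_members(SAMPLE_LDIF):
        print(f"{group}: {member} carries UID part '{bits}'B")
```

An empty result for the configured grouping attribute means no value in the export uses the optional UID portion.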

Comment 1 Nathan Kinder 2010-11-23 22:22:54 UTC
Created attachment 462466
Patch

Comment 2 Nathan Kinder 2010-11-23 23:02:58 UTC
Pushed to master.  Thanks to Rich for his review!

Counting objects: 15, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (8/8), done.
Writing objects: 100% (8/8), 1.08 KiB, done.
Total 8 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   36dbaf1..b989f1d  master -> master

Comment 3 Andrey Ivanov 2010-11-24 09:31:38 UTC
Documentation Impact:

I think this notice ("one should be aware that memberOf will not work if the optional UID part is present in an attribute with <Name and Optional UID> syntax. The usage of the optional UID portion in the value is extremely rare in practice.") should be added to the documentation on the memberOf plug-in of the future Red Hat release.

Comment 5 Jenny Severance 2011-05-16 18:16:09 UTC
Can you please add steps to verify?  An example of Name and Optional UID syntax used as memberOf grouping attributes? Thanks

Comment 6 Nathan Kinder 2011-05-17 16:53:39 UTC
(In reply to comment #5)
> Can you please add steps to verify?  An example of Name and Optional UID syntax
> used as memberOf grouping attributes? Thanks

Configure the memberOf plug-in and set "memberofgroupattr" to "uniqueMember" in the configuration entry.  This config entry should not be rejected as an error.

Comment 7 Amita Sharma 2011-06-07 10:26:46 UTC
Not rejected ---
dn: cn=MemberOf Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: MemberOf Plugin
nsslapd-pluginPath: libmemberof-plugin
nsslapd-pluginInitfunc: memberof_postop_init
nsslapd-pluginType: postoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
memberofgroupattr: uniqueMember
memberofattr: memberOf
nsslapd-pluginId: memberof
nsslapd-pluginVersion: 1.2.8.2
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: memberof plugin

Hence VERIFIED.