Red Hat Bugzilla – Bug 435152
Renaming users/groups may lead to problems with ACIs
Last modified: 2015-01-04 18:30:59 EST
Description of problem:
If you rename a user or an entry used in an ACI, the ACI itself is not updated,
therefore said user or group will fall out of the ACI scope.
Confirmed that the referential integrity plug-in doesn't handle this case.
We don't have per-user ACIs so this will only affect groups. I'll need to run
through all delegations when an RDN change happens and fix any groups that have
We need a plugin to do that, or changes done via ldap directly will break stuff :/
Nathan, Rich. What sort of scope are we looking at for either writing a new
plugin for this or extending the existing referential integrity plugin?
Could someone elaborate on the necessary checks/workarounds for this? I'm
adding it to the 1.0 beta Release Notes.
Is it just a case of updating any ACIs if you rename groups, do you need to edit
or recreate Delegations, both?
You should just need to update the delegation(s).
(In reply to comment #5)
> You should just need to update the delegation(s).
Now in 1.0 beta Release Notes
cloned as DS bug 445769
Destined for Administrator's Guide.
Added to Caution in Admin Guide in section on Editing Groups.
The following warning exists in the Administrator Guide:
Do not change the Group Name or GID unless absolutely necessary, because it can have unexpected effects on permissions, ACIs, and other aspects of IPA functionality.
If you rename a group used in an ACI, the ACI itself is not updated, the result being that the group will fall out of the ACI scope. To avoid this issue, ensure that any changes to group names are reflected in IPA Delegations. Red Hat Enterprise IPA does not currently support per-user ACIs, so this issue only affects groups.
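The failure mode the warning describes can be made concrete: an ACI names its subject group by a literal DN in the groupdn bind rule, so a modrdn on the group leaves the ACI pointing at a DN that no longer exists. The script below is an added illustration written for this page; it is not FreeIPA or 389 Directory Server code and it does not talk to a directory. The group DNs, ACI values and the renamed-group scenario are constructed sample data, and the DN normalization is a deliberate simplification of LDAP DN matching.

```python
import re

# Constructed sample data (not from the bug report): a hypothetical IPA group
# that is about to be renamed, and three ACIs that might sit on the accounts
# container. Only the first ACI refers to the group being renamed.
OLD_GROUP_DN = "cn=helpdesk,cn=groups,cn=accounts,dc=example,dc=com"
NEW_GROUP_DN = "cn=support,cn=groups,cn=accounts,dc=example,dc=com"

SAMPLE_ACIS = [
    '(targetattr = "userPassword")(version 3.0; acl "helpdesk can reset passwords"; '
    'allow (write) groupdn = "ldap:///cn=helpdesk,cn=groups,cn=accounts,dc=example,dc=com";)',
    '(targetattr = "*")(version 3.0; acl "admins: full access"; '
    'allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=com";)',
    '(targetattr = "carLicense")(version 3.0; acl "self-service"; '
    'allow (write) userdn = "ldap:///self";)',
]

# The subject of a groupdn bind rule. The DN is stored as a literal string,
# which is exactly why renaming the group does not update the ACI.
GROUPDN_RE = re.compile(r'groupdn\s*=\s*"ldap:///([^"]+)"', re.IGNORECASE)


def normalize_dn(dn):
    """Simplified DN normalization: case-fold and drop whitespace around RDN
    separators. Real LDAP DN matching has more rules (escaping, multi-valued
    RDNs); this is sufficient for the well-formed sample DNs used here."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def groups_referenced(aci):
    """Normalized group DNs named by groupdn bind rules in one ACI value."""
    return [normalize_dn(dn) for dn in GROUPDN_RE.findall(aci)]


def aci_covers_group(aci, group_dn):
    """True if the ACI grants to this group (by DN), i.e. the group is in scope."""
    return normalize_dn(group_dn) in groups_referenced(aci)


def find_stale_acis(acis, old_dn):
    """ACIs still naming the pre-rename DN. After the modrdn these no longer
    match the renamed group's members; the group has silently fallen out of scope."""
    return [aci for aci in acis if aci_covers_group(aci, old_dn)]


def rewrite_aci(aci, old_dn, new_dn):
    """Rewrite groupdn references to old_dn so they point at new_dn, leaving
    every other part of the ACI (and unrelated groupdn rules) untouched."""
    target = normalize_dn(old_dn)

    def replace_subject(match):
        if normalize_dn(match.group(1)) == target:
            return match.group(0).replace(match.group(1), new_dn)
        return match.group(0)

    return GROUPDN_RE.sub(replace_subject, aci)


def rename_group_and_fix_acis(acis, old_dn, new_dn):
    """Simulate the rename: report which ACIs would go stale, and return the
    corrected ACI values an operator would write back after the modrdn."""
    stale = find_stale_acis(acis, old_dn)
    updated = [rewrite_aci(aci, old_dn, new_dn) for aci in acis]
    return stale, updated


if __name__ == "__main__":
    stale, updated = rename_group_and_fix_acis(SAMPLE_ACIS, OLD_GROUP_DN, NEW_GROUP_DN)
    print("ACIs that break when %s is renamed:" % OLD_GROUP_DN)
    for aci in stale:
        print("  ", aci)
    print("Corrected ACI values:")
    for aci in updated:
        print("  ", aci)
```

The check is the part worth keeping around: run `find_stale_acis` over the aci attribute of every entry before a group rename, and treat a non-empty result as a reason to update the corresponding delegations (or the raw ACIs, if the change bypassed IPA) in the same change window. Matching on the normalized DN rather than the raw string matters because the directory compares DNs case-insensitively while a naive substring check would miss `CN=Helpdesk` spelled differently from the ACI.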