Bug 435152 - Renaming users/groups may lead to problems with ACIs
Renaming users/groups may lead to problems with ACIs
Product: freeIPA
Classification: Community
Component: ipa-server (Show other bugs)
All Linux
high Severity low
: ---
: ---
Assigned To: David O'Brien
Chandrasekar Kannan
: Documentation
Depends On:
Blocks: 453489
  Show dependency treegraph
Reported: 2008-02-27 12:17 EST by Simo Sorce
Modified: 2015-01-04 18:30 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2011-09-11 22:37:09 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Simo Sorce 2008-02-27 12:17:08 EST
Description of problem:

If you rename a user or an entry used in an ACI, the ACI itself is not updated,
therefore said user or group will fall out of the ACI scope.
Comment 1 Rob Crittenden 2008-03-05 14:03:41 EST
Confirmed that the referential integrity plug-in doesn't handle this case.

We don't have per-user's ACIs so this will only affect groups. I'll need to run
through all delegations when an RDN change happens and fix any groups that have
Comment 2 Simo Sorce 2008-03-05 14:19:00 EST
We need a plugin to do that, or changes done via ldap directly will break stuff :/
Comment 3 Rob Crittenden 2008-03-05 14:28:05 EST
Nathan, Rich. What sort of scope are we looking at for either writing a new
plugin for this or extending the existing referrential integrity plugin?
Comment 4 David O'Brien 2008-04-15 21:41:52 EDT
Could someone elaborate on the necessary checks/workarounds for this?  I'm
adding it to the 1.0 beta Release Notes.

Is it just a case of updating any ACIs if you rename groups, do you need to edit
or recreate Delegations, both?

Comment 5 Rob Crittenden 2008-04-16 15:23:36 EDT
You should just need to update the delegation(s).
Comment 6 David O'Brien 2008-04-16 22:37:31 EDT
(In reply to comment #5)
> You should just need to update the delegation(s).

Now in 1.0 beta Release Notes
Comment 7 Chandrasekar Kannan 2008-05-08 19:55:36 EDT
cloned as DS bug 445769
Comment 8 David O'Brien 2008-05-16 07:15:46 EDT
Destined for Adminstrator's Guide.
Comment 9 David O'Brien 2008-07-17 01:03:32 EDT
Added to Caution in Admin Guide in section on Editing Groups.
Comment 10 Jenny Galipeau 2008-11-25 13:39:29 EST
Fix Verified:

The following warning exists in the Administrator Guide:


Do not change the Group Name or GID unless absolutely necessary, because it can have unexpected effects on permissions, ACIs, and other aspects of IPA functionality.

If you rename a group used in an ACI, the ACI itself is not updated, the result being that the group will fall out of the ACI scope. To avoid this issue, ensure that any changes to group names are reflected in IPA Delegations. Red Hat Enterprise IPA does not currently support per-user ACIs, so this issue only affects groups.

Note You need to log in before you can comment on or make changes to this bug.