Bug 438891 - memberOf isn't handled correctly when MODRDN of indirect group is performed
Status: CLOSED CURRENTRELEASE
Product: 389
Classification: Community
Component: Server - memberOf Plug-in
Version: 1.1.0
Hardware: All Linux
Priority: high, Severity: high
Assigned To: Nathan Kinder
Chandrasekar Kannan
Blocks: 249650 429034 FDS1.2.0
Reported: 2008-03-25 16:13 EDT by Nathan Kinder
Modified: 2015-01-04 18:31 EST
Fixed In Version: 8.1
Doc Type: Bug Fix
Last Closed: 2009-04-29 19:03:20 EDT

Attachments:
CVS Diffs (1.13 KB, patch)
2008-03-26 16:55 EDT, Nathan Kinder
Description Nathan Kinder 2008-03-25 16:13:21 EDT
If you do a MODRDN of a group, the indirect members' memberOf attribute is not
properly updated.

Steps to Reproduce:
- Create these three entries:

  dn: cn=group1,dc=example,dc=com
  objectclass: top
  objectClass: groupOfNames
  objectClass: inetUser
  cn: group1

  dn: cn=group2,dc=example,dc=com
  objectclass: top
  objectClass: groupOfNames
  objectClass: inetUser
  cn: group2

  dn: uid=user1,dc=example,dc=com
  uid: user1
  objectClass: inetorgperson
  objectClass: organizationalPerson
  objectClass: person
  objectClass: top
  objectClass: inetUser
  cn: user
  sn: 1

- Make group2 a member of group1:

  dn: cn=group1,dc=example,dc=com
  changetype: modify
  add: member
  member: cn=group2,dc=example,dc=com

- Make user1 a member of group2:

  dn: cn=group2,dc=example,dc=com
  changetype: modify
  add: member
  member: uid=user1,dc=example,dc=com

- At this point, the memberOf attribute should be correct in the three test entries:

  dn: cn=group1,dc=example,dc=com
  member: cn=group2,dc=example,dc=com

  dn: cn=group2,dc=example,dc=com
  member: uid=user1,dc=example,dc=com
  memberof: cn=group1,dc=example,dc=com

  dn: uid=user1,dc=example,dc=com
  memberof: cn=group2,dc=example,dc=com
  memberof: cn=group1,dc=example,dc=com

- Rename group1 to groupA:

  dn: cn=group1,dc=example,dc=com
  changetype: modrdn
  newrdn: cn=groupA
  deleteoldrdn: 1

- At this point, the memberOf attribute of group2 is properly updated to use the
renamed group, but the indirect member (user1) is lacking a memberOf attribute
that refers to the renamed group:

  dn: cn=groupA,dc=example,dc=com
  member: cn=group2,dc=example,dc=com

  dn: cn=group2,dc=example,dc=com
  member: uid=user1,dc=example,dc=com
  memberof: cn=groupa,dc=example,dc=com

  dn: uid=user1,dc=example,dc=com
  memberof: cn=group2,dc=example,dc=com
Comment 1 Nathan Kinder 2008-03-26 16:55:03 EDT
Created attachment 299230 [details]
CVS Diffs

When processing a nested group in the case of a MODRDN operation, we'd end up
calling a function to do a replace of the memberOf attribute that always uses
an empty new value to replace it with. We need to call a different function
that allows us to pass in a new value to use for the replacement.
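
The rename scenario from the description and the two replace behaviours that Comment 1 contrasts, as an added example that is not part of this bug report or of memberof.c: a toy in-memory model plus an audit that recomputes memberOf from the `member` values and reports drift. The function names, the dict layout and the `replace_indirect_with_new` flag are assumptions made for illustration.

```python
# Added illustration: a toy in-memory model, not 389 Directory Server code.
# directory maps DN -> {"member": set of DNs, "memberof": set of DNs}.
G1 = "cn=group1,dc=example,dc=com"
GA = "cn=groupa,dc=example,dc=com"
G2 = "cn=group2,dc=example,dc=com"
U1 = "uid=user1,dc=example,dc=com"

def sample():
    """Constructed state matching the report just before the rename."""
    return {G1: {"member": {G2}, "memberof": set()},
            G2: {"member": {U1}, "memberof": {G1}},
            U1: {"member": set(), "memberof": {G1, G2}}}

def expected_memberof(directory):
    """Recompute memberOf for every entry from the member values alone."""
    parents = {dn: set() for dn in directory}
    for group, entry in directory.items():
        for m in entry["member"]:
            parents.setdefault(m, set()).add(group)
    result = {}
    for dn in directory:
        seen, stack = set(), list(parents[dn])
        while stack:  # walk upward; 'seen' guards against group loops
            g = stack.pop()
            if g not in seen:
                seen.add(g)
                stack.extend(parents.get(g, ()))
        result[dn] = seen
    return result

def audit(directory):
    """Return {dn: (missing, stale)} where stored memberOf has drifted."""
    drift = {}
    for dn, want in expected_memberof(directory).items():
        have = directory[dn]["memberof"]
        if have != want:
            drift[dn] = (want - have, have - want)
    return drift

def modrdn(directory, old, new, replace_indirect_with_new):
    """Rename a group; the flag (hypothetical) selects the behaviour in Comment 1."""
    directory[new] = directory.pop(old)
    direct = directory[new]["member"]
    for dn, entry in directory.items():
        if old in entry["memberof"]:
            entry["memberof"].discard(old)
            # Direct members get the new DN; nested ones only when the flag is set.
            if dn in direct or replace_indirect_with_new:
                entry["memberof"].add(new)
```

With the flag off, `audit()` reports user1 as missing the renamed group, which is the state shown at the end of the description; with it on, the audit comes back empty.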
Comment 2 Nathan Kinder 2008-03-26 18:26:40 EDT
Checked into ldapserver (HEAD).  Thanks to Simo for his review!

Checking in memberof.c;
/cvs/dirsec/ldapserver/ldap/servers/plugins/memberof/memberof.c,v  <--  memberof.c
new revision: 1.2; previous revision: 1.1
done
Comment 3 Rob Crittenden 2008-03-28 14:17:11 EDT
Committed into freeipa as changeset 733
Comment 4 Yi Zhang 2008-04-08 19:20:03 EDT
qa verified, bug closed
build used: 4-8-2008 daily build
Comment 5 Chandrasekar Kannan 2009-04-29 19:03:20 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-0455.html
