Bug 438891 - memberOf isn't handled correctly when MODRDN of indirect group is performed
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: 389
Classification: Retired
Component: Server - memberOf Plug-in
Version: 1.1.0
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Nathan Kinder
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks: 249650 429034 FDS1.2.0
Reported: 2008-03-25 20:13 UTC by Nathan Kinder
Modified: 2015-01-04 23:31 UTC (History)

Fixed In Version: 8.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-04-29 23:03:20 UTC
Embargoed:


Attachments:
CVS Diffs (1.13 KB, patch)
2008-03-26 20:55 UTC, Nathan Kinder

Description Nathan Kinder 2008-03-25 20:13:21 UTC
If you do a MODRDN of a group, the indirect members' memberOf attribute is not
properly updated.

Steps to Reproduce:
- Create these three entries:

  dn: cn=group1,dc=example,dc=com
  objectclass: top
  objectClass: groupOfNames
  objectClass: inetUser
  cn: group1

  dn: cn=group2,dc=example,dc=com
  objectclass: top
  objectClass: groupOfNames
  objectClass: inetUser
  cn: group2

  dn: uid=user1,dc=example,dc=com
  uid: user1
  objectClass: inetorgperson
  objectClass: organizationalPerson
  objectClass: person
  objectClass: top
  objectClass: inetUser
  cn: user
  sn: 1

- Make group2 a member of group1:

  dn: cn=group1,dc=example,dc=com
  changetype: modify
  add: member
  member: cn=group2,dc=example,dc=com

- Make user1 a member of group2:

  dn: cn=group2,dc=example,dc=com
  changetype: modify
  add: member
  member: uid=user1,dc=example,dc=com

- At this point, the memberOf attribute should be correct in the three test entries:

  dn: cn=group1,dc=example,dc=com
  member: cn=group2,dc=example,dc=com

  dn: cn=group2,dc=example,dc=com
  member: uid=user1,dc=example,dc=com
  memberof: cn=group1,dc=example,dc=com

  dn: uid=user1,dc=example,dc=com
  memberof: cn=group2,dc=example,dc=com
  memberof: cn=group1,dc=example,dc=com

- Rename group1 to groupA:

  dn: cn=group1,dc=example,dc=com
  changetype: modrdn
  newrdn: cn=groupA
  deleteoldrdn: 1

- At this point, the memberOf attribute of group2 is properly updated to use the
renamed group, but the indirect member (user1) is lacking a memberOf attribute
that refers to the renamed group:

  dn: cn=groupA,dc=example,dc=com
  member: cn=group2,dc=example,dc=com

  dn: cn=group2,dc=example,dc=com
  member: uid=user1,dc=example,dc=com
  memberof: cn=groupa,dc=example,dc=com

  dn: uid=user1,dc=example,dc=com
  memberof: cn=group2,dc=example,dc=com
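
An added example, not part of the original report or of the 389 code base: a consistency check that recomputes the expected memberOf values from the transitive closure of `member` and reports entries that are missing a value or carry a stale one. The function names are hypothetical, DN comparison is simplified to case-folding each RDN, and the sample LDIF is constructed from the post-rename state listed above.

```python
def norm(dn):  # simplified DN comparison: case-fold and trim each RDN
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    """Minimal LDIF reader (no folding/base64): {dn: {attr: set(values)}}."""
    entries, cur = {}, None
    for line in text.splitlines():
        attr, sep, val = line.strip().partition(":")
        if attr.lower() == "dn":
            cur = entries.setdefault(norm(val), {})
        elif sep and cur is not None:
            cur.setdefault(attr.lower(), set()).add(norm(val))
    return entries

def expected_memberof(entries):
    """For every entry, all groups that reach it through member chains."""
    parents = {}
    for dn, attrs in entries.items():
        for m in attrs.get("member", ()):
            parents.setdefault(m, set()).add(dn)
    closure = {}
    for dn in entries:
        seen, stack = set(), list(parents.get(dn, ()))
        while stack:            # 'seen' also guards against membership loops
            group = stack.pop()
            if group not in seen:
                seen.add(group)
                stack.extend(parents.get(group, ()))
        closure[dn] = seen
    return closure

def audit(entries):
    """{dn: (missing, stale)} wherever memberOf disagrees with the member graph."""
    want = expected_memberof(entries)
    have = {dn: e.get("memberof", set()) for dn, e in entries.items()}
    return {dn: (want[dn] - have[dn], have[dn] - want[dn])
            for dn in entries if want[dn] != have[dn]}

AFTER_RENAME = """\
dn: cn=groupA,dc=example,dc=com
member: cn=group2,dc=example,dc=com

dn: cn=group2,dc=example,dc=com
member: uid=user1,dc=example,dc=com
memberof: cn=groupa,dc=example,dc=com

dn: uid=user1,dc=example,dc=com
memberof: cn=group2,dc=example,dc=com
"""  # constructed sample: the post-rename state listed in the report
```

Run against the sample, `audit(parse_ldif(AFTER_RENAME))` flags only user1, with the renamed group as the missing memberOf value.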

Comment 1 Nathan Kinder 2008-03-26 20:55:03 UTC
Created attachment 299230
CVS Diffs

When processing a nested group in the case of a MODRDN operation, we'd end up
calling a function to do a replace of the memberOf attribute that always uses
an empty new value to replace it with. We need to call a different function
that allows us to pass in a new value to use for the replacement.

Comment 2 Nathan Kinder 2008-03-26 22:26:40 UTC
Checked into ldapserver (HEAD).  Thanks to Simo for his review!

Checking in memberof.c;
/cvs/dirsec/ldapserver/ldap/servers/plugins/memberof/memberof.c,v  <--  memberof.c
new revision: 1.2; previous revision: 1.1
done

Comment 3 Rob Crittenden 2008-03-28 18:17:11 UTC
Committed into freeipa as changeset 733

Comment 4 Yi Zhang 2008-04-08 23:20:03 UTC
qa verified, bug closed
build used: 4-8-2008 daily build


Comment 5 Chandrasekar Kannan 2009-04-29 23:03:20 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-0455.html

