Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 438891

Summary: memberOf isn't handled correctly when MODRDN of indirect group is performed
Product: [Retired] 389 Reporter: Nathan Kinder <nkinder>
Component: Server - memberOf Plug-inAssignee: Nathan Kinder <nkinder>
Status: CLOSED CURRENTRELEASE QA Contact: Chandrasekar Kannan <ckannan>
Severity: high Docs Contact:
Priority: high    
Version: 1.1.0CC: andrey.ivanov, benl
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 8.1 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-04-29 23:03:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 249650, 429034, 493682    
Attachments:
Description Flags
CVS Diffs none

Description Nathan Kinder 2008-03-25 20:13:21 UTC 
If you do a MODRDN of a group, indirect members memberOf attribute is not
properly updated.

Steps to Reproduce:
- Create these three entries:

  dn: cn=group1,dc=example,dc=com
  objectclass: top
  objectClass: groupOfNames
  objectClass: inetUser
  cn: group1

  dn: group2,dc=example,dc=com
  objectclass: top
  objectClass: groupOfNames
  objectClass: inetUser
  cn: group2
  dn: cn=group2

  dn: uid=user1,dc=example,dc=com
  uid: user1
  objectClass: inetorgperson
  objectClass: organizationalPerson
  objectClass: person
  objectClass: top
  objectClass: inetUser
  cn: user
  sn: 1

- Make group2 a member of group1:

  dn: cn=group1,dc=example,dc=com
  changetype: modify
  add: member
  member: cn=group2,dc=example,dc=com

- Make user1 a member of group2:

  dn: cn=group2,dc=example,dc=com        
  changetype: modify
  add: member
  member: uid=user1,dc=example,dc=com

- At this point, the memberOf attribute should be correct in the three test entries:

  dn: cn=group1,dc=example,dc=com
  member: cn=group2,dc=example,dc=com

  dn: cn=group2,dc=example,dc=com
  member: uid=user1,dc=example,dc=com
  memberof: cn=group1,dc=example,dc=com

  dn: uid=user1,dc=example,dc=com
  memberof: cn=group2,dc=example,dc=com
  memberof: cn=group1,dc=example,dc=com

- Rename group1 to groupA:

  dn: cn=group1,dc=example,dc=com
  changetype: modrdn
  newrdn: cn=groupA
  deleteoldrdn: 1

- At this point, the memberOf attribute of group2 is properly updated to use the
renamed group, but the indirect member (user1) is lacking a memberOf attribute
that refers to the renamed group:

  dn: cn=groupA,dc=example,dc=com
  member: cn=group2,dc=example,dc=com

  dn: cn=group2,dc=example,dc=com
  member: uid=user1,dc=example,dc=com
  memberof: cn=groupa,dc=example,dc=com

  dn: uid=user1,dc=example,dc=com
  memberof: cn=group2,dc=example,dc=com
Comment 1 Nathan Kinder 2008-03-26 20:55:03 UTC 
Created attachment 299230 [details]
CVS Diffs

When processing a nested group in the case of a MODRDN operation, we'd end up
calling a function to do a replace of the memberOf attribute that always uses
an empty new value to replace it with.	We need to call a different function
that allows us to pass in a new value to use for the replacement for.
Comment 2 Nathan Kinder 2008-03-26 22:26:40 UTC 
Checked into ldapserver (HEAD).  Thanks to Simo for his review!

Checking in memberof.c;
/cvs/dirsec/ldapserver/ldap/servers/plugins/memberof/memberof.c,v  <--  memberof.c
new revision: 1.2; previous revision: 1.1
done
Comment 3 Rob Crittenden 2008-03-28 18:17:11 UTC 
Commited into freeipa as changeset 733
Comment 4 Yi Zhang 2008-04-08 23:20:03 UTC 
qa verified, bug closed
build used: 4-8-2008 daily build
Comment 5 Chandrasekar Kannan 2009-04-29 23:03:20 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-0455.html