If you do a MODRDN of a group, indirect members' memberOf attribute is not properly updated.

Steps to Reproduce:

- Create these three entries:

    dn: cn=group1,dc=example,dc=com
    objectclass: top
    objectClass: groupOfNames
    objectClass: inetUser
    cn: group1

    dn: cn=group2,dc=example,dc=com
    objectclass: top
    objectClass: groupOfNames
    objectClass: inetUser
    cn: group2

    dn: uid=user1,dc=example,dc=com
    uid: user1
    objectClass: inetorgperson
    objectClass: organizationalPerson
    objectClass: person
    objectClass: top
    objectClass: inetUser
    cn: user
    sn: 1

- Make group2 a member of group1:

    dn: cn=group1,dc=example,dc=com
    changetype: modify
    add: member
    member: cn=group2,dc=example,dc=com

- Make user1 a member of group2:

    dn: cn=group2,dc=example,dc=com
    changetype: modify
    add: member
    member: uid=user1,dc=example,dc=com

- At this point, the memberOf attribute should be correct in the three test entries:

    dn: cn=group1,dc=example,dc=com
    member: cn=group2,dc=example,dc=com

    dn: cn=group2,dc=example,dc=com
    member: uid=user1,dc=example,dc=com
    memberof: cn=group1,dc=example,dc=com

    dn: uid=user1,dc=example,dc=com
    memberof: cn=group2,dc=example,dc=com
    memberof: cn=group1,dc=example,dc=com

- Rename group1 to groupA:

    dn: cn=group1,dc=example,dc=com
    changetype: modrdn
    newrdn: cn=groupA
    deleteoldrdn: 1

- At this point, the memberOf attribute of group2 is properly updated to use the renamed group, but the indirect member (user1) is lacking a memberOf attribute that refers to the renamed group:

    dn: cn=groupA,dc=example,dc=com
    member: cn=group2,dc=example,dc=com

    dn: cn=group2,dc=example,dc=com
    member: uid=user1,dc=example,dc=com
    memberof: cn=groupa,dc=example,dc=com

    dn: uid=user1,dc=example,dc=com
    memberof: cn=group2,dc=example,dc=com
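An added example (not part of the bug report or the plugin's code): a Python check that recomputes the memberOf values expected from the member attributes, nested groups included, and reports entries whose stored memberOf disagrees. The entry data is constructed from the post-rename state shown above; `norm`, `expected_memberof` and `audit` are hypothetical helper names, and DN comparison is simplified to lowercasing.

```python
# Added example: audit stored memberOf against the transitive closure of member.

def norm(dn):
    """Simplified DN normalisation (assumption): lowercase, trim around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def expected_memberof(entries):
    """Map each DN to the groups it belongs to directly or through nesting."""
    parents = {}  # member DN -> groups that list it directly
    for dn, attrs in entries.items():
        for member in attrs.get("member", []):
            parents.setdefault(norm(member), set()).add(norm(dn))
    result = {}
    for dn in entries:
        seen, stack = set(), [norm(dn)]
        while stack:
            for group in parents.get(stack.pop(), ()):
                if group not in seen:  # also guards against membership loops
                    seen.add(group)
                    stack.append(group)
        result[norm(dn)] = seen
    return result

def audit(entries):
    """Return {dn: (missing, stale)} for entries whose memberOf is wrong."""
    want = expected_memberof(entries)
    report = {}
    for dn, attrs in entries.items():
        have = {norm(v) for v in attrs.get("memberof", [])}
        missing, stale = want[norm(dn)] - have, have - want[norm(dn)]
        if missing or stale:
            report[norm(dn)] = (missing, stale)
    return report

# Constructed sample: the three test entries as listed after the MODRDN.
AFTER_RENAME = {
    "cn=groupA,dc=example,dc=com": {"member": ["cn=group2,dc=example,dc=com"]},
    "cn=group2,dc=example,dc=com": {"member": ["uid=user1,dc=example,dc=com"],
                                    "memberof": ["cn=groupa,dc=example,dc=com"]},
    "uid=user1,dc=example,dc=com": {"memberof": ["cn=group2,dc=example,dc=com"]},
}

if __name__ == "__main__":
    for dn, (missing, stale) in audit(AFTER_RENAME).items():
        print(dn, "missing:", sorted(missing), "stale:", sorted(stale))
```

Since memberOf values commonly feed access decisions, a missing indirect value like the one reported here is a silent loss of group-derived access, and a stale one would be a silent grant; the audit flags both.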
Created attachment 299230
CVS Diffs

When processing a nested group in the case of a MODRDN operation, we'd end up calling a function to do a replace of the memberOf attribute that always uses an empty new value to replace it with. We need to call a different function that allows us to pass in a new value to use for the replacement.
Checked into ldapserver (HEAD). Thanks to Simo for his review!

Checking in memberof.c;
/cvs/dirsec/ldapserver/ldap/servers/plugins/memberof/memberof.c,v  <--  memberof.c
new revision: 1.2; previous revision: 1.1
done
Committed into freeipa as changeset 733
qa verified, bug closed
build used: 4-8-2008 daily build
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-0455.html