If you delete all member attributes from a group entry, the memberOf attributes
of the members are not updated.
- Create these two entries:
- Make user1 a member of group1:
- At this point, the membership attributes should look fine:
- Delete all member attributes from group1:
- At this point, user1 will still have a memberOf attribute saying that it's in
group1, but it will not be listed as a member in the group1 entry. The memberOf
attribute should have been removed from user1.
Another thing to note is that this only occurs when you delete all member
values. If you specify the value you want to delete (even if it's the only
value), then it is handled correctly. For example, this modify works fine in
the above case:
A replace of all present member attributes with no new value also works fine:
Created attachment 299482
The code that deals with modify operations that delete member values was not
properly handling the case where there are no values specified for deletion.
This code would go through member entries specified in the member values to be
deleted, but nothing would happen since no values were specified.
The code that deals with replace modify operations just compares the
pre-operation copy of the group entry with the post-operation copy to see what
member attributes have been changed. It can then figure out what member
entries need to be updated. This approach is what we need to use for the
delete all values case as well.
The fix is to check if we have any values specified when dealing with a delete
modify operation, and if not, just call the replace function.
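The fix described in the comment above, modelled as a self-contained example. This is added here and is not the patch attached to this bug or code from memberof.c; the function names, the array representation of member lists and the DNs are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not the plugin's code: a member list is a
 * NULL-terminated array of DN strings. All DNs are constructed samples. */
static int has_dn(const char **dns, const char *dn) {
    for (; dns && *dns; dns++)
        if (strcmp(*dns, dn) == 0) return 1;
    return 0;
}

/* Replace-style handling: every DN in the pre-operation list that is absent
 * from the post-operation list must lose its memberOf value. */
size_t members_removed(const char **pre, const char **post,
                       const char **out, size_t cap) {
    size_t n = 0;
    for (; pre && *pre; pre++)
        if (!has_dn(post, *pre) && n < cap) out[n++] = *pre;
    return n;
}

/* Behaviour before the fix: only values named in the delete are visited,
 * so a delete with no values updates nobody. */
size_t handle_delete_before(const char **vals, const char **out, size_t cap) {
    size_t n = 0;
    for (; vals && *vals; vals++)
        if (n < cap) out[n++] = *vals;
    return n;
}

/* Behaviour after the fix: no values named means "delete all", so fall
 * back to the pre/post comparison used for replace. */
size_t handle_delete_after(const char **vals, const char **pre,
                           const char **post, const char **out, size_t cap) {
    if (vals == NULL || *vals == NULL)
        return members_removed(pre, post, out, cap);
    return handle_delete_before(vals, out, cap);
}

int main(void) {
    const char *pre[] = { "uid=user1,dc=example,dc=com", NULL };
    const char *post[] = { NULL };   /* group1 after "delete: member" */
    const char *out[4];
    printf("before fix: %zu entries updated\n",
           handle_delete_before(NULL, out, 4));
    printf("after fix:  %zu entries updated\n",
           handle_delete_after(NULL, pre, post, out, 4));
    return 0;
}
```

In the "before" path user1 keeps a memberOf value for a group that no longer lists it, which matters wherever memberOf is used for access decisions.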
Checked into ldapserver (HEAD). Thanks to Simo for his review!
Checking in memberof.c;
/cvs/dirsec/ldapserver/ldap/servers/plugins/memberof/memberof.c,v <-- memberof.c
new revision: 1.3; previous revision: 1.2
Checked into FreeIPA as changeset 744.
user: Nathan Kinder <email@example.com>
date: Fri Mar 28 08:56:06 2008 -0700
summary: Fixed handling of modify operations that delete all present member
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.