Bug 439097 - memberOf: Delete of all present member values not handled correctly
Status: CLOSED CURRENTRELEASE
Product: 389
Classification: Community
Component: Server - memberOf Plug-in
Version: 1.1.0
Hardware: All Linux
Priority: high, Severity: high
Assigned To: Nathan Kinder
QA Contact: Chandrasekar Kannan
Blocks: 249650 429034 FDS1.2.0
Reported: 2008-03-26 18:40 EDT by Nathan Kinder
Modified: 2015-01-04 18:31 EST
Fixed In Version: 8.1
Doc Type: Bug Fix
Last Closed: 2009-04-29 19:03:24 EDT

Attachments:
CVS Diffs (1.91 KB, patch), 2008-03-28 11:31 EDT, Nathan Kinder

Description Nathan Kinder 2008-03-26 18:40:13 EDT
If you delete all member attributes from a group entry, the memberOf attributes
of the members are not updated.

To reproduce:
- Create these two entries:

  dn: cn=group1,dc=example,dc=com
  objectclass: top
  objectClass: groupOfNames
  objectClass: inetUser
  cn: group1

  dn: uid=user1,dc=example,dc=com
  uid: user1
  objectClass: inetorgperson
  objectClass: organizationalPerson
  objectClass: person
  objectClass: top
  objectClass: inetUser
  cn: user
  sn: 1

- Make user1 a member of group1:

  dn: cn=group1,dc=example,dc=com
  changetype: modify
  add: member
  member: uid=user1,dc=example,dc=com

- At this point, the membership attributes should look fine:

  dn: cn=group1,dc=example,dc=com
  member: uid=user1,dc=example,dc=com

  dn: uid=user1,dc=example,dc=com
  memberof: cn=group1,dc=example,dc=com

- Delete all member attributes from group1:

  dn: cn=group1,dc=example,dc=com
  changetype: modify
  delete: member

- At this point, user1 will still have a memberOf attribute saying that it's in
group1, but it will not be listed as a member in the group1 entry.  The memberOf
attribute should have been removed from user1.

  dn: cn=group1,dc=example,dc=com

  dn: uid=user1,dc=example,dc=com
  memberof: cn=group1,dc=example,dc=com

Comment 1 Nathan Kinder 2008-03-26 18:46:31 EDT
Another thing to note is that this only occurs when you delete all member
values.  If you specify the value you want to delete (even if it's the only
value), then it is handled correctly.  For example, this modify works fine in
the above case:

  dn: cn=group1,dc=example,dc=com
  changetype: modify
  delete: member
  member: uid=user1,dc=example,dc=com

A replace of all present member attributes with no new value also works fine:

  dn: cn=group1,dc=example,dc=com
  changetype: modify
  replace: member

Comment 2 Nathan Kinder 2008-03-28 11:31:27 EDT
Created attachment 299482
CVS Diffs

The code that deals with modify operations that delete member values was not
properly handling the case where there are no values specified for deletion. 
This code would go through member entries specified in the member values to be
deleted, but nothing would happen since no values were specified.

The code that deals with replace modify operations just compares the
pre-operation copy of the group entry with the post-operation copy to see what
member attributes have been changed.  It can then figure out what member
entries need to be updated.  This approach is what we need to use for the
delete all values case as well.

The fix is to check if we have any values specified when dealing with a delete
modify operation, and if not, just call the replace function.

Comment 3 Nathan Kinder 2008-03-28 17:02:36 EDT
Checked into ldapserver (HEAD).  Thanks to Simo for his review!

Checking in memberof.c;
/cvs/dirsec/ldapserver/ldap/servers/plugins/memberof/memberof.c,v  <--  memberof.c
new revision: 1.3; previous revision: 1.2
done

Comment 4 Nathan Kinder 2008-03-28 17:03:18 EDT
Checked into FreeIPA as changeset 744.

changeset:   744:c5834dc6ed37
tag:         tip
user:        Nathan Kinder <nkinder@redhat.com>
date:        Fri Mar 28 08:56:06 2008 -0700
summary:     Fixed handling of modify operations that delete all present member

Comment 6 Chandrasekar Kannan 2009-04-29 19:03:24 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-0455.html
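
An added example, not part of the original bug report or the 389 code: a consistency check over an LDIF export that reports memberOf values which no group's member attribute backs (the end state shown in the description), and the reverse case. The LDIF is constructed, DN matching is simplified to case-folding, and membership through nested groups is treated as legitimate, which is an assumption about how memberOf is populated.

```python
from collections import defaultdict

# Constructed sample: end state from the description (group1 emptied, user1 stale).
SAMPLE_LDIF = """\
dn: cn=group1,dc=example,dc=com

dn: uid=user1,dc=example,dc=com
memberof: cn=group1,dc=example,dc=com
"""

def parse_ldif(text):
    """Return {dn: {attr: set(values)}}, case-folded; no base64/folded lines."""
    entries = {}
    for record in text.strip().split("\n\n"):
        attrs = defaultdict(set)
        for line in record.splitlines():
            name, _, value = line.partition(":")
            attrs[name.strip().lower()].add(value.strip().lower())
        (dn,) = attrs.pop("dn")
        entries[dn] = attrs
    return entries

def expected_memberof(entries):
    """Groups each entry belongs to, directly or through nested groups."""
    direct = defaultdict(set)
    for group, attrs in entries.items():
        for member in attrs.get("member", ()):
            direct[member].add(group)
    expected = {}
    for dn in entries:
        seen, todo = set(), [dn]
        while todo:
            new = direct[todo.pop()] - seen
            seen |= new
            todo += new
        expected[dn] = seen
    return expected

def audit(text):
    """Return (stale, missing) sets of (entry_dn, group_dn) pairs."""
    entries = parse_ldif(text)
    expected = expected_memberof(entries)
    actual = {dn: a.get("memberof", set()) for dn, a in entries.items()}
    stale = {(d, g) for d in entries for g in actual[d] - expected[d]}
    missing = {(d, g) for d in entries for g in expected[d] - actual[d]}
    return stale, missing

if __name__ == "__main__":
    print(audit(SAMPLE_LDIF))
```

A stale pair matters wherever access decisions are made by reading memberOf from the user entry rather than member from the group.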
