Bug 439097 - memberOf: Delete of all present member values not handled correctly
Summary: memberOf: Delete of all present member values not handled correctly
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: 389
Classification: Retired
Component: Server - memberOf Plug-in
Version: 1.1.0
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Nathan Kinder
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks: 249650 429034 FDS1.2.0
Reported: 2008-03-26 22:40 UTC by Nathan Kinder
Modified: 2015-01-04 23:31 UTC

Fixed In Version: 8.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-04-29 23:03:24 UTC
Embargoed:


Attachments
CVS Diffs (1.91 KB, patch)
2008-03-28 15:31 UTC, Nathan Kinder

Description Nathan Kinder 2008-03-26 22:40:13 UTC
If you delete all member attributes from a group entry, the memberOf attributes
of the members are not updated.

To reproduce:
- Create these two entries:

  dn: cn=group1,dc=example,dc=com
  objectclass: top
  objectClass: groupOfNames
  objectClass: inetUser
  cn: group1

  dn: uid=user1,dc=example,dc=com
  uid: user1
  objectClass: inetorgperson
  objectClass: organizationalPerson
  objectClass: person
  objectClass: top
  objectClass: inetUser
  cn: user
  sn: 1

- Make user1 a member of group1:

  dn: cn=group1,dc=example,dc=com
  changetype: modify
  add: member
  member: uid=user1,dc=example,dc=com

- At this point, the membership attributes should look fine:

  dn: cn=group1,dc=example,dc=com
  member: uid=user1,dc=example,dc=com

  dn: uid=user1,dc=example,dc=com
  memberof: cn=group1,dc=example,dc=com

- Delete all member attributes from group1:

  dn: cn=group1,dc=example,dc=com
  changetype: modify
  delete: member

- At this point, user1 will still have a memberOf attribute saying that it's in
group1, but it will not be listed as a member in the group1 entry.  The memberOf
attribute should have been removed from user1.

  dn: cn=group1,dc=example,dc=com

  dn: uid=user1,dc=example,dc=com
  memberof: cn=group1,dc=example,dc=com

Comment 1 Nathan Kinder 2008-03-26 22:46:31 UTC
Another thing to note is that this only occurs when you delete all member
values.  If you specify the value you want to delete (even if it's the only
value), then it is handled correctly.  For example, this modify works fine in
the above case:

  dn: cn=group1,dc=example,dc=com
  changetype: modify
  delete: member
  member: uid=user1,dc=example,dc=com

A replace of all present member attributes with no new value also works fine:

  dn: cn=group1,dc=example,dc=com
  changetype: modify
  replace: member

Comment 2 Nathan Kinder 2008-03-28 15:31:27 UTC
Created attachment 299482
CVS Diffs

The code that deals with modify operations that delete member values was not
properly handling the case where there are no values specified for deletion. 
This code would go through member entries specified in the member values to be
deleted, but nothing would happen since no values were specified.

The code that deals with replace modify operations just compares the
pre-operation copy of the group entry with the post-operation copy to see what
member attributes have been changed.  It can then figure out what member
entries need to be updated.  This approach is what we need to use for the
delete all values case as well.

The fix is to check if we have any values specified when dealing with a delete
modify operation, and if not, just call the replace function.

Comment 3 Nathan Kinder 2008-03-28 21:02:36 UTC
Checked into ldapserver (HEAD).  Thanks to Simo for his review!

Checking in memberof.c;
/cvs/dirsec/ldapserver/ldap/servers/plugins/memberof/memberof.c,v  <--  memberof.c
new revision: 1.3; previous revision: 1.2
done

Comment 4 Nathan Kinder 2008-03-28 21:03:18 UTC
Checked into FreeIPA as changeset 744.

changeset:   744:c5834dc6ed37
tag:         tip
user:        Nathan Kinder <nkinder>
date:        Fri Mar 28 08:56:06 2008 -0700
summary:     Fixed handling of modify operations that delete all present member

Comment 6 Chandrasekar Kannan 2009-04-29 23:03:24 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-0455.html

