If you delete all member attributes from a group entry, the memberOf attributes of the members are not updated.

To reproduce:

- Create these two entries:

dn: cn=group1,dc=example,dc=com
objectclass: top
objectClass: groupOfNames
objectClass: inetUser
cn: group1

dn: uid=user1,dc=example,dc=com
uid: user1
objectClass: inetorgperson
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: inetUser
cn: user
sn: 1

- Make user1 a member of group1:

dn: cn=group1,dc=example,dc=com
changetype: modify
add: member
member: uid=user1,dc=example,dc=com

- At this point, the membership attributes should look fine:

dn: cn=group1,dc=example,dc=com
member: uid=user1,dc=example,dc=com

dn: uid=user1,dc=example,dc=com
memberof: cn=group1,dc=example,dc=com

- Delete all member attributes from group1:

dn: cn=group1,dc=example,dc=com
changetype: modify
delete: member

- At this point, user1 will still have a memberOf attribute saying that it's in group1, but it will not be listed as a member in the group1 entry. The memberOf attribute should have been removed from user1.

dn: cn=group1,dc=example,dc=com

dn: uid=user1,dc=example,dc=com
memberof: cn=group1,dc=example,dc=com
Another thing to note is that this only occurs when you delete all member values. If you specify the value you want to delete (even if it's the only value), then it is handled correctly. For example, this modify works fine in the above case:

dn: cn=group1,dc=example,dc=com
changetype: modify
delete: member
member: uid=user1,dc=example,dc=com

A replace of all present member attributes with no new value also works fine:

dn: cn=group1,dc=example,dc=com
changetype: modify
replace: member
Created attachment 299482 [details]
CVS Diffs

The code that deals with modify operations that delete member values was not properly handling the case where there are no values specified for deletion. This code would go through member entries specified in the member values to be deleted, but nothing would happen since no values were specified.

The code that deals with replace modify operations just compares the pre-operation copy of the group entry with the post-operation copy to see what member attributes have been changed. It can then figure out what member entries need to be updated. This approach is what we need to use for the delete all values case as well.

The fix is to check if we have any values specified when dealing with a delete modify operation, and if not, just call the replace function.
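The reproduce steps in the first two comments and the pre/post comparison described in the fix comment, modelled together as an added Python example. This is not code from the memberof plugin or from the attachment; it is a small in-memory model of the directory (dn -> attribute -> values) with three hypothetical helpers: apply_mod applies one LDIF modify to a group entry, member_diff does the pre-operation/post-operation comparison the fix adopts, and stale_memberof is an audit that finds memberOf values whose group no longer lists the entry as a member, which is the inconsistent state the report shows. The sample entries are constructed to match the report.

```python
"""Model of the memberOf consistency problem described in this bug report.
Added example; not the plugin's code. Entries: dn -> {attr: [values]}."""
import copy

GROUP = "cn=group1,dc=example,dc=com"
USER = "uid=user1,dc=example,dc=com"

# Constructed sample directory: state after "add: member" in the report.
DIRECTORY = {
    GROUP: {
        "objectclass": ["top", "groupOfNames", "inetUser"],
        "cn": ["group1"],
        "member": [USER],
    },
    USER: {
        "objectclass": ["inetorgperson", "organizationalPerson",
                        "person", "top", "inetUser"],
        "uid": ["user1"], "cn": ["user"], "sn": ["1"],
        "memberof": [GROUP],
    },
}


def apply_mod(entry, op, attr, values):
    """Apply one LDAP modify (add/delete/replace) to a copy of `entry`.
    `values` is empty when the LDIF carries no value lines, i.e. the
    'delete all present values' case this report is about."""
    new = copy.deepcopy(entry)
    attr = attr.lower()
    current = new.get(attr, [])
    if op == "add":
        new[attr] = current + [v for v in values if v not in current]
    elif op == "delete":
        if not values:                      # no values: drop whole attribute
            new.pop(attr, None)
        else:
            kept = [v for v in current if v not in values]
            if kept:
                new[attr] = kept
            else:
                new.pop(attr, None)
    elif op == "replace":
        if values:
            new[attr] = list(values)
        else:
            new.pop(attr, None)
    else:
        raise ValueError("unknown modify op: %s" % op)
    return new


def member_diff(pre, post):
    """The replace-path approach the fix reuses: compare pre- and post-op
    copies of the group and return (members added, members removed)."""
    before, after = set(pre.get("member", [])), set(post.get("member", []))
    return sorted(after - before), sorted(before - after)


def fixup_memberof(directory, group_dn, pre, post):
    """Propagate the member diff to the affected entries' memberOf."""
    added, removed = member_diff(pre, post)
    for dn in added:
        ent = directory.get(dn)
        if ent is not None and group_dn not in ent.get("memberof", []):
            ent.setdefault("memberof", []).append(group_dn)
    for dn in removed:
        ent = directory.get(dn)
        if ent is None:
            continue
        vals = [v for v in ent.get("memberof", []) if v != group_dn]
        if vals:
            ent["memberof"] = vals
        else:
            ent.pop("memberof", None)


def stale_memberof(directory):
    """Audit: (dn, group) pairs where dn claims memberOf group but the group
    does not list dn as a member. Empty means the two views agree."""
    stale = []
    for dn, ent in directory.items():
        for g in ent.get("memberof", []):
            if dn not in directory.get(g, {}).get("member", []):
                stale.append((dn, g))
    return sorted(stale)


def reproduce(op, values):
    """Run one group modify from the report through the fixed path and
    return (resulting directory, audit findings)."""
    d = copy.deepcopy(DIRECTORY)
    pre = d[GROUP]
    post = apply_mod(pre, op, "member", values)
    d[GROUP] = post
    fixup_memberof(d, GROUP, pre, post)
    return d, stale_memberof(d)


def unfixed_delete_all():
    """The broken behaviour from the report: member removed, memberOf left."""
    d = copy.deepcopy(DIRECTORY)
    d[GROUP].pop("member", None)
    return stale_memberof(d)


if __name__ == "__main__":
    print("unfixed:", unfixed_delete_all())            # user1 still claims group1
    print("fixed  :", reproduce("delete", [])[1])       # [] once diff is applied
```

Running the module prints the stale pair for the unfixed path and an empty list once the delete-all case goes through the same diff as a replace; stale_memberof is the kind of check worth running against a real directory export after upgrading, since entries already left inconsistent by the bug are not repaired by the fix itself.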
Checked into ldapserver (HEAD). Thanks to Simo for his review!

Checking in memberof.c;
/cvs/dirsec/ldapserver/ldap/servers/plugins/memberof/memberof.c,v <-- memberof.c
new revision: 1.3; previous revision: 1.2
done
Checked into FreeIPA as changeset 744.

changeset: 744:c5834dc6ed37
tag: tip
user: Nathan Kinder <nkinder>
date: Fri Mar 28 08:56:06 2008 -0700
summary: Fixed handling of modify operations that delete all present member
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-0455.html