If you create a circular grouping (two groups with each other listed as members), then each group will have itself listed as the value of a memberOf attribute. We don't prevent someone from creating a circular grouping, but we shouldn't list a group as a memberOf itself.
To reproduce: - Create the following two group entries: dn: cn=group1,dc=example,dc=com objectclass: top objectClass: groupOfNames objectClass: inetUser cn: group1 dn: cn=group2,dc=example,dc=com objectclass: top objectClass: groupOfNames objectClass: inetUser cn: group2 - Make group2 a member of group1: dn: cn=group1,dc=example,dc=com changetype: modify add: member member: cn=group2,dc=example,dc=com - Make group1 a member of group2: dn: cn=group2,dc=example,dc=com changetype: modify add: member member: cn=group1,dc=example,dc=com - At this point, both groups will have themselves listed as a member: dn: cn=group1,dc=example,dc=com member: cn=group2,dc=example,dc=com memberof: cn=group1,dc=example,dc=com memberof: cn=group2,dc=example,dc=com dn: cn=group2,dc=example,dc=com member: cn=group1,dc=example,dc=com memberof: cn=group1,dc=example,dc=com memberof: cn=group2,dc=example,dc=com
Created attachment 299521 [details] CVS Diffs When we are done recursing through a nested group, we finally update the group entry itself. Before doing any update to the group entry itself, we should check to see if we're trying to do do an operation on the entry using itself as the value for memberOf. There was a similar check in the code already, but it was only for a fixup operation for add modify operations. This check needs to be performed for all modify operation types earlier in the code.
Checked into ldapserver (HEAD). Thanks to Simo for his review! Checking in memberof.c; /cvs/dirsec/ldapserver/ldap/servers/plugins/memberof/memberof.c,v <-- memberof.c new revision: 1.4; previous revision: 1.3 done
Checked into FreeIPA as changeset 745.
qa verified, bug closed build used: 4-4-2008 daily build
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHEA-2009-0455.html