Bug 453222 - "ipa-delgroup it" gets confused with group "editors"
Summary: "ipa-delgroup it" gets confused with group "editors"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: freeIPA
Classification: Retired
Component: ipa-admintools
Version: 1.0
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks: 453489
TreeView+ depends on / blocked
 
Reported: 2008-06-27 21:07 UTC by Eric Desgranges
Modified: 2015-01-04 23:33 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-08-04 18:21:39 UTC
Embargoed:


Attachments (Terms of Use)
Be more careful when removing groups (1.33 KB, patch)
2008-07-03 21:11 UTC, Rob Crittenden
no flags Details | Diff


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2008:0643 0 normal SHIPPED_LIVE ipa bug fix update 2008-08-04 18:20:50 UTC

Description Eric Desgranges 2008-06-27 21:07:42 UTC
Description of problem:
I have a group "it". When I try to remove it via the command line I get the
following message:
An exact group match was not found. Found 2 groups (I guess "editors").

Comment 1 Rob Crittenden 2008-06-30 19:06:32 UTC
It currently uses the same broad search filter that any find group request uses
which is far too broad. We need to search where cn=GROUP only.

Or provide a list of hits and let the user select which group to delete.

Or do both by adding a new option that does an exact-search match but defaults
to interactive.

Comment 2 Simo Sorce 2008-06-30 19:33:10 UTC
I am wondering why we do search at all ? Is the concern that we might find more
than one group with the same name ?

Comment 3 Rob Crittenden 2008-06-30 21:30:13 UTC
Right. We currently have just one container for groups but in theory could
support more, each with the same name. How useful this would be I don't know.

I think I'll do the reverse. I'll add a -i/--interactive option for doing
list-based removals on dups, otherwise only exact matches will be removed.

Comment 4 Rob Crittenden 2008-07-03 18:03:44 UTC
additionally, need to confirm that the cn matches the responses.

If there were only an editors group and no other "it" groups then ipa-delgroup
it would remove editors.

Comment 5 Rob Crittenden 2008-07-03 21:11:57 UTC
Created attachment 310964 [details]
Be more careful when removing groups

The group delete XML-RPC function takes the DN as the argument so it is up to
the client to provide the right group.

This patch runs through the results and explodes the returned DNs looking for
an exact match of cn=GROUP_TO_DELETE

So even if multiple groups are returned we'll do the right thing.

Comment 7 Rob Crittenden 2008-07-07 14:28:26 UTC
master: 3f85a011c60ead633a04a239cb7b7c8b82fd7017

Comment 9 Yi Zhang 2008-07-22 23:03:33 UTC
Verified, test is below: (runs on both X86_64 & I386 32bit RHEL 5.2)

Test 1: result pass
------------------------------------------------------
server64[06/09/08 01:43]~ >ipa-addgroup 
Group name: it
Description: try to confuse server
it successfully added
server64[06/09/08 01:43]~ >ipa-finduser it
No entries found for it
server64[06/09/08 01:44]~ >ipa-findgroup it
2 entries were found. Which one would you like to display?
1: it
2: editors
Choose one: (1 - 2), 0 for all, q to quit: 1
dn: cn=it,cn=groups,cn=accounts,dc=ipaqa,dc=com
GID: 1469
Full Name: it
Description: try to confuse server

server64[06/09/08 01:44]~ >ipa-delgroup it
it successfully deleted


Test 2: test with long group name
----------------------------------------------------
Below is a test for long group name, and it works as well. 
server64[06/09/08 02:05]~ >ipa-addgroup -d "verylong name try to confuse others"
verylonglonglongnameA
verylonglonglongnameA successfully added
server64[06/09/08 02:05]~ >ipa-addgroup -d "verylong name try to confuse others"
verylonglonglongnameB
verylonglonglongnameB successfully added
server64[06/09/08 02:06]~ >ipa-findgroup verylonglonglong
2 entries were found. Which one would you like to display?
1: verylonglonglongnameA
2: verylonglonglongnameB
Choose one: (1 - 2), 0 for all, q to quit: q
server64[06/09/08 02:06]~ >ipa-findgroup verylonglonglongnameB
dn: cn=verylonglonglongnameB,cn=groups,cn=accounts,dc=ipaqa,dc=com
GID: 1511
Full Name: verylonglonglongnameB
Description: verylong name try to confuse others
 
server64[06/09/08 02:06]~ >ipa-delgroup verylonglonglongnameB
verylonglonglongnameB successfully deleted
server64[06/09/08 02:06]~ >ipa-delgroup verylonglonglongname
Group 'verylonglonglongname' not found.


Comment 11 errata-xmlrpc 2008-08-04 18:21:39 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0643.html


Note You need to log in before you can comment on or make changes to this bug.