Bug 453222 - "ipa-delgroup it" gets confused with group "editors"
"ipa-delgroup it" gets confused with group "editors"
Product: freeIPA
Classification: Community
Component: ipa-admintools (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Rob Crittenden
Chandrasekar Kannan
Depends On:
Blocks: 453489
  Show dependency treegraph
Reported: 2008-06-27 17:07 EDT by Eric Desgranges
Modified: 2015-01-04 18:33 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-08-04 14:21:39 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Be more careful when removing groups (1.33 KB, patch)
2008-07-03 17:11 EDT, Rob Crittenden
no flags Details | Diff

  None (edit)
Description Eric Desgranges 2008-06-27 17:07:42 EDT
Description of problem:
I have a group "it". When I try to remove it via the command line I get the
following message:
An exact group match was not found. Found 2 groups (I guess "editors").
Comment 1 Rob Crittenden 2008-06-30 15:06:32 EDT
It currently uses the same broad search filter that any find group request uses
which is far too broad. We need to search where cn=GROUP only.

Or provide a list of hits and let the user select which group to delete.

Or do both by adding a new option that does an exact-search match but defaults
to interactive.
Comment 2 Simo Sorce 2008-06-30 15:33:10 EDT
I am wondering why we do search at all ? Is the concern that we might find more
than one group with the same name ?
Comment 3 Rob Crittenden 2008-06-30 17:30:13 EDT
Right. We currently have just one container for groups but in theory could
support more, each with the same name. How useful this would be I don't know.

I think I'll do the reverse. I'll add a -i/--interactive option for doing
list-based removals on dups, otherwise only exact matches will be removed.
Comment 4 Rob Crittenden 2008-07-03 14:03:44 EDT
additionally, need to confirm that the cn matches the responses.

If there were only an editors group and no other "it" groups then ipa-delgroup
it would remove editors.
Comment 5 Rob Crittenden 2008-07-03 17:11:57 EDT
Created attachment 310964 [details]
Be more careful when removing groups

The group delete XML-RPC function takes the DN as the argument so it is up to
the client to provide the right group.

This patch runs through the results and explodes the returned DNs looking for
an exact match of cn=GROUP_TO_DELETE

So even if multiple groups are returned we'll do the right thing.
Comment 7 Rob Crittenden 2008-07-07 10:28:26 EDT
master: 3f85a011c60ead633a04a239cb7b7c8b82fd7017
Comment 9 Yi Zhang 2008-07-22 19:03:33 EDT
Verified, test is below: (runs on both X86_64 & I386 32bit RHEL 5.2)

Test 1: result pass
server64[06/09/08 01:43]~ >ipa-addgroup 
Group name: it
Description: try to confuse server
it successfully added
server64[06/09/08 01:43]~ >ipa-finduser it
No entries found for it
server64[06/09/08 01:44]~ >ipa-findgroup it
2 entries were found. Which one would you like to display?
1: it
2: editors
Choose one: (1 - 2), 0 for all, q to quit: 1
dn: cn=it,cn=groups,cn=accounts,dc=ipaqa,dc=com
GID: 1469
Full Name: it
Description: try to confuse server

server64[06/09/08 01:44]~ >ipa-delgroup it
it successfully deleted

Test 2: test with long group name
Below is a test for long group name, and it works as well. 
server64[06/09/08 02:05]~ >ipa-addgroup -d "verylong name try to confuse others"
verylonglonglongnameA successfully added
server64[06/09/08 02:05]~ >ipa-addgroup -d "verylong name try to confuse others"
verylonglonglongnameB successfully added
server64[06/09/08 02:06]~ >ipa-findgroup verylonglonglong
2 entries were found. Which one would you like to display?
1: verylonglonglongnameA
2: verylonglonglongnameB
Choose one: (1 - 2), 0 for all, q to quit: q
server64[06/09/08 02:06]~ >ipa-findgroup verylonglonglongnameB
dn: cn=verylonglonglongnameB,cn=groups,cn=accounts,dc=ipaqa,dc=com
GID: 1511
Full Name: verylonglonglongnameB
Description: verylong name try to confuse others
server64[06/09/08 02:06]~ >ipa-delgroup verylonglonglongnameB
verylonglonglongnameB successfully deleted
server64[06/09/08 02:06]~ >ipa-delgroup verylonglonglongname
Group 'verylonglonglongname' not found.
Comment 11 errata-xmlrpc 2008-08-04 14:21:39 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.