Description of problem: I have a group "it". When I try to remove it via the command line I get the following message: An exact group match was not found. Found 2 groups (I guess "editors").
It currently uses the same broad search filter that any find group request uses which is far too broad. We need to search where cn=GROUP only. Or provide a list of hits and let the user select which group to delete. Or do both by adding a new option that does an exact-search match but defaults to interactive.
I am wondering why we do search at all? Is the concern that we might find more than one group with the same name?
Right. We currently have just one container for groups but in theory could support more, each with the same name. How useful this would be I don't know. I think I'll do the reverse. I'll add a -i/--interactive option for doing list-based removals on dups, otherwise only exact matches will be removed.
Additionally, need to confirm that the cn matches the responses. If there were only an editors group and no other "it" groups then ipa-delgroup it would remove editors.
Created attachment 310964
Be more careful when removing groups

The group delete XML-RPC function takes the DN as the argument, so it is up to the client to provide the right group. This patch runs through the results and explodes the returned DNs looking for an exact match of cn=GROUP_TO_DELETE. So even if multiple groups are returned we'll do the right thing.
master: 3f85a011c60ead633a04a239cb7b7c8b82fd7017
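The exact-match check described in the patch comment above, as an added example that is not the attached patch or FreeIPA code: it splits each returned DN and accepts a result only when its leading RDN is cn=GROUP. The function names and the "editors" DN are assumptions, and multi-valued RDNs and hex escapes are not handled.

```python
import re

def explode_dn(dn):
    """Split a DN into RDN strings, keeping backslash-escaped commas intact."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    rdns.append("".join(cur).strip())
    return [r for r in rdns if r]

def leading_cn(dn):
    """Return the unescaped value of the first RDN if it is a cn, else None."""
    rdns = explode_dn(dn)
    if not rdns:
        return None
    attr, sep, value = rdns[0].partition("=")
    if not sep or attr.strip().lower() != "cn":
        return None
    return re.sub(r"\\(.)", r"\1", value.strip())

def exact_group_dn(name, result_dns):
    """Pick the one DN whose leading cn equals name (case-insensitive)."""
    hits = [dn for dn in result_dns
            if (cn := leading_cn(dn)) is not None and cn.lower() == name.lower()]
    if len(hits) > 1:
        # Same cn in more than one container: do not guess which to delete.
        raise ValueError("more than one group named %r" % name)
    return hits[0] if hits else None

# Constructed search results: the first DN appears in the test log on this
# page; the second is an assumed DN for "editors" in the same container.
IT = "cn=it,cn=groups,cn=accounts,dc=ipaqa,dc=com"
EDITORS = "cn=editors,cn=groups,cn=accounts,dc=ipaqa,dc=com"

if __name__ == "__main__":
    print(exact_group_dn("it", [EDITORS, IT]))  # broad search, exact pick
    print(exact_group_dn("it", [EDITORS]))      # only a fuzzy hit: no delete
```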
Verified, test is below: (runs on both X86_64 & I386 32bit RHEL 5.2)

Test 1: result pass
------------------------------------------------------
server64[06/09/08 01:43]~ >ipa-addgroup
Group name: it
Description: try to confuse server
it successfully added
server64[06/09/08 01:43]~ >ipa-finduser it
No entries found for it
server64[06/09/08 01:44]~ >ipa-findgroup it
2 entries were found. Which one would you like to display?
1: it
2: editors
Choose one: (1 - 2), 0 for all, q to quit: 1
dn: cn=it,cn=groups,cn=accounts,dc=ipaqa,dc=com
GID: 1469
Full Name: it
Description: try to confuse server
server64[06/09/08 01:44]~ >ipa-delgroup it
it successfully deleted

Test 2: test with long group name
----------------------------------------------------
Below is a test for long group name, and it works as well.
server64[06/09/08 02:05]~ >ipa-addgroup -d "verylong name try to confuse others" verylonglonglongnameA
verylonglonglongnameA successfully added
server64[06/09/08 02:05]~ >ipa-addgroup -d "verylong name try to confuse others" verylonglonglongnameB
verylonglonglongnameB successfully added
server64[06/09/08 02:06]~ >ipa-findgroup verylonglonglong
2 entries were found. Which one would you like to display?
1: verylonglonglongnameA
2: verylonglonglongnameB
Choose one: (1 - 2), 0 for all, q to quit: q
server64[06/09/08 02:06]~ >ipa-findgroup verylonglonglongnameB
dn: cn=verylonglonglongnameB,cn=groups,cn=accounts,dc=ipaqa,dc=com
GID: 1511
Full Name: verylonglonglongnameB
Description: verylong name try to confuse others
server64[06/09/08 02:06]~ >ipa-delgroup verylonglonglongnameB
verylonglonglongnameB successfully deleted
server64[06/09/08 02:06]~ >ipa-delgroup verylonglonglongname
Group 'verylonglonglongname' not found.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0643.html