Description of problem:
The memberUser attribute is not removed from an HBAC rule when the member is deleted. This is true for hosts, users, groups etc. If a new group, user or host is added with the same DN, and the rule was to allow, it may not be desired that the new object be allowed.

Version-Release number of selected component (if applicable):
ipa-server-1.91-0.2010110118git813dfe5.fc12.i686
ipa-admintools-1.91-0.2010110118git813dfe5.fc12.i686

ldapsearches:

RULE:
# 31ed4602-1dd211b2-9f09d799-3dad0000, hbac, testrelm
dn: ipaUniqueID=31ed4602-1dd211b2-9f09d799-3dad0000,cn=hbac,dc=testrelm
objectClass: ipaassociation
objectClass: ipahbacrule
accessRuleType: deny
ipaEnabledFlag: TRUE
cn: Engineering
ipaUniqueID: 31ed4602-1dd211b2-9f09d799-3dad0000
memberUser: uid=eng,cn=users,cn=accounts,dc=testrelm
memberUser: cn=mygroup,cn=groups,cn=accounts,dc=testrelm
memberHost: fqdn=hosteng.testrelm,cn=computers,cn=accounts,dc=testrelm

USER:
# search result
search: 2
result: 32 No such object
matchedDN: cn=users,cn=accounts,dc=testrelm

GROUP:
# search result
search: 2
result: 32 No such object
matchedDN: cn=groups,cn=accounts,dc=testrelm

HOST:
# search result
search: 2
result: 32 No such object
matchedDN: cn=computers,cn=accounts,dc=testrelm

How reproducible:
always

Steps to Reproduce:
Example with user
1. Add a rule
   # ipa hbac-add --type=allow myrule
2. Add a user
   # ipa user-add --first=myuser --last=myuser myuser
3. Associate user with Rule
   # ipa hbac-add-user --users=myuser myrule
4. Delete the user
   # ipa user-del myuser
5. Verify memberUser is removed
   # ipa hbac-show --all myrule
   # ldapsearch on rule object

Actual results:
memberUser is not removed from the Rule

Expected results:
memberUser to be removed

Additional info:
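The report's ldapsearches show the practical check: each member DN in the rule is looked up and the directory answers "result: 32 No such object", which means the reference is dangling. The script below automates that audit over an LDIF dump of the HBAC rules. It is an added example written for this page, not FreeIPA code; the LDIF text and the set of existing DNs are constructed sample data modelled on the entries above (the second rule "Ops", its placeholder ipaUniqueID and the DNs uid=admin and uid=olduser are invented for the example). Dangling members of an enabled allow rule are flagged as high severity, since a recreated object with the same DN would silently inherit the access; dangling members of a deny rule are reported but rated low.

```python
"""Audit HBAC rule entries for dangling member DNs.

Added example, not part of the bug report or of FreeIPA. Input is an LDIF
dump of the rules (e.g. from ldapsearch over the cn=hbac container) plus the
set of DNs that a base-scope search confirms to exist.
"""
import base64

# Constructed sample LDIF: "Engineering" mirrors the report (deny rule with
# stale user and host); "Ops" is an invented enabled allow rule with one
# stale user. The Ops ipaUniqueID is a placeholder, not a real identifier.
RULE_LDIF = """\
dn: ipaUniqueID=31ed4602-1dd211b2-9f09d799-3dad0000,cn=hbac,dc=testrelm
objectClass: ipaassociation
objectClass: ipahbacrule
accessRuleType: deny
ipaEnabledFlag: TRUE
cn: Engineering
memberUser: uid=eng,cn=users,cn=accounts,dc=testrelm
memberUser: cn=mygroup,cn=groups,cn=accounts,dc=testrelm
memberHost: fqdn=hosteng.testrelm,cn=computers,cn=accounts,dc=testrelm

dn: ipaUniqueID=00000000-0000-0000-0000-000000000002,cn=hbac,dc=testrelm
objectClass: ipaassociation
objectClass: ipahbacrule
accessRuleType: allow
ipaEnabledFlag: TRUE
cn: Ops
memberUser: uid=admin,cn=users,cn=accounts,dc=testrelm
memberUser: uid=olduser,cn=users,cn=accounts,dc=testrelm
"""

# Constructed: DNs the directory still holds. uid=eng, hosteng and olduser
# are deliberately absent, matching the "No such object" results above.
EXISTING_DNS = {
    "cn=MyGroup,cn=groups,cn=accounts,dc=testrelm",
    "uid=admin,cn=users,cn=accounts,dc=testrelm",
}

MEMBER_ATTRS = ("memberUser", "memberHost", "memberService")


def parse_ldif(text):
    """Minimal LDIF parser: list of {attr: [values]} per entry.

    Handles folded continuation lines, '#' comments and '::' base64 values;
    no change records or URL values.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines:
        if not line.strip():                   # blank line ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):              # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        if current is None:
            current = {}
        current.setdefault(attr, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def normalize_dn(dn):
    """Case-insensitive, whitespace-insensitive DN comparison key."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def find_dangling(entries, existing_dns):
    """Return one finding per member DN that is not in existing_dns."""
    existing = {normalize_dn(d) for d in existing_dns}
    findings = []
    for e in entries:
        classes = [oc.lower() for oc in e.get("objectClass", [])]
        if "ipahbacrule" not in classes:
            continue
        rule = e.get("cn", ["?"])[0]
        is_allow = e.get("accessRuleType", ["allow"])[0].lower() == "allow"
        enabled = e.get("ipaEnabledFlag", ["TRUE"])[0].upper() == "TRUE"
        for attr in MEMBER_ATTRS:
            for dn in e.get(attr, []):
                if normalize_dn(dn) in existing:
                    continue
                findings.append({
                    "rule": rule, "attr": attr, "dn": dn,
                    # a stale DN on a live allow rule can be re-bound by a
                    # new object created under the same name
                    "severity": "high" if (is_allow and enabled) else "low",
                })
    return findings


if __name__ == "__main__":
    for f in find_dangling(parse_ldif(RULE_LDIF), EXISTING_DNS):
        print(f"{f['severity']:<5} rule={f['rule']} {f['attr']}: {f['dn']}")
```

Against a live server, feed the script the rules from an ldapsearch of the HBAC container and populate the existing set from a base-scope search of each member DN (a result of 32, "No such object", as in the report, is a dangling reference). Any high-severity finding should be cleaned up with hbacrule-remove-user / hbacrule-remove-host before a user or host of that name is ever recreated.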
This should be resolved when the patch in ticket https://fedorahosted.org/freeipa/ticket/110 gets applied.
master: d824eee8fa151751a6a0e6fae9a67abd3c5837f9
verified

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa-hbacrule-cli-043: Delete User Associated with a Rule
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: Modify rule Engineering usercat successful. Value:
:: [ PASS ] :: Modifying Engineering Rule's User Category
:: [ LOG ] :: EXECUTING: ipa hbacrule-add-user --users="dev" Engineering
:: [ LOG ] :: "dev" of type users successfully added to Rule Engineering
:: [ PASS ] :: Adding user dev to Engineering rule.
:: [ LOG ] :: "dev" is associated with rule Engineering
:: [ PASS ] :: Verifying user dev is associated with the Engineering rule.
:: [ PASS ] :: Deleting User associated with rule.
:: [ LOG ] :: WARNING: "dev" is NOT associated with rule Engineering
:: [ PASS ] :: Verifying user dev is no longer associated with the Engineering rule.
:: [ LOG ] :: Duration: 8s
:: [ LOG ] :: Assertions: 5 good, 0 bad
:: [ PASS ] :: RESULT: ipa-hbacrule-cli-043: Delete User Associated with a Rule
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa-hbacrule-cli-044: Delete Group Associated with a Rule
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: EXECUTING: ipa hbacrule-add-user --groups="dev_ugrp" Engineering
:: [ LOG ] :: "dev_ugrp" of type groups successfully added to Rule Engineering
:: [ PASS ] :: Adding user group dev_ugrp to Engineering rule.
:: [ LOG ] :: "dev_ugrp" is associated with rule Engineering
:: [ PASS ] :: Verifying user group dev_ugrp is associated with the Engineering rule.
:: [ LOG ] :: Group dev_ugrp deleted successfully.
:: [ PASS ] :: Deleting User Group associated with rule.
:: [ LOG ] :: WARNING: "dev_ugrp" is NOT associated with rule Engineering
:: [ PASS ] :: Verifying user group dev_ugrp is no longer associated with the Engineering rule.
:: [ LOG ] :: Duration: 7s
:: [ LOG ] :: Assertions: 4 good, 0 bad
:: [ PASS ] :: RESULT: ipa-hbacrule-cli-044: Delete Group Associated with a Rule
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa-hbacrule-cli-045: Delete Host Associated with a Rule
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: Modify rule Engineering hostcat successful. Value:
:: [ PASS ] :: Modifying Engineering Rule's Host Category
:: [ LOG ] :: EXECUTING: ipa hbacrule-add-host --hosts="dev_host.testrelm" Engineering
:: [ LOG ] :: "dev_host.testrelm" of type hosts successfully added to Rule Engineering
:: [ PASS ] :: Adding host dev_host.testrelm to Engineering rule.
:: [ LOG ] :: "dev_host.testrelm" is associated with rule Engineering
:: [ PASS ] :: Verifying host dev_host.testrelm is associated with the Engineering rule.
:: [ LOG ] :: Host dev_host.testrelm deleted successfully.
:: [ PASS ] :: Deleting Host associated with rule.
:: [ LOG ] :: WARNING: "dev_host.testrelm" is NOT associated with rule Engineering
:: [ PASS ] :: Verifying host dev_host.testrelm is no longer associated with the Engineering rule.
:: [ LOG ] :: Duration: 8s
:: [ LOG ] :: Assertions: 5 good, 0 bad
:: [ PASS ] :: RESULT: ipa-hbacrule-cli-045: Delete Host Associated with a Rule
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa-hbacrule-cli-046: Delete Host Group Associated with a Rule
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: Modify rule Engineering srchostcat successful. Value:
:: [ PASS ] :: Modifying Engineering Rule's Source Host Category
:: [ LOG ] :: EXECUTING: ipa hbacrule-add-host --hostgroups="dev_hosts" Engineering
:: [ LOG ] :: "dev_hosts" of type hostgroups successfully added to Rule Engineering
:: [ PASS ] :: Adding host group dev_hosts to Engineering rule.
:: [ LOG ] :: "dev_hosts" is associated with rule Engineering
:: [ PASS ] :: Verifying host group dev_hosts is associated with the Engineering rule.
:: [ LOG ] :: Host group dev_hosts deleted successfully.
:: [ PASS ] :: Deleting Host Group associated with rule.
:: [ LOG ] :: WARNING: "dev_hosts" is NOT associated with rule Engineering
:: [ PASS ] :: Verifying host group dev_hosts is no longer associated with the Engineering rule.
:: [ LOG ] :: HBAC rule Engineering deleted successfully.
:: [ PASS ] :: CLEANUP: Deleting Rule
:: [ LOG ] :: Duration: 9s
:: [ LOG ] :: Assertions: 6 good, 0 bad
:: [ PASS ] :: RESULT: ipa-hbacrule-cli-046: Delete Host Group Associated with a Rule

# rpm -qi ipa-server | head
Name        : ipa-server                   Relocations: (not relocatable)
Version     : 2.0.0                             Vendor: Red Hat, Inc.
Release     : 23.el6                        Build Date: Wed 20 Apr 2011 09:57:13 AM EDT
Install Date: Thu 19 May 2011 12:47:52 PM EDT      Build Host: x86-003.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: ipa-2.0.0-23.el6.src.rpm
Size        : 2565882                          License: GPLv3+
Signature   : RSA/8, Thu 21 Apr 2011 03:48:25 PM EDT, Key ID 199e2f91fd431d51
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server