[Freeipa-devel] multi-valued cn in groups and memberOf?
Pete Rowley
prowley at redhat.com
Wed Nov 14 21:09:39 UTC 2007
Rob Crittenden wrote:
> Pete Rowley wrote:
>> Rob Crittenden wrote:
>>> Pete.
>>>
>>> If we have a group with a multi-valued CN how does memberOf deal
>>> with that?
>>>
>>> Does it create a separate memberOf for each one? Or does it use only
>>> the "first" CN, whatever that means?
>>>
>>> So if I have cn=doctors,cn=quacks,cn=groups,...
>>>
>>> And a member: uid=spock,cn=accounts,...
>>>
>>> If I do a memberOf what will I get back? That spock is a member of
>>> doctors, or quacks or both?
>>>
>>> This has implications on doing RDN changes. If we drop a CN I need
>>> to know what to expect when it comes to group membership. The
>>> uniquemembers field will be the same, of course, but what about
>>> memberOf?
>> memberof uses the dn, it doesn't care about anything else. If you
>> drop a cn that is part of the rdn then a) you have performed a mod dn
>> op, and b) the referential integrity plugin will take care of the
>> change in uniquemember and c) the memberof plugin will take care of
>> it in memberof.
>>
>
> Hmm. So does this mean we shouldn't allow multi-valued groups then?
>
> I can see someone thinking they can use multiple cns as group aliases
> which won't work.

Why not? A cn doesn't have to be in the dn for it to be the name (or
alias) of the group. What might cause problems is that we implicitly
rely upon dn uniqueness to enforce cn uniqueness - multiple cns break
that and would require us to enable the attribute uniqueness plugin to
enforce uniqueness, which we cannot really do because it fails in an mmr
scenario. Single cn is probably better from that point of view, but we
can't enforce that in the DS (unless we write some plugin code).
I would say, single cn in groups from the ui for now and make a note for
the future that we need either a) an enhanced mmr attribute uniqueness
plugin, or b) to further constrain the attribute to single value with an
enforcement plugin. a) is a lot harder than b) but b) is likely to annoy
some people.
--
Pete
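
Added example (not from the thread, and not FreeIPA or 389-DS code): an in-memory model of the three behaviours Pete describes, so the effect of a multi-valued cn can be tried without a directory server. Everything in it is an assumption of the example: a flat dict of entries keyed by a normalised DN, simple "attr=value,attr=value" DNs with no escaping or multi-valued RDNs, memberOf recomputed from group DNs after each write (the memberOf plugin), member references rewritten on rename (the referential integrity plugin), and no attribute uniqueness plugin at all, which is the configuration the thread worries about. The DNs in demo() are constructed sample data.

```python
# Added example, not part of the original thread or of FreeIPA/389-DS.
# Toy model of: memberOf keyed on DN, referential integrity on modrdn,
# and DN uniqueness failing to cover non-RDN cn values.
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]


def norm_dn(dn: str) -> str:
    """Case-fold a DN and strip whitespace around its commas for comparison."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def split_rdn(dn: str) -> Tuple[str, str, str]:
    """Return (rdn_attr, rdn_value, parent_dn); assumes a simple single-valued RDN."""
    rdn, _, parent = dn.partition(",")
    attr, _, value = rdn.partition("=")
    return attr.strip().lower(), value.strip(), parent.strip()


class Directory:
    """Toy DS: memberOf plugin on, referential integrity on, attribute uniqueness off."""

    MEMBER_ATTRS = ("uniquemember", "member")

    def __init__(self) -> None:
        self.entries: Dict[str, Entry] = {}

    def add(self, dn: str, attrs: Dict[str, List[str]]) -> None:
        key = norm_dn(dn)
        if key in self.entries:
            raise ValueError("entryAlreadyExists: " + dn)  # the only uniqueness the DS enforces
        entry: Entry = {"dn": [dn]}
        for name, values in attrs.items():
            entry[name.lower()] = list(values)
        rdn_attr, rdn_value, _ = split_rdn(dn)
        if rdn_value not in entry.setdefault(rdn_attr, []):
            entry[rdn_attr].append(rdn_value)  # the RDN value must appear in the entry
        self.entries[key] = entry
        self._run_memberof()

    def get(self, dn: str) -> Entry:
        return self.entries[norm_dn(dn)]

    def modrdn(self, dn: str, new_rdn: str, delete_old_rdn: bool = True) -> str:
        """Rename an entry; dropping a cn that is the RDN is exactly this operation."""
        old_key = norm_dn(dn)
        entry = self.entries.pop(old_key)
        old_attr, old_value, parent = split_rdn(dn)
        new_attr, new_value, _ = split_rdn(new_rdn)
        new_dn = new_rdn + "," + parent
        if delete_old_rdn and old_value in entry.get(old_attr, []):
            entry[old_attr].remove(old_value)
        if new_value not in entry.setdefault(new_attr, []):
            entry[new_attr].append(new_value)
        entry["dn"] = [new_dn]
        self.entries[norm_dn(new_dn)] = entry
        # Referential integrity plugin: every member reference to the old DN is rewritten.
        for other in self.entries.values():
            for attr in self.MEMBER_ATTRS:
                if attr in other:
                    other[attr] = [new_dn if norm_dn(v) == old_key else v for v in other[attr]]
        self._run_memberof()
        return new_dn

    def _run_memberof(self) -> None:
        """memberOf plugin: derived from group DNs only; extra cn values never appear."""
        for e in self.entries.values():
            e.pop("memberof", None)
        for group in self.entries.values():
            for attr in self.MEMBER_ATTRS:
                for member_dn in group.get(attr, []):
                    member = self.entries.get(norm_dn(member_dn))
                    if member is not None:
                        member.setdefault("memberof", []).append(group["dn"][0])

    def cn_collisions(self, base: str) -> Dict[str, List[str]]:
        """cn values shared by more than one entry under base: what DN uniqueness misses."""
        seen: Dict[str, List[str]] = {}
        suffix = "," + norm_dn(base)
        for key, e in self.entries.items():
            if key.endswith(suffix):
                for cn in e.get("cn", []):
                    seen.setdefault(cn.lower(), []).append(e["dn"][0])
        return {cn: dns for cn, dns in seen.items() if len(dns) > 1}


def demo() -> Dict[str, object]:
    """Walk through the thread's scenario; all DNs are constructed sample data."""
    ds = Directory()
    groups, accounts = "cn=groups,dc=example,dc=com", "cn=accounts,dc=example,dc=com"
    spock = "uid=spock," + accounts
    for dn in (groups, accounts):
        ds.add(dn, {"objectclass": ["nsContainer"]})
    ds.add(spock, {"objectclass": ["posixAccount"]})
    doctors = "cn=doctors," + groups
    ds.add(doctors, {"objectclass": ["groupOfUniqueNames"],
                     "cn": ["doctors", "quacks"],  # multi-valued cn; "quacks" is not in the DN
                     "uniquemember": [spock]})
    staff = "cn=staff," + groups
    ds.add(staff, {"objectclass": ["groupOfUniqueNames"], "uniquemember": [doctors]})  # nests doctors by DN
    memberof_before = list(ds.get(spock)["memberof"])
    renamed = ds.modrdn(doctors, "cn=quacks")  # dropping the "doctors" cn is a modrdn
    nurses = "cn=nurses," + groups
    ds.add(nurses, {"objectclass": ["groupOfUniqueNames"], "cn": ["nurses", "quacks"]})  # DS accepts this
    return {
        "memberof_before": memberof_before,
        "renamed_dn": renamed,
        "memberof_after": list(ds.get(spock)["memberof"]),
        "group_cn_after": list(ds.get(renamed)["cn"]),
        "staff_uniquemember": list(ds.get(staff)["uniquemember"]),
        "collisions": ds.cn_collisions(groups),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running demo() shows the three points in order: spock's memberOf holds one DN for the doctors group, not one value per cn; after the rename both spock's memberOf and the nested reference in cn=staff follow the new DN; and the second group carrying cn=quacks is accepted because only its RDN is checked for uniqueness, which is what cn_collisions() reports and what an attribute uniqueness plugin would have to catch.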