[Freeipa-devel] multi-valued cn in groups and memberOf?

Pete Rowley prowley at redhat.com
Wed Nov 14 21:09:39 UTC 2007 

Rob Crittenden wrote:
> Pete Rowley wrote:
>> Rob Crittenden wrote:
>>> Pete.
>>>
>>> If we have a group with a multi-valued CN how does memberOf deal 
>>> with that?
>>>
>>> Does it create a separate memberOf for each one? Or does it use only 
>>> the "first" CN, whatever that means?
>>>
>>> So if I have cn=doctors,cn=quacks,cn=groups,...
>>>
>>> And a member: uid=spock,cn=accounts,...
>>>
>>> If I do a memberOf what will I get back? That spock is a member of 
>>> doctors, or quacks or both?
>>>
>>> This has implications on doing RDN changes. If we drop a CN I need 
>>> to know what to expect when it comes to group membership. The 
>>> uniquemembers field will be the same, of course, but what about 
>>> memberOf?
>> memberof uses the dn, it doesn't care about anything else. If you 
>> drop a cn that is part of the rdn then a) you have performed a mod dn 
>> op, and b) the referential integrity plugin will take care of the 
>> change in  uniquemember and c) the memberof plugin will take care of 
>> it in memberof.
>>
>
> Hmm. So does this mean we shouldn't allow multi-valued groups then?
>
> I can see someone thinking they can use multiple cns as group aliases 
> which won't work.
Why not? A cn doesn't have to be in the dn for it to be the name (or 
alias) of the group. What might cause problems is that we implicitly 
rely upon dn uniqueness to enforce cn uniqueness - multiple cn's breaks 
that and would require us to enable the attribute uniqueness plugin to 
enforce uniqueness, which we cannot really do because it fails in an mmr 
scenario. Single cn is probably better from that point of view, but we 
can't enforce that in the DS (unless we write some plugin code).

I would say, single cn in groups from the ui for now and make a note for 
the future that we need either a) an enhanced mmr attribute uniqueness 
plugin, or b) to further constrain the attribute to single value with an 
enforcement plugin. a) is a lot harder than b) but b) is likely to annoy 
some people.

-- 
Pete

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3241 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071114/3cf7b61d/attachment.bin>

More information about the Freeipa-devel mailing list