[Freeipa-devel] [PATCH] 798 Fix indirect member calculation

Rob Crittenden rcritten at redhat.com
Tue Jun 14 03:28:23 UTC 2011


Endi Sukma Dewata wrote:
> On 6/13/2011 6:00 PM, Rob Crittenden wrote:
>> Endi Sukma Dewata wrote:
>>> On 6/13/2011 2:45 PM, Rob Crittenden wrote:
>>>> Indirect membership is calculated by looking at each member and pulling
>>>> all the memberof out of it. What was missing was doing nested searches
>>>> on any members in that member group.
>>>>
>>>> So if group2 was a member of group1 and group3 was a member of group2 we
>>>> would miss group3 as being an indirect member of group1.
>>>>
>>>> I updated the nesting test to do deeper nested testing. I confirmed that
>>>> this test failed with the old code and works with the new.
>>>>
>>>> ticket https://fedorahosted.org/freeipa/ticket/1273
>>>
>>> NACK. If a user is an indirect member of a group via 2 different paths,
>>> the user will be listed twice. Here is a test scenario:
>>>
>>> Group 1 has 2 members: group 2 and group 3.
>>> User X is a member of both group 2 and group 3.
>>> Group 1's indirect members should only list the user X once. Currently
>>> it is listed twice.
>>
>> Patch and test case updated.
>
> NACK. If there's a circular membership the code will run into an
> infinite loop. Here's a test scenario:
>
> Group 1 has 2 members: group 2 and group 3.
> Group 2 is a member of group 3.
> Group 3 is a member of group 2.
> Run ipa group-show on group 1, the command doesn't return until it's
> killed.
>

I think the solution will be to deny creating circular groups.

rob
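
Added example, not part of the original message and not FreeIPA's code: a sketch of the traversal discussed in this thread, using a visited set so that a member reached by two paths is listed once and circular membership terminates, plus the add-time check that denying circular groups would need. The dict layout, function names and sample groups are assumptions, and indirect members are taken to be nested members that are not also direct members.

```python
from collections import deque

# Constructed sample data: group -> direct members (users have no entry).
NESTED = {"group1": ["group2"], "group2": ["group3"], "group3": ["group4"]}
TWO_PATHS = {"group1": ["group2", "group3"],
             "group2": ["userx"], "group3": ["userx"]}
CIRCULAR = {"group1": ["group2", "group3"],
            "group2": ["group3"], "group3": ["group2"]}


def indirect_members(group, direct):
    """Nested members of `group`, excluding its direct members (assumption).

    Every entry is expanded at most once, so two paths to the same member
    yield one result and a membership cycle cannot loop forever.
    """
    first_level = set(direct.get(group, ()))
    seen = first_level | {group}
    queue = deque(sorted(first_level))
    found = set()
    while queue:
        for member in direct.get(queue.popleft(), ()):
            if member not in seen:
                seen.add(member)
                found.add(member)
                queue.append(member)
    return sorted(found)


def would_create_cycle(parent, child, direct):
    """True if adding `child` as a member of `parent` would close a loop,
    i.e. `parent` is already reachable from `child`."""
    if parent == child:
        return True
    seen, stack = {child}, [child]
    while stack:
        for member in direct.get(stack.pop(), ()):
            if member == parent:
                return True
            if member not in seen:
                seen.add(member)
                stack.append(member)
    return False


if __name__ == "__main__":
    for name, data in (("nested", NESTED), ("two paths", TWO_PATHS),
                       ("circular", CIRCULAR)):
        print(name, indirect_members("group1", data))
```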



