[Freeipa-devel] MemberOf and Referential Integrity plugin failures cause abort of operation

Rich Megginson rmeggins at redhat.com
Tue Sep 15 13:18:50 UTC 2015 

On 09/15/2015 04:58 AM, Jan Cholasta wrote:
> On 15.9.2015 10:23, Tomas Babej wrote:
>> Hi,
>>
>> from DS 1.3.3, the memberOf and referential integrity plugins have been
>> converted to backend transaction plugins, which means that failures in
>> these plugins will propagate and cause abort of the operation that
>> triggered them. [1]
>>
>> I.e. in case of memberOf plugin, if a operation triggered an addition of
>> memberOf attribute, and that addition failed, the operation itself did
>> succeed in spite of this failure. This is no longer the case.

IMO the new transacted behavior is correct - the original operation and 
all of the triggered operations should succeed or fail together.

>>
>> We have been already hit by this issue in winsync agreement setup:
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1262315
>>
>> However, there is little special about this case and there might be
>> multiple such entries in IPA which are added as group members,
>> but do not contain an objectclass which allows memberOf attribute.
>>
>> So we need to step back and think - are there any other entries where
>> this change of behaviour will hit us?
>
> As far as ipalib is concerned, these are the objects which may have 
> the memberOf attribute (with object class providing it in parentheses):
>
>     group (netstedGroup)
>     hbacsvc (ipaHBACService)
>     host (ipaHost)
>     hostgroup (netstedGroup)
>     netgroup (ipaNISNetgroup)
>     privilege (nestedGroup)
>     role (nestedGroup)
>     service (ipaService)
>     sudocmd (NONE)
>     user (inetUser)
>
> so memberOf needs to be added to ipaSudoCmd.
>
> The config plugin lists memberOf as an operational attribute, which I 
> guess is no longer the case?

It should never have been an operational attribute.  Perhaps this was a 
"hack" to workaround the fact that there were objects/objectclasses 
missing memberOf?

>
> Also, memberOf is excluded from replication in 
> ipaserver/install/replication.py.
>
By design - all servers are expected to have the same memberOf plugin 
configuration, and add memberOf locally.

More information about the Freeipa-devel mailing list