[Freeipa-devel] [PATCH] Avoid listing a group as a memberOf itself

Nathan Kinder nkinder at redhat.com
Mon Apr 7 20:36:40 UTC 2008


Geert Jansen wrote:
> Nathan Kinder wrote:
>>>
>>> I'm not familiar with the directory server code at all, so forgive 
>>> me if this is obvious. Does your patch prevent memberships such as a 
>>> -> b -> a?
>> No, it doesn't prevent you from creating any sort of loop with your 
>> member attribute values.  The memberOf plug-in will detect loops to 
>> avoid recursive memberOf values though.
>
> Should we detect these kinds of loops to protect buggy clients that do 
> not expect this? I know the PADL nss_ldap has proper loop detection 
> for this but other OSes may not.
I thought about adding detection for this sort of thing, but I don't 
feel that the negative performance impact is worth the benefit.  We 
would need to trace through the grouping structure before accepting the 
change for all modifications to "member" attributes.  Depending on how 
complex the groupings are, this will take a bit of time.  The client 
would have to wait for this check before they get a result back since 
it's at the pre-operation stage.  Clients would also have to deal with 
us rejecting this type of modification, as we'd likely return a 
constraint violation error.

The loop will not cause any problems, other than causing you to really 
have one big group instead of two (in the a->b->a case at least).

-NGK
>
> Geert
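To make the a -> b -> a case discussed above concrete, here is an added example (not code from the thread or from the memberOf plug-in) that computes transitive memberOf values with loop detection, never lists an entry as a memberOf of itself, and shows the whole-structure loop check that the reply declines to run at the pre-operation stage. The group DNs and members are constructed for the example.

```python
"""Transitive memberOf with loop detection, modelled on the a -> b -> a case.
The directory content below is constructed for this example."""
from collections import deque

# Constructed sample: each group DN maps to the values of its "member" attribute.
# Groups a and b contain each other, which is the loop discussed in the thread.
SAMPLE_GROUPS = {
    "cn=a,ou=groups,dc=example,dc=com": ["cn=b,ou=groups,dc=example,dc=com"],
    "cn=b,ou=groups,dc=example,dc=com": [
        "cn=a,ou=groups,dc=example,dc=com",
        "uid=alice,ou=people,dc=example,dc=com",
    ],
    "cn=c,ou=groups,dc=example,dc=com": ["uid=bob,ou=people,dc=example,dc=com"],
}


def parents_index(groups):
    """Invert the member attribute: entry DN -> set of groups listing it directly."""
    idx = {}
    for group, members in groups.items():
        for m in members:
            idx.setdefault(m, set()).add(group)
    return idx


def member_of(entry, groups):
    """Transitive memberOf values for entry, walking upward through the groups.
    A visited set stops the walk when a loop such as a -> b -> a is hit, and the
    entry itself is dropped so a group is never listed as a memberOf of itself."""
    idx = parents_index(groups)
    seen, queue = set(), deque(idx.get(entry, ()))
    while queue:
        g = queue.popleft()
        if g in seen:
            continue  # already expanded: this is where a loop is cut off
        seen.add(g)
        queue.extend(idx.get(g, ()))
    seen.discard(entry)
    return sorted(seen)


def has_membership_loop(groups):
    """Pre-operation style check: does any group transitively contain itself?
    This walks the whole grouping structure, which is the cost the reply weighs
    against rejecting such modifications with a constraint violation."""
    for start in groups:
        stack, seen = list(groups[start]), set()
        while stack:
            m = stack.pop()
            if m == start:
                return True
            if m in seen:
                continue
            seen.add(m)
            stack.extend(groups.get(m, ()))
    return False
```

With the sample data, alice ends up a memberOf both a and b (effectively one big group), while a reports only b as its memberOf.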
