[Freeipa-devel] [PATCH] Avoid listing a group as a memberOf itself
nkinder at redhat.com
Mon Apr 7 20:36:40 UTC 2008
Geert Jansen wrote:
> Nathan Kinder wrote:
>>> I'm not familiar with the directory server code at all, so forgive
>>> me if this is obvious. Does your patch prevent memberships such as a
>>> -> b -> a?
>> No, it doesn't prevent you from creating any sort of loop with your
>> member attribute values. The memberOf plug-in will detect loops to
>> avoid recursive memberOf values though.
> Should we detect these kinds of loops to protect buggy clients that do
> not expect this? I know the PADL nss_ldap has proper loop detection
> for this but other OSes may not.
I thought about adding detection for this sort of thing, but I don't
feel that the negative performance impact is worth the benefit. We
would need to trace through the grouping structure before accepting the
change for all modifications to "member" attributes. Depending on how
complex the groupings are, this will take a bit of time. The client
would have to wait for this check before they get a result back since
it's at the pre-operation stage. Clients would also have to deal with
us rejecting this type of modification, as we'd likely return a
constraint violation error.
The loop will not cause any problems, other than causing you to really
have one big group instead of two (in the a->b->a case at least).
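As an added illustration (example code, not the patch itself and not the memberOf plug-in's own implementation), the following Python models the a -> b -> a case discussed above: a loop-tolerant memberOf expansion that terminates on a cycle and omits the group from its own memberOf, and the pre-operation reachability check that the reply declines to add on cost grounds. The group and user DNs are constructed for the example.

```python
"""Directory group membership modelled as a directed graph of 'member' links.

Constructed sample data (not from a real FreeIPA tree): each group DN maps to
the DNs listed in its 'member' attribute. Groups a and b list each other.
"""
from collections import deque

A_DN = "cn=a,cn=groups,dc=example,dc=com"
B_DN = "cn=b,cn=groups,dc=example,dc=com"
ALICE = "uid=alice,cn=users,dc=example,dc=com"
BOB = "uid=bob,cn=users,dc=example,dc=com"

# a -> b -> a loop, with one user directly in each group.
GROUPS = {
    A_DN: [B_DN, ALICE],
    B_DN: [A_DN, BOB],
}


def parents_of(groups):
    """Invert the member graph: entry DN -> set of groups listing it directly."""
    parents = {}
    for group, members in groups.items():
        for member in members:
            parents.setdefault(member, set()).add(group)
    return parents


def member_of(groups, dn):
    """Transitive memberOf for dn, tolerating loops.

    Breadth-first walk upward through 'member' links. The visited set means
    each group is expanded once, so an a -> b -> a loop terminates instead of
    recursing forever, and dn is removed from its own result so a group is
    never listed as a memberOf itself. Illustrative only; the real plug-in's
    algorithm may differ.
    """
    parents = parents_of(groups)
    seen = set()
    queue = deque(parents.get(dn, ()))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(parents.get(group, ()))
    seen.discard(dn)
    return seen


def would_create_loop(groups, group, new_member):
    """Pre-operation style check: would adding new_member to group close a cycle?

    A cycle appears exactly when 'group' is already reachable from new_member
    by following member links downward. This is the whole-structure traversal
    whose per-modify cost the thread argues is not worth paying.
    """
    stack = [new_member]
    seen = set()
    while stack:
        current = stack.pop()
        if current == group:
            return True
        if current in seen:
            continue
        seen.add(current)
        stack.extend(groups.get(current, ()))
    return False


if __name__ == "__main__":
    for dn in (A_DN, B_DN, ALICE, BOB):
        print(dn, "memberOf:", sorted(member_of(GROUPS, dn)))
    print("adding a to b in an acyclic tree closes a loop:",
          would_create_loop({A_DN: [B_DN]}, B_DN, A_DN))
```

Running the block shows the "one big group" outcome: alice and bob both end up memberOf a and b, while a is memberOf b only and b memberOf a only. The reachability check is what a pre-operation plug-in would have to run, and then return a constraint violation for, on every modification of `member` if loops were to be rejected.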