[Freeipa-devel] [PATCH] Avoid listing a group as a memberOf itself

Simo Sorce ssorce at redhat.com
Mon Apr 7 20:37:10 UTC 2008


On Mon, 2008-04-07 at 22:27 +0200, Geert Jansen wrote:
> Nathan Kinder wrote:
> >>
> >> I'm not familiar with the directory server code at all, so forgive me 
> >> if this is obvious. Does your patch prevent memberships such as a -> 
> >> b -> a?
> > No, it doesn't prevent you from creating any sort of loop with your 
> > member attribute values.  The memberOf plug-in will detect loops to 
> > avoid recursive memberOf values though.
> 
> Should we detect these kinds of loops to protect buggy clients that do 
> not expect this? I know the PADL nss_ldap has proper loop detection for 
> this but other OSes may not.

Maybe in the CLI utilities, but for v1 I think this will just be a
recommended best practice.

I do not expect group nesting to be used much anyway until v2 as some
clients may not support it at all. (and yes we probably need to document
this).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
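
Added example (not part of the original message, and not code from FreeIPA, the directory server or nss_ldap): a sketch of the two checks the thread discusses. The first is a pre-add check a CLI utility could run to refuse a membership that would close a loop such as a -> b -> a. The second is a client-side expansion that still terminates if a loop is already present. The function names, the dict-based directory and the short DNs are assumptions made for illustration.

```python
# Constructed sample data: group DN -> values of its "member" attribute.
# A real tool would read these from LDAP; the DNs are shortened placeholders.
SAMPLE = {
    "cn=a": ["cn=b", "uid=alice"],
    "cn=b": ["cn=c", "uid=bob"],
    "cn=c": ["uid=carol"],
}


def find_loop(members, group, new_member):
    """Return the membership path that adding new_member to group would
    close into a loop, or None if the addition is safe."""
    if new_member == group:
        return [group, group]
    # Walk everything reachable from new_member; reaching group means a loop.
    stack = [(new_member, [group, new_member])]
    seen = {new_member}
    while stack:
        node, path = stack.pop()
        for child in members.get(node, ()):
            if child == group:
                return path + [group]
            if child not in seen:
                seen.add(child)
                stack.append((child, path + [child]))
    return None


def expand_users(members, group):
    """Flatten nested membership into the set of non-group entries.
    The seen set makes this terminate even when the data contains a loop."""
    users, seen, stack = set(), {group}, [group]
    while stack:
        for child in members.get(stack.pop(), ()):
            if child in members:          # child is itself a group
                if child not in seen:
                    seen.add(child)
                    stack.append(child)
            else:
                users.add(child)
    return users


if __name__ == "__main__":
    print(find_loop(SAMPLE, "cn=b", "cn=a"))   # direct loop: a -> b -> a
    print(find_loop(SAMPLE, "cn=c", "cn=a"))   # indirect loop through b
    looped = dict(SAMPLE, **{"cn=c": ["uid=carol", "cn=a"]})
    print(sorted(expand_users(looped, "cn=a")))
```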



