[Freeipa-devel] [PATCH] Avoid listing a group as a memberOf itself
ssorce at redhat.com
Mon Apr 7 20:37:10 UTC 2008
On Mon, 2008-04-07 at 22:27 +0200, Geert Jansen wrote:
> Nathan Kinder wrote:
> >> I'm not familiar with the directory server code at all, so forgive me
> >> if this is obvious. Does your patch prevent memberships such as a ->
> >> b -> a?
> > No, it doesn't prevent you from creating any sort of loop with your
> > member attribute values. The memberOf plug-in will detect loops to
> > avoid recursive memberOf values though.
> Should we detect these kinds of loops to protect buggy clients that do
> not expect this? I know the PADL nss_ldap has proper loop detection for
> this but other OSes may not.
Maybe in the CLI utilities, but for v1 I think this will just be a
recommended best practice.

I do not expect group nesting to be used much anyway until v2 as some
clients may not support it at all. (and yes we probably need to document
Simo Sorce * Red Hat, Inc * New York
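
The loop handling discussed in this thread, sketched as an added example that is not part of the original message nor FreeIPA or directory server code: a client-side expansion of nested group members that tolerates an a -> b -> a loop, plus a pre-check a CLI utility could run before adding a member. The group data and the function names `expand_members` and `would_create_loop` are constructed for illustration.

```python
# Constructed sample directory: group DN -> list of "member" values.
# "cn=a" and "cn=b" form the a -> b -> a loop from the thread.
GROUPS = {
    "cn=a": ["cn=b", "uid=alice"],
    "cn=b": ["cn=a", "uid=bob"],
    "cn=c": ["cn=a"],
}


def expand_members(groups, start):
    """Return every direct and nested member of `start`.

    Each group is expanded at most once, so a membership loop ends the
    walk instead of recursing forever.
    """
    seen = {start}      # groups already queued for expansion
    members = set()
    stack = [start]
    while stack:
        group = stack.pop()
        for member in groups.get(group, []):
            if member == start:
                continue  # never report a group as a member of itself
            members.add(member)
            if member in groups and member not in seen:
                seen.add(member)
                stack.append(member)
    return members


def would_create_loop(groups, group, new_member):
    """True if adding `new_member` to `group` would make `group` reachable
    from itself (hypothetical check a CLI tool could run before the add)."""
    if new_member == group:
        return True
    return group in expand_members(groups, new_member)


if __name__ == "__main__":
    for dn in sorted(GROUPS):
        print(dn, "->", sorted(expand_members(GROUPS, dn)))
    print(would_create_loop({"cn=a": ["cn=b"], "cn=b": []}, "cn=b", "cn=a"))
```
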