[Freeipa-devel] [PATCH] Handle circular groupings in memberOf plug-in

Nathan Kinder nkinder at redhat.com
Fri Feb 15 00:29:02 UTC 2008


There were a couple of issues that caused circular groupings to crash in the
memberOf plug-in.

The first issue was caused by improper checking during a fix-up operation.
When a change in membership for a group needs to be processed, the
memberOf plug-in starts processing "member" values, tracing through nested
groups as needed to update all subordinate members.  Once it finds a
subordinate member, it updates its "memberOf" attribute, then it performs a
"fix-up" operation.  This fix-up operation looks for any other groups in
your database that have the group whose membership is being modified as a
member.  It's essentially looking for parent groups.  This fix-up operation
was always being performed, but there are a few cases where we do not want
to do it.  These cases are when the updating of the "memberOf" value failed
as well as when we just added a "memberOf" value to ourselves.

The other problem was revealed after fixing the first issue.  The memberOf
plug-in uses a linked list to keep track of groups we've seen when
traversing through groups to update membership.  We were always adding the
group being directly modified in the web interface when we should have been
adding the nested groups to this list.  This caused us to not be able to
detect indirect loops.

With the changes made in the patch, I'm able to do the following tests
without crashing ns-slapd (all of which would have caused crashes before my
fix, or were masked by the first part of the fix):

1 - Create a group with itself as a member.
2 - Create two groups with each other as members.
3 - Create a group like test 1, then create a new group with the first group
    as a member.
4 - Create three groups that are nested (1->2->3), then add the first group as
    a member of the third group.

-NGK
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-636-memberofcrash.patch
Type: text/x-patch
Size: 2182 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20080214/c6dd23ed/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3241 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20080214/c6dd23ed/attachment-0001.bin>
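
The loop-detection change described in the message, as an added example that is not part of the original post or the attached patch: a simplified C model in which `struct entry`, `update_group`, the `track_nested` switch and the depth guard are all hypothetical. When the seen-list holds only the directly modified group, a loop that does not pass through that group is never noticed; listing each nested group catches it.

```c
/* Added illustration: a simplified model, not code from the memberOf plug-in. */
#include <stdio.h>
#define MAX_DEPTH 64            /* guard so the "before" mode cannot run away */

struct entry {                  /* hypothetical stand-in for a directory entry */
    int nmembers;
    int member[4];              /* indexes of its "member" values */
    unsigned memberof;          /* bit g set: "memberOf" names group g */
};

struct seen {                   /* linked list of groups seen on this path */
    int group;
    const struct seen *prev;
};

static int is_seen(const struct seen *s, int g) {
    for (; s != NULL; s = s->prev)
        if (s->group == g) return 1;
    return 0;
}

/* Record `top` in "memberOf" of everything below `cur`.
 * track_nested=1 lists each nested group (the fix as described above);
 * track_nested=0 lists only `top`. Returns loops found, or -1 on runaway. */
static int walk(struct entry *dir, int top, int cur,
                const struct seen *path, int track_nested, int depth) {
    struct seen here = { track_nested ? cur : top, path };
    int loops = 0;
    if (depth > MAX_DEPTH) return -1;
    for (int i = 0; i < dir[cur].nmembers; i++) {
        int m = dir[cur].member[i];
        if (is_seen(&here, m)) { loops++; continue; }  /* circular: stop */
        dir[m].memberof |= 1u << top;
        int r = walk(dir, top, m, &here, track_nested, depth + 1);
        if (r < 0) return -1;
        loops += r;
    }
    return loops;
}

int update_group(struct entry *dir, int top, int track_nested) {
    return walk(dir, top, top, NULL, track_nested, 0);
}

int main(void) {
    /* Constructed data for test 3: group 0 contains itself, group 1 contains 0. */
    struct entry dir[2] = { { 1, { 0 }, 0 }, { 1, { 0 }, 0 } };
    printf("top only: %d\n", update_group(dir, 1, 0));
    printf("nested:   %d\n", update_group(dir, 1, 1));
}
```

The model tracks groups on the current path only, so a group reachable by two separate paths is processed twice but traversal still terminates.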

