[Freeipa-devel] [PATCH] Handle circular groupings in memberOf plug-in
Rob Crittenden
rcritten at redhat.com
Fri Feb 15 00:52:15 UTC 2008
Nathan Kinder wrote:
> There were a couple of issues that caused circular groupings to crash in
> the memberOf plug-in.
>
> The first issue was caused by improper checking during a fix-up operation.
> When a change in membership for a group needs to be processed, the
> memberOf plug-in starts processing "member" values, tracing through nested
> groups as needed to update all subordinate members. Once it finds a
> subordinate member, it updates its "memberOf" attribute, then it performs
> a "fix-up" operation. This fix-up operation looks for any other groups in
> your database that have the group whose membership is being modified as a
> member. It's essentially looking for parent groups. This fix-up operation
> was always being performed, but there are a few cases where we do not want
> to do it. These cases are when the updating of the "memberOf" value failed
> as well as when we just added a "memberOf" value to ourselves.
>
> The other problem was revealed after fixing the first issue. The memberOf
> plug-in uses a linked list to keep track of groups we've seen when
> traversing through groups to update membership. We were always adding the
> group being directly modified in the web interface when we should have
> been adding the nested groups to this list. This caused us to not be able
> to detect indirect loops.
>
> With the changes made in the patch, I'm able to do the following tests
> without crashing ns-slapd (all of which would have caused crashes before
> my fix, or were masked by the first part of the fix):
>
> 1 - Create a group with itself as a member.
> 2 - Create two groups with each other as members.
> 3 - Create a group like test 1, then create a new group with the first
> group as a member.
> 4 - Create three groups that are nested (1->2->3), then add the first
> group as a member of the third group.
>
> -NGK
>
Ack and push
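
The seen-list problem described in the quoted message, as an added example that is not the plug-in's code or part of the patch: a simplified in-memory model showing why recording only the directly modified group misses a loop that does not pass through it. The `group` and `seen` structs, `walk()`, `case3()`, `case4()` and the `MAX_DEPTH` guard are assumptions made for illustration, and test 4 reads "1->2->3" as group 1 containing group 2 containing group 3.

```c
#include <stdio.h>
#define MAX_MEMBERS 4
#define MAX_DEPTH 64 /* demo guard so the flawed mode terminates */

/* Constructed stand-in for group entries; not the plug-in's own types. */
struct group { struct group *members[MAX_MEMBERS]; };
/* Linked list of groups already seen on the current traversal path. */
struct seen { const struct group *g; const struct seen *next; };

static int was_seen(const struct seen *s, const struct group *g) {
    for (; s; s = s->next) if (s->g == g) return 1;
    return 0;
}

/* Walk nested members below g. track_nested=1 records each group entered;
 * track_nested=0 records only the directly modified group (top) every time.
 * Returns groups visited, or -1 if MAX_DEPTH is hit (undetected loop). */
static int walk(const struct group *g, const struct group *top,
                const struct seen *list, int track_nested, int depth) {
    if (depth > MAX_DEPTH) return -1;
    if (was_seen(list, g)) return 0; /* loop detected, stop descending */
    struct seen node = { track_nested ? g : top, list };
    int visited = 1;
    for (int i = 0; i < MAX_MEMBERS && g->members[i]; i++) {
        int n = walk(g->members[i], top, &node, track_nested, depth + 1);
        if (n < 0) return -1;
        visited += n;
    }
    return visited;
}

/* Test 3 in the message: a contains itself, b contains a; b is modified. */
static int case3(int track_nested) {
    struct group a = {{0}}, b = {{0}};
    a.members[0] = &a; b.members[0] = &a;
    return walk(&b, &b, NULL, track_nested, 0);
}
/* Test 4: g1 contains g2 contains g3, then g1 is added as a member of g3. */
static int case4(int track_nested) {
    struct group g1 = {{0}}, g2 = {{0}}, g3 = {{0}};
    g1.members[0] = &g2; g2.members[0] = &g3; g3.members[0] = &g1;
    return walk(&g3, &g3, NULL, track_nested, 0);
}

int main(void) {
    printf("test 3: top-only=%d nested=%d\n", case3(0), case3(1));
    printf("test 4: top-only=%d nested=%d\n", case4(0), case4(1));
    return 0;
}
```

In this model the top-only list still stops test 4, because that loop runs back through the modified group, but it never stops test 3, where the loop sits entirely inside a nested group.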