[Freeipa-devel] [PATCH] Handle circular groupings in memberOf plug-in

Rob Crittenden rcritten at redhat.com
Fri Feb 15 00:52:15 UTC 2008


Nathan Kinder wrote:
> There were a couple of issues that caused circular groupings to crash in
> the memberOf plug-in.
> 
> The first issue was caused by improper checking during a fix-up operation.
> When a change in membership for a group needs to be processed, the
> memberOf plug-in starts processing "member" values, tracing through nested
> groups as needed to update all subordinate members.  Once it finds a
> subordinate member, it updates its "memberOf" attribute, then it performs a
> "fix-up" operation.  This fix-up operation looks for any other groups in
> your database that have the group whose membership is being modified as a
> member.  It's essentially looking for parent groups.  This fix-up operation
> was always being performed, but there are a few cases where we do not want
> to do it.  These cases are when the updating of the "memberOf" value failed
> as well as when we just added a "memberOf" value to ourselves.
> 
> The other problem was revealed after fixing the first issue.  The memberOf
> plug-in uses a linked list to keep track of groups we've seen when
> traversing through groups to update membership.  We were always adding the
> group being directly modified in the web interface when we should have been
> adding the nested groups to this list.  This caused us to not be able to
> detect indirect loops.
> 
> With the changes made in the patch, I'm able to do the following tests
> without crashing ns-slapd (all of which would have caused crashes before my
> fix, or were masked by the first part of the fix):
> 
> 1 - Create a group with itself as a member.
> 2 - Create two groups with each other as members.
> 3 - Create a group like test 1, then create a new group with the first
>    group as a member.
> 4 - Create three groups that are nested (1->2->3), then add the first
>    group as a member of the third group.
> 
> -NGK
> 


Ack and push
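
The loop detection described in the quoted message, as an added example that is not the patch or the plug-in's source: a toy in-memory group graph is traversed while each nested group is pushed onto a linked list of groups already seen, so direct and indirect loops end the descent. The names `directory`, `seen`, `on_path`, `walk` and `run_case` are hypothetical, and the four groupings are constructed from the tests listed in the message.

```c
#include <string.h>

#define MAX_GROUPS 4

/* Constructed toy directory: member[g][m] != 0 means group m is a "member" value of group g. */
typedef struct { int n; int member[MAX_GROUPS][MAX_GROUPS]; } directory;

/* Linked list of the groups on the current traversal path (nodes live on the C stack). */
typedef struct seen { int group; const struct seen *next; } seen;

static int on_path(const seen *s, int g) {
    for (; s != NULL; s = s->next)
        if (s->group == g) return 1;
    return 0;
}

/* Trace the members of group g. reached[m] is set for every group found as a
 * direct or nested member; the return value is the number of loops cut short. */
static int walk(const directory *d, int g, const seen *path, int *reached) {
    seen here = { g, path };  /* record the group being traversed now, not only the top-level one */
    int loops = 0;
    for (int m = 0; m < d->n; m++) {
        if (!d->member[g][m]) continue;
        reached[m] = 1;
        if (on_path(&here, m)) { loops++; continue; }  /* direct or indirect loop: do not descend */
        loops += walk(d, m, &here, reached);
    }
    return loops;
}

/* Build one of the four groupings from the message and process a change to group `start`. */
static int run_case(int which, int start, int *reached) {
    directory d;
    memset(&d, 0, sizeof d);
    memset(reached, 0, MAX_GROUPS * sizeof *reached);
    switch (which) {
    case 1: d.n = 1; d.member[0][0] = 1; break;                  /* group is its own member */
    case 2: d.n = 2; d.member[0][1] = d.member[1][0] = 1; break; /* two groups, each in the other */
    case 3: d.n = 2; d.member[0][0] = d.member[1][0] = 1; break; /* group 1 holds self-member group 0 */
    case 4: d.n = 3; d.member[0][1] = d.member[1][2] = d.member[2][0] = 1; break; /* nested, then first added to third */
    default: return -1;
    }
    return walk(&d, start, NULL, reached);
}
```

In case 3, starting at group 1, the loop sits entirely in nested group 0; a list holding only the top-level group would never match it and the recursion would not end.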