[Freeipa-devel] Ticket #2866 - referential integrity in IPA

Rob Crittenden rcritten at redhat.com
Mon Aug 27 20:32:12 UTC 2012


Rich Megginson wrote:
> On 08/27/2012 10:39 AM, John Dennis wrote:
>> Just out of curiosity, I saw something this weekend while testing and
>> I'm wondering if it's expected behavior or if referential integrity
>> would address it.
>>
>> I was able to add a non-existent user to a group. Shouldn't that have
>> been an error? Do we check for that in the ldap pre callback? Do we
>> intend for referential integrity to catch those sorts of things?
>
> No, no, and no.
>
>>
>> Or do we allow non-existent users to be members of group for some reason?
>>
> Yes, but not for some reason, but because it is allowed by LDAP.

IPA is supposed to prevent this; we don't allow non-users to be members
of groups. I'd recommend looking for the LDAP logs of when this add
occurred.

rob



