When memberOf nesting was added, it was added for the ipa use case. However, trying to use this in pure ds results in
ldap_modify: Object class violation (65) Error at: cn=some_entitlement,dc=example,dc=com
This is because given a set of groups and users like:
dn: uid=user,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: inetUser
uid: user
memberOf: cn=some_company,dc=example,dc=com

dn: cn=some_company,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
cn: some_company
member: uid=user,dc=example,dc=com

dn: cn=some_entitlement,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
cn: some_entitlement
Attempting to add cn=some_company as a "member" of some_entitlement fails because memberOf is not valid on groupOfNames. The only types in the base schema that allow this are inetUser and inetAdmin, neither of which really matches here.
In order to allow nested groups in a straight 389-ds install, we need something which allows MemberOf on those objects. I think we should add a schema objectClass such as:
objectClasses: ( OID NAME 'nsNestedGroup' DESC 'Allow group nesting in ns-slapd' SUP top AUXILIARY MAY ( memberOf ) X-ORIGIN '389 Directory Server Project' )
This may somehow be related to http://directory.fedoraproject.org/docs/389ds/design/memberof-auto-add-oc.html
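The following is an added illustration, not code from this ticket or from 389-ds-base itself. It mimics, in a few lines of Python, the schema check ns-slapd applies when the memberOf plugin writes memberOf onto an entry: the three entries above are parsed from LDIF, a toy schema (constructed here, far smaller than the real one) says which attributes each objectClass permits, and nesting some_company under some_entitlement is attempted once on the plain groupOfNames entry and once after the auxiliary class discussed in this thread (called nsMemberOf, as the later comment suggests) is added to it. The real server reports the violation against the entry the client modified; here the check is run on the member entry that would receive memberOf, which is where the invalid attribute actually lands.

```python
import copy

# Constructed toy schema: objectClass -> attributes it permits (MUST and MAY merged).
# Only what this ticket needs is modelled; the real 389-ds schema is far larger.
SCHEMA = {
    "top": {"objectClass"},
    "account": {"uid", "description"},
    "inetUser": {"uid", "memberOf", "inetUserStatus"},
    "groupOfNames": {"cn", "member", "description"},
    # Auxiliary class proposed in this ticket (assumed name, per the rename comment).
    "nsMemberOf": {"memberOf"},
}

# The entries from the ticket, as LDIF (no folded lines, no base64 values).
LDIF = """\
dn: uid=user,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: inetUser
uid: user
memberOf: cn=some_company,dc=example,dc=com

dn: cn=some_company,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
cn: some_company
member: uid=user,dc=example,dc=com

dn: cn=some_entitlement,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
cn: some_entitlement
"""


def parse_ldif(text):
    """Parse the simple LDIF subset above into {dn: {attribute: [values]}}."""
    entries = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            current = None          # blank line ends the entry
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip(), value.strip()
        if attr.lower() == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def schema_violations(entry):
    """Attributes present on the entry that none of its objectClasses permit."""
    allowed = {"objectClass"}
    for oc in entry.get("objectClass", []):
        allowed |= SCHEMA.get(oc, set())
    return sorted(a for a in entry if a not in allowed)


def add_member(entries, group_dn, member_dn):
    """Mimic the memberOf plugin: add member to the group, memberOf to the member,
    then run the schema check. Returns (ok, violations, resulting entries);
    on a violation the original entries are returned untouched (err 65)."""
    trial = copy.deepcopy(entries)
    trial[group_dn].setdefault("member", []).append(member_dn)
    trial[member_dn].setdefault("memberOf", []).append(group_dn)
    violations = schema_violations(trial[member_dn])
    if violations:
        return False, violations, entries
    return True, [], trial


def demo():
    """Nest some_company under some_entitlement, before and after the fix."""
    entries = parse_ldif(LDIF)
    entitlement = "cn=some_entitlement,dc=example,dc=com"
    company = "cn=some_company,dc=example,dc=com"
    # 1. Plain groupOfNames: memberOf is not permitted, so the modify is rejected.
    ok_before, bad_before, _ = add_member(entries, entitlement, company)
    # 2. Add the auxiliary class to the group, then the same nesting succeeds.
    entries[company]["objectClass"].append("nsMemberOf")
    ok_after, bad_after, result = add_member(entries, entitlement, company)
    return ok_before, bad_before, ok_after, bad_after, result


if __name__ == "__main__":
    ok1, bad1, ok2, bad2, result = demo()
    print("without nsMemberOf:", "ok" if ok1 else "object class violation on " + ", ".join(bad1))
    print("with nsMemberOf:   ", "ok" if ok2 else "object class violation on " + ", ".join(bad2))
```

The user entry passes the check as-is because inetUser permits memberOf, which is exactly why user-to-group membership worked before this ticket while group-to-group nesting did not.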
Metadata Update from @tbordaz: - Issue set to the milestone: 1.3.6 backlog
Metadata Update from @firstyear: - Issue assigned to firstyear
Sure, we could use it like that. I guess if we rename it to say nsMemberOf, then it could apply to users and groups automatically.
Metadata Update from @firstyear: - Issue close_status updated to: None
Attachment: 0001-Ticket-48985-Add-schema-for-nested-groups-to-work-ou.patch
Assigned from rhanana, will commit once this is acked.
Metadata Update from @firstyear: - Custom field reviewstatus adjusted to review
Indentation issue again, otherwise ack
Metadata Update from @mreynolds: - Custom field reviewstatus adjusted to ack (was: review)
commit 0c1d8f16c4f6c45dd83b3f2ecd4221b40ed8ada3 To ssh://git@pagure.io/389-ds-base.git 0804c43..620d037 master -> master
Metadata Update from @firstyear: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/2044
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: fixed)