freeipa

Clone
Source Code
GIT

#1533 Indirect members doesn't appear immediately after enrollment
Closed: Fixed None Opened 12 years ago by edewata.

Closed: Fixed
Reopen Issue

There is a delay between enrolling a group into another group and the time when the members of the first group appear as indirect members of the second group.

Here's the result on a rather slow VM:
- 1 member: immediately
- 250 members: 45 seconds
- 500 members: 2 minute and 45 seconds

This could be a problem for groups with large number of users. It could also be a problem for operations that rely on the accuracy of the indirect member list.

Steps to reproduce:

  1. Verify the parent group is empty:

    % ipa group-show editors
    Group name: editors
    Description: Limited admins who can edit other users
    GID: 93200002

  2. Add a child group:

    % ipa group-add-member editors --groups=ipausers
    Group name: editors
    Description: Limited admins who can edit other users
    GID: 93200002
    Member groups: ipausers

  3. Periodically check the parent group:

    % ipa group-show editors
    Group name: editors
    Description: Limited admins who can edit other users
    GID: 93200002
    Member groups: ipausers

  4. After some time the indirect members will appear:

    % ipa group-show editors
    Group name: editors
    Description: Limited admins who can edit other users
    GID: 93200002
    Member groups: ipausers
    Indirect Member users: tuser, dmontes, sroberson, vmendoza, mvang, arhodes,
    ...

Unfortunately there is nothing we can do to fix this right now. The problem is that memberOf run as a postop plugin in 389-ds which means that it executes after the LDAP data has been returned to the client.

What this means for us is as far as we know everything is done so we return the results we have. In the case of indirect members we have no way of knowing if an indirect membership may occur so have nothing to wait for.

The long term plans for this rely on 389-ds adding a new plugin type, see https://bugzilla.redhat.com/show_bug.cgi?id=683241

Closing as wontfix but it is really cantfix.

Reopening. I think we should document this and set the right expectations that it is a known behavior.

Rename component.

Metadata Update from @edewata:
- Issue assigned to elladeon
- Issue set to the milestone: FreeIPA 2.1.1 (bug fixing)
7 years ago

Login to comment on this ticket.

Metadata
None
None
None
normal
None
None
None
None
defect
None
None
Documentation
None
0
None
None
None
None
0
None
None
None
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.