#963 Managed netgroups should be invisible
Closed: Fixed None Opened 13 years ago by edewata.

Managed netgroups should be invisible, but currently they appear in IPA command results.

Steps to reproduce:

1. Create a host group:

    ipa hostgroup-add testhostgroup

   This will create a managed netgroup with the same name.

2. Search netgroups:

    ipa netgroup-find

3. Add a host into the host group:

    ipa hostgroup-add-member testhostgroup --hosts=test.example.com

4. View host details:

    ipa host-show test.example.com

Actual result:
- In step #2 the managed netgroup appears in the search results.
- In step #4 the managed netgroup appears in the "Member of netgroups" list.

Expected result:
- The managed netgroup should not appear in any IPA command results.


Yes, this needs to be fixed as specced. Propose a blocker.

Patch attached to address the filtering of netgroup results.

Item 4 will be addressed in ticket 966 which calls for a new attribute type: indirectmemberOf to represent inherited membership in a group.
https://fedorahosted.org/freeipa/ticket/963

I installed the patch and re-ran the test described in the original bug description. Some comments:

  1. The patch changes the API, so in order to build correctly the API.txt needs to be updated by running the makeapi script.

  2. The patch does fix the issue with step #2 in the original bug description. The managed netgroups no longer appear in netgroup-find.

  3. Just out of curiosity, I tried adding a netgroup with the same name as the hostgroup. I expected it to conflict with the managed netgroup, but it actually worked. Searching the directory will return 2 netgroups with the same name:

    % ldapsearch -x -D "cn=Directory Manager" -w Secret123 -b "dc=ipa" "(&(cn=testhostgroup)(objectClass=nisNetgroup))"

    dn: cn=testhostgroup,cn=ng,cn=compat,dc=ipa
    objectClass: nisNetgroup
    objectClass: top
    cn: testhostgroup

    dn: cn=testhostgroup,cn=ng,cn=compat,dc=ipa
    objectClass: nisNetgroup
    objectClass: top
    nisNetgroupTriple: (test.example.com,-,idm.lab.bos.redhat.com)
    cn: testhostgroup

Deleting the duplicate netgroup will fail:

    % ipa netgroup-del testhostgroup
    ipa: ERROR: Server is unwilling to perform: Deleting a managed entry is not allowed.
    It needs to be manually unlinked first.
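An audit check for the name collision described in the comment above, as an added example that is not part of the ticket or of FreeIPA's code: it parses LDIF such as the ldapsearch output and reports every `cn` carried by more than one `nisNetgroup` entry. The sample LDIF is constructed from the output quoted in the ticket; the host group entry, `othergroup`, and the function names are assumptions.

```python
import base64
from collections import defaultdict

# Constructed sample modelled on the ldapsearch output quoted in the ticket,
# plus a host group entry and an unrelated netgroup that must not be reported.
SAMPLE_LDIF = """\
dn: cn=testhostgroup,cn=hostgroups,cn=accounts,dc=ipa
objectClass: ipaHostGroup
cn: testhostgroup

dn: cn=testhostgroup,cn=ng,cn=compat,dc=ipa
objectClass: nisNetgroup
cn: testhostgroup

dn: cn=testhostgroup,cn=ng,cn=compat,dc=ipa
objectClass: nisNetgroup
nisNetgroupTriple: (test.example.com,-,idm.lab.bos.redhat.com)
cn: testhostgroup

dn: cn=othergroup,cn=ng,cn=compat,dc=ipa
objectClass: nisNetgroup
cn: othergroup
"""

def parse_ldif(text):
    """Yield one {lowercased attribute: [values]} dict per LDIF entry."""
    # Unfold continuation lines: a line starting with one space continues the previous one.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    for block in text.split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue  # comments and blank lines
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry[attr.strip().lower()].append(value.strip())
        if "dn" in entry:  # skips ldapsearch trailer blocks such as "result: 0 Success"
            yield dict(entry)

def colliding_netgroups(text):
    """Return {cn: [entries]} for each cn carried by more than one nisNetgroup entry."""
    by_cn = defaultdict(list)
    for entry in parse_ldif(text):
        if "nisnetgroup" not in {c.lower() for c in entry.get("objectclass", [])}:
            continue
        for cn in entry.get("cn", []):
            by_cn[cn.lower()].append(entry)
    return {cn: found for cn, found in by_cn.items() if len(found) > 1}
```

Comparison is case-insensitive on both `objectClass` and `cn`, so `TestHostGroup` and `testhostgroup` count as the same name.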

The issue in step #1 (netgroup-find) and item #1 (API.txt) have been fixed in the following patch:
- master: d781dbd

Fix for the duplicate netgroup issue:

master: 27532f5

Metadata Update from @edewata:
- Issue assigned to jraquino
- Issue set to the milestone: FreeIPA 2.0.2 RC2 (bug fixing)

7 years ago
