On Tue, Nov 27, 2012 at 05:56:03PM +0100, Jakub Hrozek wrote:
> On Mon, Nov 26, 2012 at 10:42:17PM +0100, Jakub Hrozek wrote:
> > On Mon, Nov 26, 2012 at 12:00:44AM +0100, Jakub Hrozek wrote:
> > >
> > > https://fedorahosted.org/sssd/ticket/1668
> > >
> > > The memberof plugin did only expand the ghost users attribute to
> > > parents when adding a nested group, but didn't implement the reverse
> > > operation.
> > >
> > > This bug resulted in users being reported as group members even
> > > after the direct parent went away as the expanded ghost attributes were
> > > never removed from the parent entry.
> > >
> > > There seems to be a lot of similarity between memberuid and ghost
> > > attributes in the memberof plugin. Maybe the code would benefit from
> > > some more generic functions? But given the time constraints, I would
> > > prefer the refactoring to happen post-1.9.3.
> >
> > We had a long discussion on the IRC with Simo. The tl;dr version is that
> > we should also expire parent groups when deleting their ghost attributes
> > to make sure that if the deleted attribute was in fact a direct member
> > of the parent group in addition to being inherited from the nested
> > group, the direct membership would be updated on the next lookup.
> One more iteration. We need to be forgiving on "No such attribute"
> errors during delete as the attribute on a parent group might have been
> already removed by a modify or delete operation earlier.
> This can happen when the ghost was both indirect and direct.

This patch has been included in (and superseded by) the thread called:
"[PATCH] Ghost user related fixes to the memberof plugin"
in order to make the dependencies between patches easier to resolve.