On Mon, Nov 26, 2012 at 10:42:17PM +0100, Jakub Hrozek wrote:
On Mon, Nov 26, 2012 at 12:00:44AM +0100, Jakub Hrozek wrote:
> The memberof plugin did only expand the ghost users attribute to
> parents when adding a nested group, but didn't implement the reverse.
> This bug resulted in users being reported as group members even
> after the direct parent went away as the expanded ghost attributes were
> never removed from the parent entry.
> There seems to be a lot of similarity between memberuid and ghost
> attributes in the memberof plugin. Maybe the code would benefit from
> some more generic functions? But given the time constraints, I would
> prefer the refactoring to happen post-1.9.3.
We had a long discussion on IRC with Simo. The tl;dr version is that
we should also expire parent groups when deleting their ghost attributes
to make sure that if the deleted attribute was in fact a direct member
of the parent group in addition to being inherited from the nested
group, the direct membership would be updated on the next lookup.
One more iteration. We need to be forgiving on "No such attribute"
errors during delete as the attribute on a parent group might have been
already removed by a modify or delete operation earlier.
This can happen when the ghost was both indirect and direct.