On Mon, Nov 26, 2012 at 10:42:17PM +0100, Jakub Hrozek wrote:
On Mon, Nov 26, 2012 at 12:00:44AM +0100, Jakub Hrozek wrote:
https://fedorahosted.org/sssd/ticket/1668
The memberof plugin only expanded the ghost users attribute to parents when adding a nested group, but didn't implement the reverse operation.
This bug resulted in users being reported as group members even after the direct parent went away as the expanded ghost attributes were never removed from the parent entry.
There seems to be a lot of similarity between memberuid and ghost attributes in the memberof plugin. Maybe the code would benefit from some more generic functions? But given the time constraints, I would prefer the refactoring to happen post-1.9.3.
We had a long discussion on the IRC with Simo. The tl;dr version is that we should also expire parent groups when deleting their ghost attributes to make sure that if the deleted attribute was in fact a direct member of the parent group in addition to being inherited from the nested group, the direct membership would be updated on the next lookup.
One more iteration. We need to be forgiving on "No such attribute" errors during delete as the attribute on a parent group might have been already removed by a modify or delete operation earlier.
This can happen when the ghost was both indirect and direct.
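As an added illustration (not SSSD's code, and not part of this thread), the following in-memory model shows the three points discussed above: expanding a nested group's ghost users to all ancestors, the reverse operation that removes them again, tolerating an already-missing value (the "No such attribute" case, modelled here with set.discard), and expiring the parents so that a ghost that was also a direct member is restored on the next lookup. The Group class, the server dict and all function names are constructed for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    name: str
    ghost: set = field(default_factory=set)    # ghost users stored on this entry
    parents: set = field(default_factory=set)  # direct parent group names
    expired: bool = False                      # forces a re-fetch on next lookup

def ancestors(groups, name):
    """Transitive parents: every entry whose ghost attribute mirrors this group's."""
    seen, todo = set(), list(groups[name].parents)
    while todo:
        p = todo.pop()
        if p not in seen:
            seen.add(p)
            todo.extend(groups[p].parents)
    return seen

def add_nested_group(groups, parent, child):
    """Nesting a child expands its ghost users to the parent and all ancestors."""
    groups[child].parents.add(parent)
    for anc in {parent} | ancestors(groups, parent):
        groups[anc].ghost |= groups[child].ghost

def remove_nested_group(groups, parent, child):
    """Reverse operation: drop the child's ghosts from every ancestor and expire them."""
    targets = {parent} | ancestors(groups, parent)
    groups[child].parents.discard(parent)
    for anc in targets:
        for user in groups[child].ghost:
            groups[anc].ghost.discard(user)  # tolerate "no such attribute": no error if absent
        groups[anc].expired = True           # direct memberships are re-fetched on next lookup

def lookup(groups, name, server):
    """Group lookup: an expired entry re-reads its direct ghosts from the (constructed) server."""
    g = groups[name]
    if g.expired:
        g.ghost |= server.get(name, set())
        g.expired = False
    return set(g.ghost)

def demo():
    # Constructed data: alice is BOTH a direct ghost of "top" and a ghost of "nested".
    server = {"top": {"alice"}, "nested": {"alice", "bob"}}
    groups = {"top": Group("top", {"alice"}), "nested": Group("nested", {"alice", "bob"})}
    add_nested_group(groups, "top", "nested")
    after_add = set(groups["top"].ghost)          # {"alice", "bob"}
    remove_nested_group(groups, "top", "nested")
    after_remove = set(groups["top"].ghost)       # set(): alice dropped with the nested group
    after_lookup = lookup(groups, "top", server)  # {"alice"}: expiry restores direct membership
    return after_add, after_remove, after_lookup
```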