[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#6970) OpenLDAP 2.4.25 MemberOf + AutoGroup user has stale "memberof" attributes for target group after removal from trigger group

ryan@nardis.ca wrote:
> As I understand it, Gerry's use case is: we have some groups, we want
> an autogroup containing the union of their members, and we want
> memberOf to accurately reflect both the manual and automatic group
> memberships. I think that's a reasonable thing to want; especially
> since the memberOf part is impossible with dynlist.
> Config for these tests: dyngroup schema with groupOfURLs modified to
> allow 'member' as per autogroup README, plus:
> dn: olcOverlay={1}memberof,olcDatabase={1}mdb,cn=config
> objectClass: olcMemberOf
> olcMemberOfGroupOC: groupOfURLs
> dn: olcOverlay={2}autogroup,olcDatabase={1}mdb,cn=config
> objectClass: olcAutomaticGroups
> olcAGattrSet: groupOfURLs memberURL member
> On Wed, Jun 4, 2014 at 12:24 PM, Ryan Tandy <ryan@nardis.ca> wrote:
>> Adding a new entry that triggers an autogroup member to be added: I
>> don't get a crash or deadlock, but the new entry doesn't have a
>> memberOf attribute. It looks like the internal Modify adding the
>> member happens before the Add completes, so memberof tries to add
>> memberOf to an entry that doesn't exist yet.
> slapadd:
> dn: cn=autogroup,dc=example,dc=com
> objectClass: groupOfURLs
> memberURL: ldap:///dc=example,dc=com??one?(objectClass=account)
> and then ldapadd:
> dn: uid=user,dc=example,dc=com
> objectClass: account
> uid: user
> The new entry doesn't gain a memberOf attr as expected.

Running slapd with debug output clearly shows that memberOf tried to modify 
the target entry before mdb_add ever added the entry.

The autogroup overlay is completely broken in its design. It is firing off 
side-effects before the main operation completes; doing so is stupid/wrong 
since the main operation may fail for legitimate reasons (e.g. access control 
checks). autogroup should be plugging into the overlay chain from the response 
side, so it only acts after the main operation has already succeeded.

> Minor nitpicks: if you give autogroup's olcAGattrSet exactly two
> arguments, slapadd crashes in ag_cfgen (autogroup.c:1761); and if you
> omit the filter from memberURL, i.e.
> memberURL: ldap:///cn=staticgroup,dc=example,dc=com?member?base?
> then slapd crashes in autogroup_modify_entry (autogroup.c:1381) while
> refreshing memberships. Ideally those would return an error instead of
> segfaulting.
> I'm also wondering, should autogroup/README perhaps recommend
> groupOfNames and labeledURI instead of groupOfURLs and member?

Patches welcome.
> hope this helps,
> Ryan

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/