When a command that is currently attached to a rule is deleted, this does not affect the rule. The rule still contains the DN of the deleted command.
A lot more detail is needed.
I can look at it and provide more details.
As pbrezine reported, the problem here is that when you delete a SUDO command which is added as a member to any SUDO rule, the non-existent DN stays on the SUDO rule object:

```
# ipa sudocmd-add /usr/bin/yum
# ipa sudorule-add foo
# ipa sudorule-add-allow-command foo --sudocmds=/usr/bin/yum
# ipa sudorule-show foo --all --raw
  dn: ipauniqueid=90a37188-c1c3-11e1-a6b0-001a4a104e23,cn=sudorules,cn=sudo,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  cn: foo
  ipaenabledflag: TRUE
  memberuser: uid=admin,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  ipauniqueid: 90a37188-c1c3-11e1-a6b0-001a4a104e23
>>memberallowcmd: sudocmd=/usr/sbin/yum,cn=sudocmds,cn=sudo,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  objectclass: ipaassociation
  objectclass: ipasudorule
```
Now I delete the SUDO command and show the SUDO rule again:
```
# ipa sudocmd-del /usr/sbin/yum
# ipa sudorule-show foo --all --raw
  dn: ipauniqueid=90a37188-c1c3-11e1-a6b0-001a4a104e23,cn=sudorules,cn=sudo,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  cn: foo
  ipaenabledflag: TRUE
  memberuser: uid=admin,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  ipauniqueid: 90a37188-c1c3-11e1-a6b0-001a4a104e23
>>memberallowcmd: sudocmd=/usr/sbin/yum,cn=sudocmds,cn=sudo,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  objectclass: ipaassociation
  objectclass: ipasudorule
```

The memberallowcmd attribute now contains a non-existent DN. There are several ways to fix this:

1. Update the sudocmd-del and sudocmdgroup-del commands to either report an error or clean member attributes when they are set in a SUDO rule
2. If possible, update our memberOf plugin to also handle this type of membership attributes
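As an added example (not code from this ticket or from FreeIPA), the following offline Python audit parses a small LDIF snapshot constructed from the attribute values shown above, reports sudo rule member attributes whose DN no longer resolves to an entry, and contrasts a plain delete of the sudocmd entry (what produced the dangling value) with a delete that also strips references, which is the behaviour the referential integrity approach is meant to provide. The user and sudocmd entry contents, the function names and the list of member attributes checked are assumptions.

```python
"""Offline audit for dangling member DNs in FreeIPA sudo rules.

Added example, not FreeIPA code. The LDIF below is constructed from the
values in the ticket; the user and sudocmd entries are assumptions.
"""
import copy

# Assumed set of sudo rule attributes that hold DNs of other entries
MEMBER_ATTRS = ("memberallowcmd", "memberdenycmd", "memberuser", "memberhost")

YUM_DN = "sudocmd=/usr/sbin/yum,cn=sudocmds,cn=sudo,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com"

# Constructed snapshot of the directory *before* `ipa sudocmd-del /usr/sbin/yum`
SAMPLE_LDIF = """
dn: uid=admin,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
uid: admin
objectclass: person

dn: sudocmd=/usr/sbin/yum,cn=sudocmds,cn=sudo,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
sudocmd: /usr/sbin/yum
objectclass: ipasudocmd

dn: ipauniqueid=90a37188-c1c3-11e1-a6b0-001a4a104e23,cn=sudorules,cn=sudo,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
cn: foo
ipaenabledflag: TRUE
memberuser: uid=admin,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
memberallowcmd: sudocmd=/usr/sbin/yum,cn=sudocmds,cn=sudo,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
objectclass: ipaassociation
objectclass: ipasudorule
"""


def parse_ldif(text):
    """Minimal LDIF parser: 'attr: value' lines, blank line ends an entry.
    Returns a list of dicts mapping lower-cased attribute -> list of values."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def normalize_dn(dn):
    """Case-insensitive DN comparison key with whitespace around RDNs removed."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def find_dangling(entries, member_attrs=MEMBER_ATTRS):
    """Return (rule_dn, attribute, value) for every member DN on an
    ipasudorule entry that does not name an existing entry."""
    existing = {normalize_dn(e["dn"][0]) for e in entries if "dn" in e}
    dangling = []
    for e in entries:
        if "ipasudorule" not in {oc.lower() for oc in e.get("objectclass", [])}:
            continue
        for attr in member_attrs:
            for value in e.get(attr, []):
                if normalize_dn(value) not in existing:
                    dangling.append((e["dn"][0], attr, value))
    return dangling


def delete_entry_naive(entries, dn):
    """Remove only the entry itself; references elsewhere are left behind."""
    target = normalize_dn(dn)
    return [copy.deepcopy(e) for e in entries if normalize_dn(e["dn"][0]) != target]


def delete_entry_with_referint(entries, dn, member_attrs=MEMBER_ATTRS):
    """Remove the entry and strip every member value that pointed at it,
    the cleanup a referential-integrity style hook performs on delete."""
    target = normalize_dn(dn)
    result = []
    for e in copy.deepcopy(entries):
        if normalize_dn(e["dn"][0]) == target:
            continue
        for attr in member_attrs:
            if attr in e:
                e[attr] = [v for v in e[attr] if normalize_dn(v) != target]
                if not e[attr]:
                    del e[attr]  # drop the attribute once it has no values left
        result.append(e)
    return result


if __name__ == "__main__":
    snapshot = parse_ldif(SAMPLE_LDIF)
    for rule_dn, attr, value in find_dangling(delete_entry_naive(snapshot, YUM_DN)):
        print("dangling %s on %s -> %s" % (attr, rule_dn, value))
    print("after referint-style delete:",
          find_dangling(delete_entry_with_referint(snapshot, YUM_DN)))
```

Run against a real export (for instance the output of an `ldapsearch` over the sudo subtree saved as LDIF), the same `find_dangling` pass is a cheap way to spot rules that already carry stale DNs before a cleanup is applied.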
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=837356
Moving ticket to RC2, as RC1 deadline is too close for this ticket to be included.
Note: current plan is to use Referential Integrity Plugin to do the amendment of dangling attributes. It is already used in IPA, we just need to extend the range of checked attributes.
We must create eq,pres indexes for all checked attributes first to prevent performance issues.
Note to myself: there is a relevant issue in DS with index setting: https://fedorahosted.org/389/ticket/453
master:
- c063095
- 2ecfe57
- d8ba7d9
- edf8138

ipa-3-0:
- 72ce306
- 3ae2a92
- 87f880b
- 6016ffd
Metadata Update from @pbrezina:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 3.0 RC2