#2866 sudo: deleting command may bring LDAP to an inconsistent state
Closed: Fixed. Opened 11 years ago by pbrezina.

When a command that is currently attached to a rule is deleted, it does not affect this rule. The rule still contains dn of the deleted command.


A lot more detail is needed.

I can look at it and provide more details.

As pbrezina reported, the problem here is that when you delete a SUDO command which is added as a member to any SUDO rule, the non-existent DN stays on the SUDO rule object:

# ipa sudocmd-add /usr/sbin/yum
# ipa sudorule-add foo
# ipa sudorule-add-allow-command foo --sudocmds=/usr/sbin/yum

# ipa sudorule-show foo --all --raw
  dn: ipauniqueid=90a37188-c1c3-11e1-a6b0-001a4a104e23,cn=sudorules,cn=sudo,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  cn: foo
  ipaenabledflag: TRUE
  memberuser: uid=admin,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  ipauniqueid: 90a37188-c1c3-11e1-a6b0-001a4a104e23
>>memberallowcmd: sudocmd=/usr/sbin/yum,cn=sudocmds,cn=sudo,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  objectclass: ipaassociation
  objectclass: ipasudorule

Now I delete the SUDO command and show the SUDO rule again:

# ipa sudocmd-del /usr/sbin/yum
# ipa sudorule-show foo --all --raw
  dn: ipauniqueid=90a37188-c1c3-11e1-a6b0-001a4a104e23,cn=sudorules,cn=sudo,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  cn: foo
  ipaenabledflag: TRUE
  memberuser: uid=admin,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  ipauniqueid: 90a37188-c1c3-11e1-a6b0-001a4a104e23
>>memberallowcmd: sudocmd=/usr/sbin/yum,cn=sudocmds,cn=sudo,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  objectclass: ipaassociation
  objectclass: ipasudorule

The memberallowcmd attribute now contains a non-existent DN. There are several ways to fix this:
1. Update the sudocmd-del and sudocmdgroup-del commands to either report an error or clean up the member attributes when the deleted entry is referenced by a SUDO rule
2. If possible, update our memberOf plugin to also handle this type of membership attribute

Moving ticket to RC2, as RC1 deadline is too close for this ticket to be included.

Note: the current plan is to use the Referential Integrity Plugin to clean up the dangling attributes. It is already used in IPA; we just need to extend the range of checked attributes.

We must create eq,pres indexes for all checked attributes first to prevent performance issues.
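The two behaviours discussed in this ticket (the dangling memberallowcmd value left behind by a plain delete, and the post-operation cleanup the Referential Integrity Plugin is meant to provide) can be shown side by side on a small in-memory model of the directory. This is an added example, not FreeIPA or 389-ds code: the directory is a dict of DN to attributes, the entries are constructed from the ticket's reproduction, the list of checked attributes (memberallowcmd, memberdenycmd, memberuser, memberhost) is an assumption about what the plugin would be configured with, and DN matching is simplified to case-insensitive comparison after whitespace normalisation. The find_dangling() audit is the check you would run against a real tree (over an ldapsearch dump) to see whether cleanup is still needed.

```python
"""Dangling member DNs after deleting a sudocmd, and the referential-integrity fix.

Added example (not FreeIPA or 389-ds code). The directory is modelled as a
dict of normalised DN -> {attribute: [values]}, populated with constructed
entries that mirror the ticket's reproduction. DN matching is simplified to
case-insensitive comparison after whitespace normalisation.
"""

# Membership attributes the referential-integrity plugin would be told to check
# for sudo rules. This set is an assumption made for the example.
CHECKED_ATTRS = ("memberallowcmd", "memberdenycmd", "memberuser", "memberhost")

BASE = "dc=idm,dc=lab,dc=bos,dc=redhat,dc=com"
CMD_DN = f"sudocmd=/usr/sbin/yum,cn=sudocmds,cn=sudo,{BASE}"
RULE_DN = f"ipauniqueid=90a37188-c1c3-11e1-a6b0-001a4a104e23,cn=sudorules,cn=sudo,{BASE}"
ADMIN_DN = f"uid=admin,cn=users,cn=accounts,{BASE}"


def norm_dn(dn):
    """Normalise a DN for comparison: strip spaces around commas, lower-case."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def sample_directory():
    """Constructed snapshot: one sudo command, one user, one rule using both."""
    return {
        norm_dn(CMD_DN): {"objectclass": ["ipasudocmd"], "sudocmd": ["/usr/sbin/yum"]},
        norm_dn(ADMIN_DN): {"objectclass": ["posixaccount"], "uid": ["admin"]},
        norm_dn(RULE_DN): {
            "objectclass": ["ipaassociation", "ipasudorule"],
            "cn": ["foo"],
            "ipaenabledflag": ["TRUE"],
            "memberuser": [ADMIN_DN],
            "memberallowcmd": [CMD_DN],
        },
    }


def find_dangling(directory, checked_attrs=CHECKED_ATTRS):
    """Audit: return (entry_dn, attr, value) for every checked-attribute value
    whose target DN does not exist in the directory."""
    dangling = []
    for dn, attrs in directory.items():
        for attr in checked_attrs:
            for value in attrs.get(attr, []):
                if norm_dn(value) not in directory:
                    dangling.append((dn, attr, value))
    return dangling


def delete_naive(directory, dn):
    """What the ticket describes: the entry goes away, attributes in other
    entries that reference it are left untouched."""
    directory.pop(norm_dn(dn))


def delete_with_referint(directory, dn, checked_attrs=CHECKED_ATTRS):
    """What a referential-integrity post-operation does: after the delete,
    strip the deleted DN from every checked attribute of every other entry.
    Returns the number of values removed so the caller can see the cleanup."""
    target = norm_dn(dn)
    directory.pop(target)
    removed = 0
    for attrs in directory.values():
        for attr in checked_attrs:
            values = attrs.get(attr)
            if not values:
                continue
            kept = [v for v in values if norm_dn(v) != target]
            removed += len(values) - len(kept)
            if kept:
                attrs[attr] = kept
            else:
                del attrs[attr]  # an attribute with no values left disappears, as in LDAP
    return removed


def reproduce():
    """Run both deletions on fresh copies; return (naive audit, fixed audit, removed)."""
    naive = sample_directory()
    delete_naive(naive, CMD_DN)
    fixed = sample_directory()
    removed = delete_with_referint(fixed, CMD_DN)
    return find_dangling(naive), find_dangling(fixed), removed


if __name__ == "__main__":
    naive_dangling, fixed_dangling, removed = reproduce()
    print("naive delete left dangling:", naive_dangling)
    print("referint delete removed", removed, "value(s); dangling:", fixed_dangling)
```

On a real 389-ds instance the cleanup loop above is what the plugin configured at cn=referential integrity postoperation,cn=plugins,cn=config performs for each attribute in its list (it also rewrites references on modrdn, which the model omits). That loop is a search for every entry carrying attribute=deleted-DN across the suffix, which is why the comment above insists on eq and pres indexes: without an index entry for each checked attribute under cn=index,cn=userRoot,cn=ldap,cn=plugins,cn=config (objectClass nsIndex, nsIndexType: eq and nsIndexType: pres) every delete of a sudocmd turns into an unindexed scan.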

Note to myself: there is a relevant issue in DS with index setting: https://fedorahosted.org/389/ticket/453

master:
c063095
2ecfe57
d8ba7d9
edf8138

ipa-3-0:
72ce306
3ae2a92
87f880b
6016ffd

Metadata Update from @pbrezina:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 3.0 RC2

7 years ago
