#4175 MOD command returns duplicate memberships
Closed: Fixed None Opened 10 years ago by mkosek.

permission-mod command returned duplicate memberships:

# ipa permission-show "Manage host keytab"
  Permission name: Manage host keytab
  Permissions: write, add
  Attributes: krbprincipalkey, krblastpwdchange
  Type: host
  Granted to Privilege: Host Administrators, Host Enrollment
  Indirect Member of roles: Build Administrator, IT Specialist
# ipa permission-mod "Manage host keytab" --permissions=write
----------------------------------------
Modified permission "Manage host keytab"
----------------------------------------
  Permission name: Manage host keytab
  Permissions: write
  Attributes: krbprincipalkey, krblastpwdchange
  Type: host
  Granted to Privilege: Host Administrators, Host Enrollment
>>Indirect Member of roles: Build Administrator, IT Specialist, Build Administrator, IT Specialist<<
# ipa permission-show "Manage host keytab"
  Permission name: Manage host keytab
  Permissions: write
  Attributes: krbprincipalkey, krblastpwdchange
  Type: host
  Granted to Privilege: Host Administrators, Host Enrollment
  Indirect Member of roles: Build Administrator, IT Specialist

As you see, this only appears to be an issue with MOD display, not storage in LDAP.

Honza, you played with memberships AFAIR, please check if this is more severe than it appears.

Membership processing is OK, the source of this error is somewhere in permission_mod.post_callback.

I get a different error on current master:

$ ipa permission-mod "Manage host keytab" --permissions=read
ipa: ERROR: attribute "memberindirect" not allowed

Petr, did you forget to handle memberindirect in the new permission code by any chance?

This is for version 3.3.4, before the new permission code.

It seems there's a different bug in master; I filed it as https://fedorahosted.org/freeipa/ticket/4178. Thanks for finding it!

Right. The problem is in permission-mod post_callback:

        # all common options to permission-mod and show need to be listed here
        common_options = filter_options(options, ['all', 'raw', 'rights'])
        result = self.api.Command.permission_show(cn, **common_options)['result']

        for r in result:
            if not r.startswith('member_'):
                entry_attrs[r] = result[r]

Previously, permission objects did not contain memberindirect_role so this was not a problem.
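To make the failure mode concrete, here is an added Python model (not FreeIPA code) of the loop quoted above. It assumes that, after post_callback copies the permission-show result in, the framework's membership processing appends the computed indirect roles to whatever the entry already lists; with that assumption the "member_" filter alone reproduces the doubled roles from the ticket, while also skipping "memberindirect_" keys does not.

```python
# Added illustration, not FreeIPA's own code: a minimal model of how the
# permission-mod post_callback loop quoted in the ticket can produce
# duplicated memberindirect_* values. The copy-then-extend order is an
# assumption about the framework, used only to reproduce the symptom.

# Constructed sample data mirroring the ticket's "Manage host keytab" entry.
MOD_RESULT = {  # what permission-mod holds after the LDAP update
    "cn": ["Manage host keytab"],
    "permissions": ["write"],
    "attrs": ["krbprincipalkey", "krblastpwdchange"],
    "member_privilege": ["Host Administrators", "Host Enrollment"],
}
SHOW_RESULT = {  # what permission-show returns for the same entry
    "cn": ["Manage host keytab"],
    "permissions": ["write"],
    "attrs": ["krbprincipalkey", "krblastpwdchange"],
    "type": ["host"],
    "member_privilege": ["Host Administrators", "Host Enrollment"],
    "memberindirect_role": ["Build Administrator", "IT Specialist"],
}
# Indirect roles as computed by (correct) membership processing.
INDIRECT_ROLES = ["Build Administrator", "IT Specialist"]


def merge_show_result(entry_attrs, show_result, skip_prefixes):
    """Copy permission-show attributes into entry_attrs, skipping any key
    that starts with one of skip_prefixes (mirrors the ticket's loop)."""
    for attr, values in show_result.items():
        if not attr.startswith(tuple(skip_prefixes)):
            entry_attrs[attr] = list(values)
    return entry_attrs


def add_indirect_members(entry_attrs, indirect_roles):
    """Assumed framework step: append computed indirect roles to whatever the
    entry already lists (an extend, not an overwrite)."""
    entry_attrs.setdefault("memberindirect_role", []).extend(indirect_roles)
    return entry_attrs


def mod_post_callback(skip_prefixes):
    """Return the memberindirect_role values the MOD command would display."""
    entry_attrs = {k: list(v) for k, v in MOD_RESULT.items()}
    merge_show_result(entry_attrs, SHOW_RESULT, skip_prefixes)
    add_indirect_members(entry_attrs, INDIRECT_ROLES)
    return entry_attrs["memberindirect_role"]


BUGGY_SKIP = ["member_"]                     # filter as quoted in the ticket
FIXED_SKIP = ["member_", "memberindirect_"]  # also skip indirect memberships

if __name__ == "__main__":
    print("buggy:", mod_post_callback(BUGGY_SKIP))
    print("fixed:", mod_post_callback(FIXED_SKIP))
```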

ipa-3-3:

  • 2ae2e9b Permission MOD command fix

Moving to 3.3.5 milestone as this patch was only for that branch in the end.

Metadata Update from @mkosek:
- Issue assigned to amisnyov
- Issue set to the milestone: FreeIPA 3.3.5 (bug fixing)

7 years ago