#5170 User lifecycle - preserved users can be assigned membership
Closed: Fixed. Opened 8 years ago by lryznaro.

In the user plugin, preserved users can be assigned membership, even though they are not supposed to work with membership information. Moreover, when a membership is assigned to a preserved user and the user is then activated, the membership information persists for the active entry.

Steps to reproduce:

1. create a group and a user

$ ipa group-add tgroup
$ ipa user-add tuser --first test --last user

2. delete the user with --preserve option

$ ipa user-del tuser --preserve

3. assign membership to the preserved user

$ ipa group-add-member tgroup --users tuser

Expected result: the user should not be added to the group

Actual result: the user is added to the group:

  Group name: tgroup
  GID: 280206353
-------------------------
Number of members added 1
-------------------------

Even though the results of the group-show and user-show commands do not list 'tuser' as a member of 'tgroup', the membership was apparently added:

$ ipa group-show tgroup
  Group name: tgroup
  GID: 280206353

$ ipa user-show tuser
  User login: tuser
  First name: test
  Last name: user
  Home directory: /home/tuser
  Login shell: /bin/sh
  Email address: tuser@abc.idm.lab.eng.brq.redhat.com
  UID: 280206355
  GID: 280206355
  Account disabled: True
  Preserved user: True
  Password: False
  Kerberos keys available: False

4. activate the preserved entry

$ ipa user-undel tuser

Expected result: user is now active and has only 'ipausers' membership

Actual result: user is active and has 'ipausers' and 'tgroup' membership:

$ ipa user-show tuser
  User login: tuser
  First name: test
  Last name: user
  Home directory: /home/tuser
  Login shell: /bin/sh
  Email address: tuser@abc.idm.lab.eng.brq.redhat.com
  UID: 280206355
  GID: 280206355
  Account disabled: False
  Password: False
  Member of groups: tgroup, ipausers
  Kerberos keys available: False

$ ipa group-show tgroup
  Group name: tgroup
  GID: 280206353
  Member users: tuser

Note: The membership added to the preserved entry can also be removed using 'group-remove-member'.
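The reproduction above shows that the CLI hides the stray membership while the user is preserved, so an audit has to look at the group entries' 'member' values directly. The following is an added example (not code from the ticket or from FreeIPA) that flags members whose DN lies under the preserved-users container and offers the same test as a pre-add filter; the suffix, the container DNs and the group entries are assumed/constructed for illustration.

```python
"""Audit group membership for preserved (deleted) FreeIPA users.

Added example, not code from the ticket or from FreeIPA. It works on LDAP-style
entries (DN plus 'member' values) and flags members whose DN lies under the
preserved-users container. Assumptions: preserved users live under
'cn=deleted users,cn=accounts,cn=provisioning,<suffix>' and active users under
'cn=users,cn=accounts,<suffix>'; all entries below are constructed samples.
"""

SUFFIX = "dc=example,dc=test"                                   # assumed suffix
PRESERVED_CONTAINER = f"cn=deleted users,cn=accounts,cn=provisioning,{SUFFIX}"
ACTIVE_CONTAINER = f"cn=users,cn=accounts,{SUFFIX}"

def _norm(dn):
    """Case- and whitespace-insensitive DN comparison key (simple RDNs only)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def is_preserved_dn(dn):
    """True if the DN is a uid= entry directly inside the preserved-users container."""
    rdn, _, parent = dn.partition(",")
    return rdn.strip().lower().startswith("uid=") and _norm(parent) == _norm(PRESERVED_CONTAINER)

def find_preserved_members(groups):
    """Return [(group_dn, member_dn)] for every preserved user found in 'member'."""
    hits = []
    for group in groups:
        for member_dn in group.get("member", []):
            if is_preserved_dn(member_dn):
                hits.append((group["dn"], member_dn))
    return hits

def filter_new_members(member_dns):
    """Pre-add check in the spirit of the CLI-level fix discussed in the ticket:
    split requested members into (allowed, rejected) so a preserved user is
    never written to a group's 'member' attribute."""
    allowed = [d for d in member_dns if not is_preserved_dn(d)]
    rejected = [d for d in member_dns if is_preserved_dn(d)]
    return allowed, rejected

# Constructed sample: 'tgroup' from the ticket after the buggy group-add-member,
# plus a clean group for contrast.
SAMPLE_GROUPS = [
    {"dn": f"cn=tgroup,cn=groups,cn=accounts,{SUFFIX}",
     "member": [f"uid=tuser,{PRESERVED_CONTAINER}"]},
    {"dn": f"cn=ipausers,cn=groups,cn=accounts,{SUFFIX}",
     "member": [f"uid=alice,{ACTIVE_CONTAINER}"]},
]

if __name__ == "__main__":
    for group_dn, member_dn in find_preserved_members(SAMPLE_GROUPS):
        print(f"preserved user {member_dn} is still a member of {group_dn}")
```

On a live server the same check can be fed with the 'member' values of the group entries read from the directory instead of the constructed sample.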


This behaviour is really a bug. A preserved (aka deleted) user should not be a member of any group because it is no longer in the organization.

This bug should not be too complex to fix. There are two options (maybe more): at the CLI level, prevent group-add-member from dealing with 'preserved' users. A preferred one would be to add a 'deleted container' permission/ACI to deny updates of the membership attribute. Now I wonder if the second option will not work, as we need to update the user (to remove membership) when the user is preserved (it could work, as the update is done by the referint/memberof plugins; it is worth testing).

Note that the following commands need to be fixed as well:

  • automember_rebuild
  • caacl_add_user
  • hbac_add_user
  • host_allow_create_keytab
  • host_allow_retrieve_keytab
  • netgroup_add_member
  • otptoken_add_managedby
  • role_add_member
  • selinuxusermap_add_user
  • service_allow_create_keytab
  • service_allow_retrieve_keytab
  • sudorule_add_runasuser
  • sudorule_add_user
  • vault_add_member
  • vault_add_owner

master:

  • 391ccab ULC: Prevent preserved users from being assigned membership

ipa-4-2:

  • cd81727 ULC: Prevent preserved users from being assigned membership

Metadata Update from @lryznaro:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.2.1

7 years ago

