In user plugin, the preserved users can be assigned membership, even though they are not supposed to work with membership information. Moreover, when a membership is assigned to a preserved user and then the user is activated, the membership information persists for the active entry.
Steps to reproduce:
1. create a group and a user
$ ipa group-add tgroup
$ ipa user-add tuser --first test --last user
2. delete the user with --preserve option
$ ipa user-del tuser --preserve
3. assign membership to the preserved user
$ ipa group-add-member tgroup --users tuser
Expected result: should not add the user to the group
Actual result: the user is added to the group:
Group name: tgroup
GID: 280206353
-------------------------
Number of members added 1
-------------------------
Even though the results of the group-show and user-show commands do not list 'tuser' as a member of 'tgroup', the membership was apparently added:
$ ipa group-show tgroup
Group name: tgroup
GID: 280206353
$ ipa user-show tuser
User login: tuser
First name: test
Last name: user
Home directory: /home/tuser
Login shell: /bin/sh
Email address: tuser@abc.idm.lab.eng.brq.redhat.com
UID: 280206355
GID: 280206355
Account disabled: True
Preserved user: True
Password: False
Kerberos keys available: False
4. activate the preserved entry
$ ipa user-undel tuser
Expected result: user is now active and has only 'ipausers' membership
Actual result: user is active and has 'ipausers' and 'tgroup' membership:
$ ipa user-show tuser
User login: tuser
First name: test
Last name: user
Home directory: /home/tuser
Login shell: /bin/sh
Email address: tuser@abc.idm.lab.eng.brq.redhat.com
UID: 280206355
GID: 280206355
Account disabled: False
Password: False
Member of groups: tgroup, ipausers
Kerberos keys available: False
$ ipa group-show tgroup
Group name: tgroup
GID: 280206353
Member users: tuser
Note: The membership added to the preserved entry can also be removed using 'group-remove-member'
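Because the CLI hides the stale membership on both sides, the only reliable way to spot it is to look at the raw group entries. The following audit script is an added illustration, not part of the ticket or of FreeIPA itself: it takes LDIF-style ldapsearch output over the groups container (a constructed sample is embedded) and reports every group whose member DNs point into the preserved-user container, assumed here to be "cn=deleted users,cn=accounts,cn=provisioning,<suffix>".

```python
# Added audit example (not FreeIPA code). Assumption: preserved entries live under
# "cn=deleted users,cn=accounts,cn=provisioning,<suffix>"; input is plain LDIF
# (folded continuation lines are joined, base64 "::" values are not decoded).
from typing import Dict, List

PRESERVED_CONTAINER = "cn=deleted users,cn=accounts,cn=provisioning"


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Split minimal LDIF into entries: {attr (lowercased): [values]}."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_attr = None
    for line in text.splitlines():
        if not line.strip():                      # blank line ends an entry
            if current:
                entries.append(current)
                current, last_attr = {}, None
            continue
        if line.startswith("#"):
            continue
        if line.startswith(" ") and last_attr:   # LDIF line folding
            current[last_attr][-1] += line[1:]
            continue
        attr, _, value = line.partition(":")
        last_attr = attr.strip().lower()
        current.setdefault(last_attr, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def find_preserved_members(ldif: str) -> Dict[str, List[str]]:
    """Map group DN -> member DNs that live in the preserved-user container."""
    findings: Dict[str, List[str]] = {}
    for entry in parse_ldif(ldif):
        dn = entry.get("dn", [""])[0]
        stale = [m for m in entry.get("member", [])
                 if PRESERVED_CONTAINER in m.lower()]
        if stale:
            findings[dn] = stale
    return findings


# Constructed sample: one group still pointing at the preserved 'tuser' entry.
SAMPLE = """\
dn: cn=tgroup,cn=groups,cn=accounts,dc=example,dc=test
cn: tgroup
gidNumber: 280206353
member: uid=tuser,cn=deleted users,cn=accounts,cn=provisioning,
 dc=example,dc=test

dn: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test
cn: ipausers
member: uid=admin,cn=users,cn=accounts,dc=example,dc=test
"""

if __name__ == "__main__":
    for group, members in find_preserved_members(SAMPLE).items():
        print(f"{group} -> {', '.join(members)}")
```

Run against real data by piping `ldapsearch -LLL -b "cn=groups,cn=accounts,<suffix>" member` into the parser; any hit is a membership the CLI would not have shown.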
This behaviour is really a bug. A preserved (aka deleted) user should not be a member of any group because it is no longer in the organization.
This bug should not be too complex to fix. There are two options (maybe more): at the CLI level, prevent group-add-member from dealing with 'preserved' users. A preferred one would be to add a 'deleted container' permission/aci to deny update of the membership attribute. Now I wonder if the second option will not work, as we need to update the user (to remove membership) when the user is preserved (it could work as the update is done by the referint/memberof plugins; it is worth testing).
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1250111
Note that the following commands need to be fixed as well:
master:
ipa-4-2:
Metadata Update from @lryznaro:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.2.1