Managed netgroups should be invisible, but currently they appear in IPA command results.
Steps to reproduce:
1. Create a host group:
   ipa hostgroup-add testhostgroup
   This will create a managed netgroup with the same name.
2. Search netgroups:
   ipa netgroup-find
3. Add a host into the host group:
   ipa hostgroup-add-member testhostgroup --hosts=test.example.com
4. View host details:
   ipa host-show test.example.com
Actual result:
- In step #2 the managed netgroup appears in the search results.
- In step #4 the managed netgroup appears in the "Member of netgroups" list.
Expected result:
- The managed netgroup should not appear in any IPA command results.
See also ticket #543.
Yes, this needs to be fixed as spec'd. Propose a blocker.
attachment freeipa-jraquino-0017-Managed-netgroups-should-be-invisible.patch
Patch attached to address the filtering of netgroup results.
Item 4 will be addressed in ticket 966 which calls for a new attribute type: indirectmemberOf to represent inherited membership in a group. https://fedorahosted.org/freeipa/ticket/963
I installed the patch and re-ran the test described in the original bug description. Some comments:
The patch changes the API, so in order to build correctly, API.txt needs to be updated by running the makeapi script.
The patch does fix the issue with step #2 in the original bug description. The managed netgroups no longer appear in netgroup-find.
Just out of curiosity, I tried adding a netgroup with the same name as the hostgroup. I expected it to conflict with the managed netgroup, but it actually worked. Searching the directory will return 2 netgroups with the same name:
% ldapsearch -x -D "cn=Directory Manager" -w Secret123 -b "dc=ipa" "(&(cn=testhostgroup)(objectClass=nisNetgroup))"
dn: cn=testhostgroup,cn=ng,cn=compat,dc=ipa
objectClass: nisNetgroup
objectClass: top
cn: testhostgroup

dn: cn=testhostgroup,cn=ng,cn=compat,dc=ipa
objectClass: nisNetgroup
objectClass: top
nisNetgroupTriple: (test.example.com,-,idm.lab.bos.redhat.com)
cn: testhostgroup

Deleting the duplicate netgroup will fail:
% ipa netgroup-del testhostgroup
ipa: ERROR: Server is unwilling to perform: Deleting a managed entry is not allowed. It needs to be manually unlinked first.
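The two behaviours discussed above (the filtering patch hiding managed netgroups from netgroup-find, and the duplicate-name case found while testing it) in one runnable sketch. This is an added illustration, not FreeIPA's own code or the attached patch: the directory is a constructed in-memory stand-in for cn=ng,cn=alt under an assumed suffix dc=ipa, the filter evaluator only handles &, |, !, equality and presence, and the hostgroup DN and netgroup names are made up. It keeps the real-world detail that netgroup DNs use ipaUniqueID as RDN, which is why two netgroups with the same cn can coexist and why an add-time check must search without the managed-entry exclusion.

```python
"""Added illustration for this ticket, not FreeIPA's own code.

Models netgroup-find hiding mepManagedEntry netgroups unless --managed is
given, and netgroup-add refusing a cn that collides with a netgroup that the
default search would hide.  DIRECTORY is a constructed stand-in for
cn=ng,cn=alt,<suffix>; as in FreeIPA, the RDN is ipaUniqueID, so entries
with the same cn can coexist.
"""
import uuid

SUFFIX = "dc=ipa"                 # assumed suffix, as in the ldapsearch above
MANAGED_OC = "mepManagedEntry"    # objectClass set by the Managed Entries plugin
DIRECTORY = {}                    # dn -> {attr (lower-case): [values]}


class DuplicateEntry(Exception):
    pass


def _add_entry(attrs):
    dn = f"ipauniqueid={uuid.uuid4()},cn=ng,cn=alt,{SUFFIX}"
    DIRECTORY[dn] = {k.lower(): list(v) for k, v in attrs.items()}
    return dn


# --- minimal LDAP filter evaluator: &, |, !, equality, presence "*" -------
def _parse(f, i=0):
    if f[i] != "(":
        raise ValueError(f"bad filter at offset {i}: {f!r}")
    i += 1
    if f[i] in "&|!":
        op, i, subs = f[i], i + 1, []
        while f[i] != ")":
            node, i = _parse(f, i)
            subs.append(node)
        return (op, subs), i + 1
    j = f.index(")", i)                      # assertion values must not contain ')'
    attr, _, value = f[i:j].partition("=")
    return ("=", attr.lower(), value), j + 1


def _match(node, entry):
    op = node[0]
    if op == "&":
        return all(_match(n, entry) for n in node[1])
    if op == "|":
        return any(_match(n, entry) for n in node[1])
    if op == "!":
        return not _match(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def ldap_search(filter_str):
    tree, _ = _parse(filter_str)
    return [(dn, e) for dn, e in DIRECTORY.items() if _match(tree, e)]


# --- netgroup-find: AND the user's filter with a negated objectClass test --
def netgroup_find_filter(user_filter, managed=False):
    oc = f"(objectClass={MANAGED_OC})"
    local = oc if managed else f"(!{oc})"     # --managed inverts the test
    return f"(&{local}{user_filter})"


def netgroup_find(cn="*", managed=False):
    hits = ldap_search(netgroup_find_filter(f"(cn={cn})", managed))
    return sorted(e["cn"][0] for _, e in hits)


# --- netgroup-add: check every netgroup with that cn, managed ones included
def netgroup_add(cn, triples=()):
    # Deliberately no managed-entry exclusion here: the colliding managed
    # netgroup is exactly the entry the default find filter would not show.
    if ldap_search(f"(&(objectClass=ipaNisNetgroup)(cn={cn}))"):
        raise DuplicateEntry(f'netgroup with name "{cn}" already exists')
    return _add_entry({"objectClass": ["ipaNisNetgroup", "ipaObject", "top"],
                       "cn": [cn], "nisDomainName": ["ipa"],
                       "nisNetgroupTriple": list(triples)})


# Constructed sample data: the managed netgroup created for the host group
# "testhostgroup" (mepManagedBy points back at it), plus one ordinary netgroup.
_add_entry({"objectClass": ["ipaNisNetgroup", "ipaObject", MANAGED_OC, "top"],
            "cn": ["testhostgroup"], "nisDomainName": ["ipa"],
            "mepManagedBy": [f"cn=testhostgroup,cn=hostgroups,cn=accounts,{SUFFIX}"]})
_add_entry({"objectClass": ["ipaNisNetgroup", "ipaObject", "top"],
            "cn": ["admins-ng"], "nisDomainName": ["ipa"]})

if __name__ == "__main__":
    print("netgroup-find           ->", netgroup_find())
    print("netgroup-find --managed ->", netgroup_find(managed=True))
    try:
        netgroup_add("testhostgroup")
    except DuplicateEntry as e:
        print("netgroup-add testhostgroup ->", e)
```

The point the duplicate-netgroup report makes is visible in `netgroup_add`: if the add-time check reused the default find filter, the managed entry would be invisible to it as well, and a second netgroup with the same cn would be created under a fresh ipaUniqueID, which is what the compat tree then renders as two entries with the same DN.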
The issue in step #1 (netgroup-find) and item #1 (API.txt) have been fixed in the following patch:
- master: d781dbd
Fix for the duplicate netgroup issue:
master: 27532f5
Metadata Update from @edewata: - Issue assigned to jraquino - Issue set to the milestone: FreeIPA 2.0.2 RC2 (bug fixing)