Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 453222 - "ipa-delgroup it" gets confused with group "editors"
Summary: "ipa-delgroup it" gets confused with group "editors"
Alias: None
Product: freeIPA
Classification: Retired
Component: ipa-admintools
Version: 1.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
Depends On:
Blocks: 453489
TreeView+ depends on / blocked
Reported: 2008-06-27 21:07 UTC by Eric Desgranges
Modified: 2015-01-04 23:33 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2008-08-04 18:21:39 UTC

Attachments (Terms of Use)
Be more careful when removing groups (deleted)
2008-07-03 21:11 UTC, Rob Crittenden
no flags Details | Diff

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2008:0643 normal SHIPPED_LIVE ipa bug fix update 2008-08-04 18:20:50 UTC

Description Eric Desgranges 2008-06-27 21:07:42 UTC
Description of problem:
I have a group "it". When I try to remove it via the command line I get the
following message:
An exact group match was not found. Found 2 groups (I guess "editors").

Comment 1 Rob Crittenden 2008-06-30 19:06:32 UTC
It currently uses the same broad search filter that any find group request uses
which is far too broad. We need to search where cn=GROUP only.

Or provide a list of hits and let the user select which group to delete.

Or do both by adding a new option that does an exact-search match but defaults
to interactive.

Comment 2 Simo Sorce 2008-06-30 19:33:10 UTC
I am wondering why we do search at all ? Is the concern that we might find more
than one group with the same name ?

Comment 3 Rob Crittenden 2008-06-30 21:30:13 UTC
Right. We currently have just one container for groups but in theory could
support more, each with the same name. How useful this would be I don't know.

I think I'll do the reverse. I'll add a -i/--interactive option for doing
list-based removals on dups, otherwise only exact matches will be removed.

Comment 4 Rob Crittenden 2008-07-03 18:03:44 UTC
additionally, need to confirm that the cn matches the responses.

If there were only an editors group and no other "it" groups then ipa-delgroup
it would remove editors.

Comment 5 Rob Crittenden 2008-07-03 21:11:57 UTC
Created attachment 310964 [details]
Be more careful when removing groups

The group delete XML-RPC function takes the DN as the argument so it is up to
the client to provide the right group.

This patch runs through the results and explodes the returned DNs looking for
an exact match of cn=GROUP_TO_DELETE

So even if multiple groups are returned we'll do the right thing.

Comment 7 Rob Crittenden 2008-07-07 14:28:26 UTC
master: 3f85a011c60ead633a04a239cb7b7c8b82fd7017

Comment 9 Yi Zhang 2008-07-22 23:03:33 UTC
Verified, test is below: (runs on both X86_64 & I386 32bit RHEL 5.2)

Test 1: result pass
server64[06/09/08 01:43]~ >ipa-addgroup 
Group name: it
Description: try to confuse server
it successfully added
server64[06/09/08 01:43]~ >ipa-finduser it
No entries found for it
server64[06/09/08 01:44]~ >ipa-findgroup it
2 entries were found. Which one would you like to display?
1: it
2: editors
Choose one: (1 - 2), 0 for all, q to quit: 1
dn: cn=it,cn=groups,cn=accounts,dc=ipaqa,dc=com
GID: 1469
Full Name: it
Description: try to confuse server

server64[06/09/08 01:44]~ >ipa-delgroup it
it successfully deleted

Test 2: test with long group name
Below is a test for long group name, and it works as well. 
server64[06/09/08 02:05]~ >ipa-addgroup -d "verylong name try to confuse others"
verylonglonglongnameA successfully added
server64[06/09/08 02:05]~ >ipa-addgroup -d "verylong name try to confuse others"
verylonglonglongnameB successfully added
server64[06/09/08 02:06]~ >ipa-findgroup verylonglonglong
2 entries were found. Which one would you like to display?
1: verylonglonglongnameA
2: verylonglonglongnameB
Choose one: (1 - 2), 0 for all, q to quit: q
server64[06/09/08 02:06]~ >ipa-findgroup verylonglonglongnameB
dn: cn=verylonglonglongnameB,cn=groups,cn=accounts,dc=ipaqa,dc=com
GID: 1511
Full Name: verylonglonglongnameB
Description: verylong name try to confuse others
server64[06/09/08 02:06]~ >ipa-delgroup verylonglonglongnameB
verylonglonglongnameB successfully deleted
server64[06/09/08 02:06]~ >ipa-delgroup verylonglonglongname
Group 'verylonglonglongname' not found.

Comment 11 errata-xmlrpc 2008-08-04 18:21:39 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

Note You need to log in before you can comment on or make changes to this bug.