On 10/17/25 2:10 AM, William Brown via 389-users wrote:
On 17 Oct 2025, at 00:23, vectinx via 389-users <389-users@lists.fedoraproject.org> wrote:
Apparently, the function `memberof_del_dn_from_groups()` updates the `member` attribute:
/* Deletes a member DN from all groups that refer to it. */
static int
memberof_del_dn_from_groups(Slapi_PBlock *pb, MemberOfConfig *config, Slapi_DN *sdn)
It uses the `memberofgroupattr` configuration parameter from the MemberOf plugin:
memberofgroupattr: member
memberofgroupattr: memberUser
memberofgroupattr: memberHost
memberofgroupattr: ipaOwner
This function is called when deleting entries, including during deferred updates:
https://github.com/389ds/389-ds-base/blob/main/ldap/servers/plugins/memberof/memberof.c#L644
---
Regarding the updates with CSNs `68edda59000000030000` and `68edda59000100030000`:
At first, I also suspected that they were caused by the referential integrity update replication.
However, after excluding the `member` attribute from referential integrity,
the duplicate modify operations still appear on both replicas.
Here's what I did to exclude `member` from the Referential Integrity plugin:
ldapmodify -D "cn=Directory Manager" -W <<EOF
dn: cn=referential integrity postoperation,cn=plugins,cn=config
changetype: modify
delete: referint-membership-attr
referint-membership-attr: member
EOF
Then I deleted the test user, and the result was:
dbid: 68f0fb0d000000040000
operation: delete
dn: uid=integrity-fix,cn=users,cn=accounts,dc=test,dc=loc
dbid: 68f0fb0d000100040000
operation: delete
dn: cn=integrity-fix,cn=groups,cn=accounts,dc=test,dc=loc
dbid: 68f0fb0d000300040000
operation: modify
dn: cn=ipausers,cn=groups,cn=accounts,dc=test,dc=loc
member: uid=integrity-fix,cn=users,cn=accounts,dc=test,dc=loc
modifiersName: cn=MemberOf Plugin,cn=plugins,cn=config
dbid: 68f0fb0e000000030000
operation: modify
dn: cn=ipausers,cn=groups,cn=accounts,dc=test,dc=loc
member: uid=integrity-fix,cn=users,cn=accounts,dc=test,dc=loc
modifiersName: cn=MemberOf Plugin,cn=plugins,cn=config
As you can see, the duplicate `modify` operations on the group are triggered by the MemberOf plugin itself,
even when the Referential Integrity plugin is excluded from handling the `member` attribute.
Seems like an issue where memberOf is trying to duplicate the behaviour of refint. refint should be responsible for cleaning up member attributes that are no longer needed - not memberOf.
I'm not sure why this duplicate behaviour was added - tbordaz, what was the reason behind memberof cleaning up member attributes, not just memberOf?
In fact, memberof is acting like refint on DEL/MODRDN. Apart from preventing dangling membership of non-existing entries (which is refint's task), the only justification I can think of is to avoid using this dangling membership link when computing memberof. But that should not occur, as memberof is a postop and when it is called the link is already dangling.
Please open a ticket so we can evaluate the impact of fixing this.
best regards
Thierry
--
Sincerely,
William Brown
Senior Software Engineer,
Identity and Access Management
SUSE Labs, Australia
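An added check, not part of the thread or of 389-ds itself: it parses a changelog dump in the format vectinx quoted and reports modify records that repeat an identical change on the same dn, so a reader can confirm the duplicated MemberOf writes in their own dump. SAMPLE_DUMP is a constructed copy of the dump quoted above.

```python
"""Find redundant modify records in a 389-ds changelog dump (added example).

SAMPLE_DUMP is a constructed copy of the dump quoted in the thread."""
from collections import defaultdict

SAMPLE_DUMP = """\
dbid: 68f0fb0d000000040000
operation: delete
dn: uid=integrity-fix,cn=users,cn=accounts,dc=test,dc=loc
dbid: 68f0fb0d000100040000
operation: delete
dn: cn=integrity-fix,cn=groups,cn=accounts,dc=test,dc=loc
dbid: 68f0fb0d000300040000
operation: modify
dn: cn=ipausers,cn=groups,cn=accounts,dc=test,dc=loc
member: uid=integrity-fix,cn=users,cn=accounts,dc=test,dc=loc
modifiersName: cn=MemberOf Plugin,cn=plugins,cn=config
dbid: 68f0fb0e000000030000
operation: modify
dn: cn=ipausers,cn=groups,cn=accounts,dc=test,dc=loc
member: uid=integrity-fix,cn=users,cn=accounts,dc=test,dc=loc
modifiersName: cn=MemberOf Plugin,cn=plugins,cn=config
"""

def parse_records(text):
    """Split a dump into records; every record begins at a 'dbid:' line."""
    records = []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "dbid":
            records.append({"dbid": value, "attrs": {}})
        elif records and key:
            records[-1]["attrs"].setdefault(key, []).append(value)  # multi-valued
    return records

def find_duplicate_modifies(text):
    """Return {(dn, changed attr/value pairs): [(dbid, modifiersName), ...]}
    for modify records that repeat an identical change on the same entry."""
    groups = defaultdict(list)
    for rec in parse_records(text):
        attrs = rec["attrs"]
        if attrs.get("operation") != ["modify"]:
            continue
        skip = ("operation", "dn", "modifiersName")
        sig = (attrs["dn"][0],) + tuple(sorted(
            (k, v) for k, vals in attrs.items() if k not in skip for v in vals))
        groups[sig].append((rec["dbid"], attrs.get("modifiersName", [""])[0]))
    return {sig: hits for sig, hits in groups.items() if len(hits) > 1}
```

On the sample, `find_duplicate_modifies(SAMPLE_DUMP)` returns one group for the cn=ipausers dn holding the two dbids written by the MemberOf Plugin.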