authorRob Crittenden <rcritten@redhat.com>2010-10-26 13:56:54 -0400
committerRob Crittenden <rcritten@redhat.com>2010-10-28 17:34:34 -0400
commitc1dfb50ee9be266e3448ad53acd8a6464938c604 (patch)
tree595769d6959e3340cdcb20f14305568a4d42b8da
parent4f8e4482b316cc5996986bdfae12cc27be27df5e (diff)
Remove group nesting from the HBAC service groups
ticket 389
-rw-r--r--install/share/60basev2.ldif2
-rw-r--r--ipalib/plugins/hbacsvcgroup.py12
-rw-r--r--tests/test_xmlrpc/test_hbacsvcgroup_plugin.py2
3 files changed, 4 insertions, 12 deletions
diff --git a/install/share/60basev2.ldif b/install/share/60basev2.ldif
index 5e97f13b8..7eb346b02 100644
--- a/install/share/60basev2.ldif
+++ b/install/share/60basev2.ldif
@@ -41,7 +41,7 @@ objectClasses: (1.3.6.1.1.1.2.17 NAME 'automount' DESC 'Automount information' S
attributeTypes: (2.16.840.1.113730.3.8.3.17 NAME 'hostCApolicy' DESC 'Policy on how to treat host requests for cert operations.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v2' )
objectClasses: (2.16.840.1.113730.3.8.4.9 NAME 'ipaCAaccess' STRUCTURAL MAY (member $ hostCApolicy) X-ORIGIN 'IPA v2' )
objectClasses: (2.16.840.1.113730.3.8.4.10 NAME 'ipaHBACService' STRUCTURAL MUST ( cn ) MAY ( description $ memberOf ) X-ORIGIN 'IPA v2' )
-objectClasses: (2.16.840.1.113730.3.8.4.11 NAME 'ipaHBACServiceGroup' DESC 'IPA HBAC service group object class' SUP nestedGroup STRUCTURAL X-ORIGIN 'IPA v2' )
+objectClasses: (2.16.840.1.113730.3.8.4.11 NAME 'ipaHBACServiceGroup' DESC 'IPA HBAC service group object class' SUP groupOfNames STRUCTURAL X-ORIGIN 'IPA v2' )
attributeTypes: (1.3.6.1.4.1.2428.20.0.0 NAME 'dNSTTL' DESC 'An integer denoting time to live' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
attributeTypes: (1.3.6.1.4.1.2428.20.0.1 NAME 'dNSClass' DESC 'The class of a resource record' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: (1.3.6.1.4.1.2428.20.1.12 NAME 'pTRRecord' DESC 'domain name pointer, RFC 1035' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
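Review bot: Switching `ipaHBACServiceGroup` to `SUP groupOfNames` does not by itself stop nesting at the directory level, because `member` in groupOfNames accepts any DN; the services-only restriction lives solely in the plugin's `attribute_members` (the hbacsvcgroup.py hunk). The commit also shows no upgrade step for entries created under the old class. If `nestedGroup` was what permitted `memberOf` on group entries, already-nested service groups may fail schema checks on their next modify, while their group-valued `member` DNs stay in place. Since these groups feed host-based access control rules, I would add an update task that finds `ipaHBACServiceGroup` entries whose `member` points at another service group and reports or flattens them, and state in the commit message how rule evaluation treats such leftover members.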
diff --git a/ipalib/plugins/hbacsvcgroup.py b/ipalib/plugins/hbacsvcgroup.py
index 682a6c4e6..3bbf660ee 100644
--- a/ipalib/plugins/hbacsvcgroup.py
+++ b/ipalib/plugins/hbacsvcgroup.py
@@ -20,8 +20,7 @@
HBAC Service Groups
HBAC service groups can contain any number of individual services,
-or "members", and can also contain other service groups. Every group must
-have a description.
+or "members". Every group must have a description.
EXAMPLES:
@@ -37,7 +36,6 @@ EXAMPLES:
Add a new group to the "login" group:
ipa hbacsvcgroup-add --desc="switch users" suers
ipa hbacsvcgroup-add-member --hbacsvcs=su,su-l suers
- ipa hbacsvsgroup-add-member --hbacsvsgroups=suers login
Delete an HBAC services group:
ipa hbacsvcgroup-del login
@@ -56,14 +54,10 @@ class hbacsvcgroup(LDAPObject):
object_name = 'hbacsvcgroup'
object_name_plural = 'hbacsvcgroups'
object_class = ['ipaobject', 'ipahbacservicegroup']
- default_attributes = [ 'cn', 'description', 'member', 'memberof',
- 'memberindirect',
- ]
+ default_attributes = [ 'cn', 'description', 'member' ]
uuid_attribute = 'ipauniqueid'
attribute_members = {
- 'member': ['hbacsvc', 'hbacsvcgroup'],
- 'memberof': ['hbacsvcgroup'],
- 'memberindirect': ['hbacsvc', 'hbacsvcgroup'],
+ 'member': ['hbacsvc'],
}
label = _('HBAC Service Groups')
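Review bot: With `'memberof'` and `'memberindirect'` dropped from `default_attributes` and `attribute_members` reduced to `'member': ['hbacsvc']`, a group-valued member left over from before this change would presumably no longer be listed or removable through the hbacsvcgroup commands, so what an administrator sees may differ from what is stored. A short comment above the mapping would record the intent, e.g. `# Nesting is not supported (ticket 389): members are hbacsvc entries only`. The docstring hunk above also leaves the heading `Add a new group to the "login" group:` over an example that no longer adds anything to `login`; it should be reworded to match the two remaining commands. The class body continues outside this hunk.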
diff --git a/tests/test_xmlrpc/test_hbacsvcgroup_plugin.py b/tests/test_xmlrpc/test_hbacsvcgroup_plugin.py
index da347f22d..c44779f27 100644
--- a/tests/test_xmlrpc/test_hbacsvcgroup_plugin.py
+++ b/tests/test_xmlrpc/test_hbacsvcgroup_plugin.py
@@ -123,7 +123,6 @@ class test_hbacsvcgroup(Declarative):
failed=dict(
member=dict(
hbacsvc=tuple(),
- hbacsvcgroup=tuple(),
),
),
result={
@@ -213,7 +212,6 @@ class test_hbacsvcgroup(Declarative):
failed=dict(
member=dict(
hbacsvc=tuple(),
- hbacsvcgroup=tuple(),
),
),
completed=1,