Bug 1034257

Summary: Possible to add non-existent role to user
Product: Red Hat Enterprise Linux 6 Reporter: Ján Rusnačko <jrusnack>
Component: 389-ds-baseAssignee: Rich Megginson <rmeggins>
Status: CLOSED WONTFIX QA Contact: Sankar Ramalingam <sramling>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.4CC: jgalipea, nkinder
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-12-18 18:06:37 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Ján Rusnačko 2013-11-25 14:01:59 UTC 
Description of problem:
In current RHEL 6.4 DS it is possible to add user to role which does not exist.

Version-Release number of selected component (if applicable):
389-ds-base-1.2.11.15-29.el6.x86_64

How reproducible:
always

Steps to Reproduce:
[jrusnack@dhcp-31-42 workspace]$ ldapmodify -a -D "cn=directory manager" -w Secret123 <<EOF
dn: cn=roles testuser3,ou=people,dc=example,dc=com
objectclass: top
objectclass: person
cn: roles testuser
sn: roles testuser
nsRoleDN: ou=invalid    
EOF

adding new entry "cn=roles testuser3,ou=people,dc=example,dc=com"

[jrusnack@dhcp-31-42 workspace]$ ldapsearch -LLL -D "cn=directory manager" -w Secret123 -b "cn=roles testuser3,ou=people,dc=example,dc=com" nsroleDN 
dn: cn=roles testuser3,ou=People,dc=example,dc=com
nsroleDN: ou=invalid

Actual results:
User entry can be added to non-existing role (i.e. there is no managed role entry ou=invalid).
Comment 2 Nathan Kinder 2013-12-18 18:06:37 UTC 
This is really a RFE, not a bug.  Just like any other grouping mechanism, you can add a reference to a non-existent group/role.  Even referential integrity doesn't check for ADD or MOD operations by design.

I'd prefer to not implement this unless there is a significant customer request behind it.  Closing as WONTFIX.