Bug 667410

Summary: ipa host-mod --addattr on cn should not be allowed
Product: [Retired] freeIPA
Reporter: Jenny Severance <jgalipea>
Component: ipa-admintools
Assignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA
QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium
Priority: low
Version: 2.0
CC: benl, dpal, jgalipea
Fixed In Version: freeipa-2.0.0-1.fc15
Doc Type: Bug Fix
Last Closed: 2012-03-27 07:16:49 UTC

Description Jenny Severance 2011-01-05 14:45:07 UTC
Description of problem:

Adding an additional host CN is successful with ipa host-mod --addattr and should not be allowed.


Version-Release number of selected component (if applicable):

ipa-server-1.91-0.2010113023git20b1e0a.fc13.i686
ipa-admintools-1.91-0.2010113023git20b1e0a.fc13.i686

How reproducible:
always

Steps to Reproduce:
1. add a new host
   ipa host-add mytest.testrelm
2. add an additional cn
   ipa host-mod --addattr cn=mytest2.testrelm mytest.testrelm
3. ipa host-show --all mytest.testrelm
  
Actual results:
adding additional cn is successful

# ipa host-show --all mytest.testrelm

  dn: fqdn=mytest.testrelm,cn=computers,cn=accounts,dc=testrelm
  Host name: mytest.testrelm
  Principal name: host/mytest.testrelm@TESTRELM
  Keytab: False
  Managed by: mytest.testrelm
  cn: mytest.testrelm, mytest2.testrelm
  ipauniqueid: 95a1d49c-18d5-11e0-bbc2-000c29a992d9
  objectclass: ipaobject, nshost, ipahost, pkiuser, ipaservice, krbprincipalaux, krbprincipal, top
  serverhostname: mytest

Expected results:

ipa: ERROR: cn: Only one value allowed.

Additional info:

Comment 1 Dmitri Pal 2011-01-05 16:26:45 UTC
I do not think this is a valid test case. cn is not a part of the host object so adding a cn attribute should be allowed. I think this functions as designed.

Comment 2 Jenny Severance 2011-01-05 18:13:21 UTC
Then the CLI and UI should deny the operation with a valid error message ... like ... ipa: ERROR: attribute cn not allowed

Comment 3 Dmitri Pal 2011-01-05 18:26:46 UTC
https://fedorahosted.org/freeipa/ticket/706

Comment 4 Rob Crittenden 2011-02-17 03:20:30 UTC
master: 86fe47b87df4e503e9d1d4c6cf6be62b5cbab685

Comment 5 Jenny Severance 2011-03-01 20:23:13 UTC
Verified

version:
ipa-server-2.0.0-13.20110228T1743zgit99d6e08.el6.x86_64
ipa-admintools-2.0.0-13.20110228T1743zgit99d6e08.el6.x86_64


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-host-cli-32: Negative - setattr and addattr on cn
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

----------------------------
Added host "mytest.testrelm"
----------------------------
  Host name: mytest.testrelm
  Principal name: host/mytest.testrelm@TESTRELM
  Managed by: mytest.testrelm
:: [15:20:14] ::  Adding new host mytest.testrelm successful with force option.
:: [15:20:14] ::  Executing: ipa host-mod --setattr cn=mytest2.testrelm mytest.testrelm
ipa: ERROR: Insufficient access: cn is immutable
:: [15:20:17] ::  "ipa host-mod --setattr cn=mytest2.testrelm mytest.testrelm" failed as expected.
:: [15:20:20] ::  Error message as expected: ipa: ERROR: Insufficient access: cn is immutable
:: [   PASS   ] :: Verify expected error message for --setattr.
:: [15:20:21] ::  Executing: ipa host-mod --addattr cn=mytest3.testrelm mytest.testrelm
ipa: ERROR: Insufficient access: cn is immutable
:: [15:20:24] ::  "ipa host-mod --addattr cn=mytest3.testrelm mytest.testrelm" failed as expected.
:: [15:20:27] ::  Error message as expected: ipa: ERROR: Insufficient access: cn is immutable
:: [   PASS   ] :: Verify expected error message for --addattr.