Bug 667412

Summary: ipa host-mod --setattr on cn should not be allowed
Product: [Retired] freeIPA
Reporter: Jenny Severance <jgalipea>
Component: ipa-admintools
Assignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA
QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium
Priority: low
Version: 2.0
CC: benl, dpal, jgalipea
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: freeipa-2.0.0-1.fc15
Doc Type: Bug Fix
Last Closed: 2012-03-27 07:13:55 UTC

Description Jenny Severance 2011-01-05 14:53:23 UTC
Description of problem:
ipa host-mod --setattr on cn is successful, but should be denied.

Version-Release number of selected component (if applicable):
ipa-server-1.91-0.2010113023git20b1e0a.fc13.i686
ipa-admintools-1.91-0.2010113023git20b1e0a.fc13.i686

How reproducible:
always

Steps to Reproduce:
1. add a new host
   ipa host-add mytest.testrelm
2. modify the host's cn using --setattr
   ipa host-mod --setattr cn=mytest2.testrelm mytest.testrelm
3. ipa host-show --all mytest.testrelm
  
Actual results:
modifying cn is successful

# ipa host-show --all mytest.testrelm

  dn: fqdn=mytest.testrelm,cn=computers,cn=accounts,dc=testrelm
  Host name: mytest.testrelm
  Principal name: host/mytest.testrelm@TESTRELM
  Keytab: False
  Managed by: mytest.testrelm
  cn: mytest2.testrelm
  ipauniqueid: 95a1d49c-18d5-11e0-bbc2-000c29a992d9
  objectclass: ipaobject, nshost, ipahost, pkiuser, ipaservice, krbprincipalaux, krbprincipal, top
  serverhostname: mytest


Expected results:
ipa: ERROR: attribute cn not allowed

Additional info:

Comment 1 Dmitri Pal 2011-01-05 16:29:05 UTC
Similarly to https://bugzilla.redhat.com/show_bug.cgi?id=667410 - this is not a valid use case. CN is not a part of the host entry, so the cn attribute can be added and modified if the administrator wants to. There is nothing in the system that would require these operations to be treated as illegal.

Comment 2 Dmitri Pal 2011-01-05 18:28:09 UTC
https://fedorahosted.org/freeipa/ticket/707

After some discussion we agreed that the ticket is valid.

Comment 3 Rob Crittenden 2011-02-17 03:21:16 UTC
master: 86fe47b87df4e503e9d1d4c6cf6be62b5cbab685

Comment 4 Jenny Severance 2011-03-01 20:22:49 UTC
Verified

version:
ipa-server-2.0.0-13.20110228T1743zgit99d6e08.el6.x86_64
ipa-admintools-2.0.0-13.20110228T1743zgit99d6e08.el6.x86_64


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-host-cli-32: Negative - setattr and addattr on cn
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

----------------------------
Added host "mytest.testrelm"
----------------------------
  Host name: mytest.testrelm
  Principal name: host/mytest.testrelm@TESTRELM
  Managed by: mytest.testrelm
:: [15:20:14] ::  Adding new host mytest.testrelm successful with force option.
:: [15:20:14] ::  Executing: ipa host-mod --setattr cn=mytest2.testrelm mytest.testrelm
ipa: ERROR: Insufficient access: cn is immutable
:: [15:20:17] ::  "ipa host-mod --setattr cn=mytest2.testrelm mytest.testrelm" failed as expected.
:: [15:20:20] ::  Error message as expected: ipa: ERROR: Insufficient access: cn is immutable
:: [   PASS   ] :: Verify expected error message for --setattr.
:: [15:20:21] ::  Executing: ipa host-mod --addattr cn=mytest3.testrelm mytest.testrelm
ipa: ERROR: Insufficient access: cn is immutable
:: [15:20:24] ::  "ipa host-mod --addattr cn=mytest3.testrelm mytest.testrelm" failed as expected.
:: [15:20:27] ::  Error message as expected: ipa: ERROR: Insufficient access: cn is immutable
:: [   PASS   ] :: Verify expected error message for --addattr.