| Summary: | role-add --setattr bypasses account validation | ||
|---|---|---|---|
| Product: | [Retired] freeIPA | Reporter: | Yi Zhang <yzhang> |
| Component: | ipa-server | Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED NOTABUG | QA Contact: | Chandrasekar Kannan <ckannan> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 2.0 | CC: | benl, dpal, jgalipea, jhrozek |
| Fixed In Version: | Doc Type: | Bug Fix | |
| Last Closed: | 2011-01-27 18:32:58 UTC | Type: | --- |

I'm not inclined to spend a lot of time on this to be honest. With great power comes great responsibility, so if users want to use setattr to manage membership I think the onus is on them to get it right.

I agree with Rob. This is FAD. Please close.

This is the right behavior. Per mutual agreement we are closing the issue.

Description of problem:

The command `ipa role-add-member <rolename> --users=<some user>` will check the existence of the user account. However, if we use the `ipa role-add <role-name> --desc=test --setattr=member=<some user>` syntax, it will bypass account validation.

The next test passed, which it should not:

```
[yi@dhcp-137 ipa-delegation]$ ipa role-add testRole001 --desc=test --setattr=member=uid=NoSuchUser13082,cn=users,cn=accounts,dc=sjc,dc=redhat,dc=com
------------------------
Added role "testrole001"
------------------------
Role name: testrole001
Description: test
Member users: NoSuchUser13082
```

=== there is account validation in the role-add-member command ===

```
[yi@dhcp-137 ipa-delegation]$ ipa role-add-member testRole001 --users=NoSuchUser13082
Role name: testrole001
Description: test
Member users: NoSuchUser13082
Failed members:
user: NoSuchUser13082: no such entry
-------------------------
Number of members added 0
-------------------------
```

======== account "NoSuchUser13082" does not exist =========

```
[yi@dhcp-137 ipa-delegation]$ ipa user-find NoSuchUser13082
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------
```

Version-Release number of selected component (if applicable): ipa-server-2.0-0.2011011115gitc778919.fc14.i686

How reproducible: always
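
An added example (not part of the original report and not FreeIPA code): because `--setattr=member=...` stores the DN without checking that the entry exists, an audit over an LDIF export can list role members that resolve to no entry. The sample LDIF, its suffix and the `cn=roles` container are constructed assumptions, and the DN comparison is simplified (no escaped commas, no base64-encoded values).

```python
# Constructed sample export (not from the bug report); suffix and cn=roles container are assumptions.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice

dn: cn=testrole001,cn=roles,cn=accounts,dc=example,dc=test
cn: testrole001
member: UID=Alice, cn=users,cn=accounts,dc=example,dc=test
member: uid=NoSuchUser13082,cn=users,cn=accounts,
 dc=example,dc=test
"""

def normalize_dn(dn):
    """Simplified DN comparison key: lower-case, no spaces around ',' and '='."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)

def parse_ldif(text):
    """Return {normalized dn: {attr: [values]}}; unfolds continuation lines."""
    unfolded = text.replace("\n ", "")  # RFC 2849 line folding
    entries = {}
    for block in unfolded.split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if not line or line.startswith("#") or ": " not in line:
                continue
            key, value = line.split(": ", 1)
            attrs.setdefault(key.lower(), []).append(value)
        if "dn" in attrs:
            entries[normalize_dn(attrs["dn"][0])] = attrs
    return entries

def dangling_members(entries):
    """List (entry dn, member dn) pairs whose member DN matches no entry."""
    return [
        (dn, member)
        for dn, attrs in sorted(entries.items())
        for member in attrs.get("member", [])
        if normalize_dn(member) not in entries
    ]

if __name__ == "__main__":
    for role, member in dangling_members(parse_ldif(SAMPLE_LDIF)):
        print(f"{role}: dangling member {member}")
```

The export passed to `parse_ldif` has to cover every container a member DN may point into; otherwise valid members outside the export are reported as dangling.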