Bug 741957

Summary: [ipa webui] Config - Default user objectclasses allows invalid setting, which prevents adding new users
Product: Red Hat Enterprise Linux 7
Reporter: Namita Soman <nsoman>
Component: ipa
Assignee: Martin Kosek <mkosek>
Status: CLOSED NOTABUG
QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: medium
Priority: high
Version: 7.0
CC: dpal, jgalipea, mkosek
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Clones: 760383
Last Closed: 2015-01-16 11:50:00 UTC
Bug Blocks: 756082, 760383

Description Namita Soman 2011-09-28 15:28:46 UTC
Description of problem:
In the IPA Server - Configuration tab, User Options section, Default user objectclasses allows deleting and adding objectclasses, which then prevents one from adding new users.

For example, if ipaobject is deleted, then when adding a new user, it throws error attribute "ipaUniqueID" not allowed. 

So do not allow the listed objectclasses to be deleted; only new ones should be allowed to be added.

When adding new ones, there is no check to see if it is a valid objectclass. Otherwise it throws an error when adding a new user.

When adding a valid new objectclass, for example mailGroup, it still throws an error when adding a new user, indicating - missing attribute "mail" required by object class "mailGroup". This can be worked around in the CLI by using --setattr=mail="one", and the user can be added, but this option is not available in the UI.

Version-Release number of selected component (if applicable):
ipa-server-2.1.1-4.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. In the configuration tab - Delete ipaobject from the list of Default user objectclasses
2. Add a new user
3. In the configuration tab - Add mailGroup
4. Add a new user
Actual results:
For first user add attempt - throws error - attribute "ipaUniqueID" not allowed
For the second user add attempt - throws error - missing attribute "mail" required by object class "mailGroup"

Expected results:
There should not be a "Delete" button for objectclasses without which a new user cannot be added.
When adding new objectclass, prompt or allow attribute to be entered when adding new user.

Additional info:
Logged Bug 741951 for the CLI to indicate an error when deleting a required objectClass. But in the UI, there should not be a Delete button for these.

Comment 2 Dmitri Pal 2011-09-28 21:38:48 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/1894

Comment 3 Dmitri Pal 2011-09-28 21:53:05 UTC
There is another bug #741951 that will be used to document related limitations and best practices. Suggest deferring this one until we have time to do something about dynamic extensibility.

Comment 8 Martin Kosek 2015-01-16 11:50:00 UTC
This attribute is already sufficiently protected, see:

{{{
# ipa config-mod --userobjectclasses=person
ipa: ERROR: invalid 'ipauserobjectclasses': user default attribute givenname would not be allowed!

[root@ipa ipa-winsync]# ipa config-mod --userobjectclasses={ipaobject,person,top,ipasshuser,inetorgperson,organizationalperson,krbticketpolicyaux,krbprincipalaux,inetuser,posixaccount,barbar}
ipa: ERROR: objectclass barbar not found
}}}

Please reopen this Bug if there is some obvious case where validation fails. However, when a valid objectclass that has a new MUST attribute is being added, adding a default value/other validation needs to be done through the user plugin - this is expected.
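As an added illustration (not IPA's own code), the following models the three situations this thread discusses: an objectclass that does not exist in the schema, a class list that would forbid an attribute the user plugin always sets, and a valid class whose MUST attribute no default supplies (the mailGroup case from the description). The schema, the default-attribute set and the error wording are constructed stand-ins, not the real LDAP schema or IPA's messages.

```python
# Constructed toy schema standing in for the LDAP schema the server consults:
# objectclass -> (superior class, MUST attributes, MAY attributes). Names are lowercased.
SCHEMA = {
    "top": (None, {"objectclass"}, set()),
    "person": ("top", {"sn", "cn"}, {"userpassword"}),
    "organizationalperson": ("person", set(), {"title"}),
    "inetorgperson": ("organizationalperson", set(), {"givenname", "mail", "uid"}),
    "posixaccount": ("top", {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"}, {"loginshell"}),
    "ipaobject": ("top", {"ipauniqueid"}, set()),
    "mailgroup": ("top", {"mail"}, {"cn"}),
}

# Attributes the user-add code always writes on a new entry (constructed set, chosen so the
# ipaUniqueID and givenname cases quoted in this bug are reproduced).
USER_DEFAULT_ATTRS = {"uid", "cn", "sn", "givenname", "uidnumber", "gidnumber",
                      "homedirectory", "ipauniqueid"}

def _collect(objectclasses, pick):
    """Union of pick(MUST, MAY) over each class and its whole superior chain."""
    attrs = set()
    for oc in objectclasses:
        cur = oc.lower()
        while cur is not None:
            sup, must, may = SCHEMA[cur]
            attrs |= pick(must, may)
            cur = sup
    return attrs

def validate_user_objectclasses(objectclasses):
    """Return the list of problems with a proposed default-objectclass list (empty = OK)."""
    unknown = [oc for oc in objectclasses if oc.lower() not in SCHEMA]
    if unknown:
        return [f"objectclass {oc} not found" for oc in unknown]
    allowed = _collect(objectclasses, lambda must, may: must | may)
    required = _collect(objectclasses, lambda must, may: must)
    errors = [f"user default attribute {a} would not be allowed!"
              for a in sorted(USER_DEFAULT_ATTRS - allowed)]
    # The mailGroup case: config-mod accepts the class, but every later user-add
    # fails unless the MUST attribute is supplied, so flag it at configuration time.
    errors += [f"missing attribute {a} required by the new objectclasses; user-add will fail"
               for a in sorted(required - USER_DEFAULT_ATTRS - {"objectclass"})]
    return errors

FULL = ["top", "person", "organizationalperson", "inetorgperson", "posixaccount", "ipaobject"]

if __name__ == "__main__":
    for classes in (FULL, FULL[:-1], FULL + ["barbar"], FULL + ["mailGroup"]):
        print(classes[-1], "->", validate_user_objectclasses(classes) or "OK")
```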