Bug 870434

Summary: change in error message to incorrect/misleading error message
Product: Red Hat Enterprise Linux 6
Reporter: Jenny Severance <jgalipea>
Component: ipa
Assignee: Rob Crittenden <rcritten>
Status: CLOSED WONTFIX
QA Contact: Namita Soman <nsoman>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 6.4
CC: dpal, jdennis, mkosek
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-10-29 20:51:30 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Jenny Severance 2012-10-26 13:19:40 UTC
Description of problem:
Error message has been changed when attempts are made to modify a DN. It is expected that an error be returned stating that you are not allowed to do this. Now a misleading error message is returned stating "Invalid syntax" - this could lead to admins thinking they can do this, try different syntaxes and get frustrated. I then tried with a correct DN syntax, but still got the invalid syntax error.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-user-cli-mod-028 setattr and addattr on dn
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Executing: ipa user-mod --setattr dn=mynewDN sup34
:: [   LOG    ] :: "ipa user-mod --setattr dn=mynewDN sup34" failed as expected.
:: [   FAIL   ] :: ERROR: Message not as expected. GOT: ipa: ERROR: dn: Invalid syntax.  EXP: ipa: ERROR: attribute distinguishedName not allowed 
:: [   FAIL   ] :: Verify expected error message for --setattr. (Expected 0, got 1)
:: [   LOG    ] :: Executing: ipa user-mod --addattr dn=anothernewDN sup34
:: [   LOG    ] :: "ipa user-mod --addattr dn=anothernewDN sup34" failed as expected.
:: [   FAIL   ] :: ERROR: Message not as expected. GOT: ipa: ERROR: dn: Invalid syntax.  EXP: ipa: ERROR: attribute distinguishedName not allowed 
:: [   FAIL   ] :: Verify expected error message for --addattr. (Expected 0, got 1)
:: [   LOG    ] :: Duration: 3s
:: [   LOG    ] :: Assertions: 0 good, 4 bad
:: [   FAIL   ] :: RESULT: ipa-user-cli-mod-028 setattr and addattr on dn

Version-Release number of selected component (if applicable):

Name        : ipa-server                   Relocations: (not relocatable)
Version     : 3.0.0                             Vendor: (none)
Release     : 105.20121022T2338zgit3488770.el6   Build Date: Mon 22 Oct 2012 09:13:40 PM EDT
Install Date: Thu 25 Oct 2012 03:17:00 PM EDT      Build Host: goofy-vm16.dsdev.sjc.redhat.com
Group       : System Environment/Base       Source RPM: ipa-3.0.0-105.20121022T2338zgit3488770.el6.src.rpm
Size        : 4357546                          License: GPLv3+
Signature   : (none)
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server
Description :
IPA is an integrated solution to provide centrally managed Identity (machine,
user, virtual machines, groups, authentication credentials), Policy
(configuration settings, access control information) and Audit (events,
logs, analysis thereof). If you are installing an IPA server you need
to install this package (in other words, most people should NOT install
this package).


How reproducible:
always

Steps to Reproduce:
1. add a user
2. attempt to set or add attr on dn
Actual results:
ipa: ERROR: dn: Invalid syntax.

Expected results:
ipa: ERROR: attribute distinguishedName not allowed

Additional info:

Other failures due to this regression ...

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-user-cli-mod-034 setattr and addattr krbPwdPolicyReference
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Executing: ipa user-mod --setattr krbPwdPolicyReference=test sup34
:: [   LOG    ] :: "ipa user-mod --setattr krbPwdPolicyReference=test sup34" failed as expected.
:: [   FAIL   ] :: ERROR: Message not as expected. GOT: ipa: ERROR: krbpwdpolicyreference: Invalid syntax.  EXP: ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'krbPwdPolicyReference' attribute of entry 'uid=sup34,cn=users,cn=accounts,dc=testrelm,dc=com'. 
:: [   FAIL   ] :: Verify expected error message for --setattr. (Expected 0, got 1)
:: [   LOG    ] :: Executing: ipa user-mod --setattr krbPwdPolicyReference=test sup34
:: [   LOG    ] :: "ipa user-mod --setattr krbPwdPolicyReference=test sup34" failed as expected.
:: [   FAIL   ] :: ERROR: Message not as expected. GOT: ipa: ERROR: krbpwdpolicyreference: Invalid syntax.  EXP: ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'krbPwdPolicyReference' attribute of entry 'uid=sup34,cn=users,cn=accounts,dc=testrelm,dc=com'. 
:: [   FAIL   ] :: Verify expected error message for --addattr. (Expected 0, got 1)
:: [   LOG    ] :: Duration: 3s
:: [   LOG    ] :: Assertions: 0 good, 4 bad
:: [   FAIL   ] :: RESULT: ipa-user-cli-mod-034 setattr and addattr krbPwdPolicyReference

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-group-setaddattr-001 - setattr group that doesn't exist
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [09:04:51] ::  Executing: ipa group-mod --setattr dn=mynewDN doesntexist
ipa: ERROR: dn: Invalid syntax.
:: [09:04:52] ::  "ipa group-mod --setattr dn=mynewDN doesntexist" failed as expected.
:: [   FAIL   ] :: ERROR: Message not as expected. GOT: ipa: ERROR: dn: Invalid syntax.  EXP: ipa: ERROR: doesntexist: group not found 
:: [   FAIL   ] :: Verify expected error message. (Expected 0, got 1)

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-group-setaddattr-002 setattr and addattr on dn
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [09:04:53] ::  Executing: ipa group-mod --setattr dn=mynewDN gmodtest
ipa: ERROR: dn: Invalid syntax.
:: [09:04:54] ::  "ipa group-mod --setattr dn=mynewDN gmodtest" failed as expected.
:: [   FAIL   ] :: ERROR: Message not as expected. GOT: ipa: ERROR: dn: Invalid syntax.  EXP: ipa: ERROR: attribute distinguishedName not allowed 
:: [   FAIL   ] :: Verify expected error message for --setattr. (Expected 0, got 1)
:: [09:04:55] ::  Executing: ipa group-mod --addattr dn=anothernewDN gmodtest
ipa: ERROR: dn: Invalid syntax.
:: [09:04:55] ::  "ipa group-mod --addattr dn=anothernewDN gmodtest" failed as expected.
:: [   FAIL   ] :: ERROR: Message not as expected. GOT: ipa: ERROR: dn: Invalid syntax.  EXP: ipa: ERROR: attribute distinguishedName not allowed 
:: [   FAIL   ] :: Verify expected error message for --addattr. (Expected 0, got 1)


There are probably more.

Comment 2 Rob Crittenden 2012-10-26 14:29:07 UTC
We now validate DN values before sending the request to the server, so it is the client reporting this error. This saves an LDAP operation.

This is not a regression, it is a purposeful change in behavior.

Comment 3 Dmitri Pal 2012-10-29 20:50:21 UTC
Yes, this is not a regression. This is a change in behavior related to validation of the DNs. I checked with John. There is nothing we can do about it. I am going to close it as WONTFIX.

Comment 4 John Dennis 2012-10-29 20:56:29 UTC
I don't see a regression here either. You're passing a dn which is improperly formed (i.e. its syntax is not correct) and it's telling you that. Rather than a regression I view it as an enhancement.

Why not use a syntactically correct but otherwise invalid dn?

The absolute minimum dn is a name followed by an equal sign (e.g. "foo="). That's a single AVA whose attribute name is "foo" and whose value is empty. FWIW empty values will probably trigger other errors down the way because I suspect most of our code expects an attribute to have a value, but at least it's technically a valid dn, just not a very useful one. You're probably better off at least including some bogus value.
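As an added illustration (not code from this bug or from FreeIPA), here is a simplified RFC 4514 string-DN parser of the kind a client could run before issuing the LDAP request, as Comment 2 describes: it rejects the bare `mynewDN` from the test log (no `type=` at all) and accepts John's minimal `foo=` DN with an empty value. The function names and the attribute-type regex are assumptions; quoted values and hex-encoded `#` values are not handled.

```python
import re

# Attribute type: a descriptor (letter, then letters/digits/hyphens) or a numeric OID.
_ATTR_TYPE = re.compile(r'^(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)*)$')


def split_unescaped(s, sep):
    """Split s on sep, leaving backslash-escaped separators inside the pieces."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == '\\' and i + 1 < len(s):
            cur.append(s[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if s[i] == sep:
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append(''.join(cur))
    return parts


def parse_dn(dn):
    """Parse an RFC 4514 string DN into RDNs (lists of (type, value) AVAs); ValueError on bad syntax."""
    if dn == '':
        return []  # the empty (root) DN is syntactically valid
    rdns = []
    for rdn in split_unescaped(dn, ','):
        avas = []
        for ava in split_unescaped(rdn, '+'):
            if '=' not in ava:
                # e.g. the bare 'mynewDN' from the test log: no 'type=' at all
                raise ValueError('AVA %r lacks an equal sign' % ava)
            attr_type, value = ava.split('=', 1)
            attr_type = attr_type.strip()
            if not _ATTR_TYPE.match(attr_type):
                raise ValueError('bad attribute type %r' % attr_type)
            avas.append((attr_type, value))  # value may be empty, as in 'foo='
        rdns.append(avas)
    return rdns


def is_valid_dn(dn):
    """Boolean wrapper: the pre-flight check that saves the server round trip."""
    try:
        parse_dn(dn)
        return True
    except ValueError:
        return False
```

Note that, as the reporter observed, a syntactically valid DN still gets the client-side check only; whether the server would permit the modification is a separate question answered only by sending the request.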