Bug 947911

Summary: Remove 'cn' attribute from idnsRecord and idnsZone objectClasses
Product: Red Hat Enterprise Linux 7
Component: ipa
Version: 7.0
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: medium
Hardware: Unspecified
OS: Unspecified
Reporter: Rob Crittenden <rcritten>
Assignee: Rob Crittenden <rcritten>
QA Contact: IDM QE LIST <seceng-idm-qe-list>
CC: mkosek, nsoman, xdong
Target Milestone: rc
Fixed In Version: ipa-3.2.1-1.el7
Doc Type: Bug Fix
Last Closed: 2014-06-13 09:20:46 UTC

Description Rob Crittenden 2013-04-03 14:06:20 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3514

The `commonName` attribute has no meaning in the `idnsRecord` and `idnsZone` objectClasses and never worked. Please remove it to prevent crazy errors caused by "too innovative" users.

Comment 1 Martin Kosek 2013-04-10 11:58:10 UTC
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/74abb432fb35ce222fd2a9b954557080cad63bf4

Can be reproduced by ldapsearch. After the update, "cn" is no longer in the MAY list:

# ldapsearch -h localhost -D "cn=Directory Manager" -W -x -b "cn=schema" objectClasses
...
objectClasses: ( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC 'dns Record,
  usually a host' SUP top STRUCTURAL MUST idnsName MAY ( idnsAllowDynUpdate $ 
 dNSTTL $ dNSClass $ aRecord $ aAAARecord $ a6Record $ nSRecord $ cNAMERecord 
 $ pTRRecord $ sRVRecord $ tXTRecord $ mXRecord $ mDRecord $ hInfoRecord $ mIn
 foRecord $ aFSDBRecord $ SigRecord $ KeyRecord $ LocRecord $ nXTRecord $ nAPT
 RRecord $ kXRecord $ certRecord $ dNameRecord $ dSRecord $ sSHFPRecord $ rRSI
 GRecord $ nSECRecord ) X-ORIGIN 'user defined' )
...

Comment 4 Xiyang Dong 2014-01-14 21:25:22 UTC
Verified on ipa-server-3.3.3-6.el7.x86_64

[root@70master ipa-ctl]# ldapsearch -h localhost -D "cn=Directory Manager" -w Secret123  -x -b "cn=schema" objectClasses|grep "NAME 'idnsRecord'" -A 6
objectClasses: ( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC 'dns Record,
  usually a host' SUP top STRUCTURAL MUST idnsName MAY ( idnsAllowDynUpdate $ 
 dNSTTL $ dNSClass $ aRecord $ aAAARecord $ a6Record $ nSRecord $ cNAMERecord 
 $ pTRRecord $ sRVRecord $ tXTRecord $ mXRecord $ mDRecord $ hInfoRecord $ mIn
 foRecord $ aFSDBRecord $ SigRecord $ KeyRecord $ LocRecord $ nXTRecord $ nAPT
 RRecord $ kXRecord $ certRecord $ dNameRecord $ dSRecord $ sSHFPRecord $ rRSI
 GRecord $ nSECRecord ) )

[root@70master ipa-ctl]# ldapsearch -h localhost -D "cn=Directory Manager" -w Secret123  -x -b "cn=schema" objectClasses|grep "NAME 'idnsZone'" -A 4
objectClasses: ( 2.16.840.1.113730.3.8.6.1 NAME 'idnsZone' DESC 'Zone class' S
 UP idnsRecord STRUCTURAL MUST ( idnsZoneActive $ idnsSOAmName $ idnsSOArName 
 $ idnsSOAserial $ idnsSOArefresh $ idnsSOAretry $ idnsSOAexpire $ idnsSOAmini
 mum ) MAY ( idnsUpdatePolicy $ idnsAllowQuery $ idnsAllowTransfer $ idnsAllow
 SyncPTR $ idnsForwardPolicy $ idnsForwarders ) )

"cn" is no longer in the MAY list

Comment 6 Ludek Smid 2014-06-13 09:20:46 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
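
The verification in Comment 4 reads folded LDIF, where a short attribute name can be split across a continuation line and slip past a line-based match. As an added example (not part of the bug report or the FreeIPA code), these shell functions unfold the ldapsearch output and test an objectClass's MAY list directly; the function names and the sample schema text are constructed for illustration.

```shell
#!/bin/sh
# Added example: read an objectClass's MAY list from
# `ldapsearch -b cn=schema objectClasses` output after undoing LDIF folding.

# Constructed sample modelled on the output above. 'cn' is put back into
# idnsRecord and split across a fold, standing for a server without the fix.
sample_schema() {
cat <<'EOF'
objectClasses: ( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC 'dns Record,
  usually a host' SUP top STRUCTURAL MUST idnsName MAY ( idnsAllowDynUpdate $ c
 n $ dNSTTL $ aRecord $ mIn
 foRecord ) )
objectClasses: ( 2.16.840.1.113730.3.8.6.1 NAME 'idnsZone' DESC 'Zone class' S
 UP idnsRecord STRUCTURAL MUST ( idnsZoneActive $ idnsSOAmName ) MAY ( idnsUpd
 atePolicy $ idnsAllowQuery ) )
EOF
}

# LDIF folding: a line starting with one space continues the previous line.
unfold_ldif() {
    awk 'NR > 1 && /^ / { printf "%s", substr($0, 2); next }
         NR > 1 { print "" }
         { printf "%s", $0 }
         END { if (NR) print "" }'
}

# Print the MAY attributes of objectClass $1, one per line (schema on stdin).
# Assumes the class has a single NAME, as in the output above.
may_attrs() {
    unfold_ldif | awk -v cls="$1" -v q="'" '
        index($0, "NAME " q cls q) {
            gsub(q "[^" q "]*" q, "")   # drop quoted strings such as DESC text
            gsub(/[()$]/, " & ")        # make ( ) $ separate tokens
            i = 1; while (i <= NF && $i != "MAY") i++
            if (i > NF) next            # class has no MAY clause
            if ($(i + 1) != "(") { print $(i + 1); next }
            for (i += 2; i <= NF && $i != ")"; i++) if ($i != "$") print $i
        }'
}

# Exit status 0 if attribute $2 is in the MAY list of class $1.
# LDAP attribute names compare case-insensitively, hence grep -i.
may_allows() {
    may_attrs "$1" | grep -qix -e "$2"
}

# Against a live server, pipe the ldapsearch command from the comments above:
#   ldapsearch ... -b "cn=schema" objectClasses | may_allows idnsRecord cn
sample_schema | may_allows idnsRecord cn && echo "idnsRecord MAY list still allows cn"
```

The check covers only the MAY list declared on the named class; idnsZone also inherits from idnsRecord through SUP, so both classes need to be checked, as Comment 4 does.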