Description of problem:
In current RHEL 6.4 DS it is possible to add a user to a role which does not exist.

Version-Release number of selected component (if applicable):
389-ds-base-1.2.11.15-29.el6.x86_64

How reproducible:
always

Steps to Reproduce:
[jrusnack@dhcp-31-42 workspace]$ ldapmodify -a -D "cn=directory manager" -w Secret123 <<EOF
dn: cn=roles testuser3,ou=people,dc=example,dc=com
objectclass: top
objectclass: person
cn: roles testuser
sn: roles testuser
nsRoleDN: ou=invalid
EOF
adding new entry "cn=roles testuser3,ou=people,dc=example,dc=com"

[jrusnack@dhcp-31-42 workspace]$ ldapsearch -LLL -D "cn=directory manager" -w Secret123 -b "cn=roles testuser3,ou=people,dc=example,dc=com" nsroleDN
dn: cn=roles testuser3,ou=People,dc=example,dc=com
nsroleDN: ou=invalid

Actual results:
User entry can be added to a non-existing role (i.e. there is no managed role entry ou=invalid).
This is really an RFE, not a bug. Just like any other grouping mechanism, you can add a reference to a non-existent group/role. Even referential integrity doesn't check for ADD or MOD operations by design. I'd prefer to not implement this unless there is a significant customer request behind it. Closing as WONTFIX.
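Since the server accepts such references on ADD/MOD by design, an administrator who wants to catch them has to audit the data afterwards. The following added example (not code from the bug report or from 389-ds) scans an LDIF export for nsRoleDN values that name a missing entry or an entry that is not a role definition; the sample LDIF and the helpers parse_ldif and dangling_roles are constructed for this illustration.

```python
# Added audit helper, not part of 389-ds: flag nsRoleDN values that point at
# entries which are missing or are not role definitions. SAMPLE_LDIF is a
# constructed export, not data from the bug report.
SAMPLE_LDIF = """\
dn: cn=admins,dc=example,dc=com
objectClass: nsRoleDefinition
objectClass: nsManagedRoleDefinition

dn: cn=roles testuser2,ou=people,dc=example,dc=com
objectClass: person
nsRoleDN: cn=Admins, dc=example, dc=com

dn: cn=roles testuser3,ou=people,dc=example,dc=com
objectClass: person
nsRoleDN: ou=invalid
"""

def normalize_dn(dn):
    # Case-fold and strip whitespace around RDN separators before comparing.
    return ",".join(part.strip() for part in dn.split(",")).lower()

def parse_ldif(text):
    # Minimal LDIF reader -> {normalized dn: {attr_lower: [values]}}. Folded
    # continuation lines are unfolded first; base64 ("::") values are not decoded.
    entries, current = {}, None
    for raw in text.replace("\n ", "").splitlines() + [""]:  # "" flushes last entry
        if not raw.strip():
            if current is not None:
                entries[normalize_dn(current["dn"][0])] = current
            current = None
        else:
            attr, _, value = raw.partition(":")
            attr, value = attr.strip().lower(), value.strip()
            if attr == "dn":
                current = {"dn": [value]}
            else:
                current.setdefault(attr, []).append(value)
    return entries

def dangling_roles(entries):
    # Return [(entry_dn, nsRoleDN value, reason)] for every bad reference.
    findings = []
    for dn, attrs in entries.items():
        for role in attrs.get("nsroledn", []):
            target = entries.get(normalize_dn(role))
            if target is None:
                findings.append((dn, role, "no such entry"))
            elif "nsroledefinition" not in {o.lower() for o in target.get("objectclass", [])}:
                findings.append((dn, role, "target is not a role definition"))
    return findings
```

Run it against the output of a full `db2ldif` export (or an `ldapsearch -LLL` over the whole suffix) to list every user whose role reference has no backing role entry.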