Bug 1108229 - [RFE] Better integration with the external provisioning systems - users
Summary: [RFE] Better integration with the external provisioning systems - users
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.1
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Assignee: Martin Kosek
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-06-11 14:58 UTC by Martin Kosek
Modified: 2015-03-05 10:12 UTC (History)

Fixed In Version: ipa-4.0.3-1.el7
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-05 10:12:04 UTC
Target Upstream Version:
Embargoed:




Links
System: Red Hat Product Errata
ID: RHSA-2015:0442
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: ipa security, bug fix, and enhancement update
Last Updated: 2015-03-05 14:50:39 UTC

Description Martin Kosek 2014-06-11 14:58:13 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3588

This is a follow-up ticket for #3583.

The target of this ticket is to add the `userClass` attributeType also for user objects. The first proposal is to create a new objectClass `ipaUser` which would contain this attributeType in its MAY list (and maybe other attributes too).

A second goal of this ticket is to review current objectClass hierarchy of users and do changes if needed.

This ticket should be done together with #3590.

Comment 1 Martin Kosek 2014-06-11 15:23:26 UTC
This request is already fixed in upstream FreeIPA project. Please refer to the linked ticket for additional details and related commits.

Comment 3 Namita Soman 2015-01-21 19:43:02 UTC
Verified using ipa-server-4.1.0-15.el7.x86_64


Test 1:
The ldifs should contain userClass:

# grep userClass /etc/dirsrv/slapd-TESTRELM-TEST/schema/60basev3.ldif 
objectClasses: (2.16.840.1.113730.3.8.12.20 NAME 'ipaUser' AUXILIARY MUST ( uid ) MAY ( userClass ) X-ORIGIN 'IPA v3' )

# grep userClass /etc/dirsrv/slapd-TESTRELM-TEST/schema/05rfc4524.ldif
attributeTypes: ( 0.9.2342.19200300.100.1.8 NAME 'userClass'


Test 2:
Add a user to a single user group using the regex set for that group
# ipa group-add --desc="QE Group" idm-qe
--------------------
Added group "idm-qe"
--------------------
  Group name: idm-qe
  Description: QE Group
  GID: 743000003


# ipa automember-add --type=group idm-qe 
------------------------------
Added automember rule "idm-qe"
------------------------------
  Automember Rule: idm-qe


# ipa automember-add-condition --key=userClass --type=group --inclusive-regex=qe idm-qe
------------------------------
Added condition(s) to "idm-qe"
------------------------------
  Automember Rule: idm-qe
  Inclusive Regex: userClass=qe
----------------------------
Number of conditions added 1
----------------------------


# ipa user-add one --class=qe 
First name: one
Last name: one
----------------
Added user "one"
----------------
  User login: one
  First name: one
  Last name: one
  Full name: one one
  Display name: one one
  Initials: oo
  Home directory: /home/one
  GECOS: one one
  Login shell: /bin/sh
  Kerberos principal: one
  Email address: one
  UID: 743000004
  GID: 743000004
  Class: qe
  Password: False
  Member of groups: idm-qe, ipausers
  Kerberos keys available: False


Test 3:
Add a user to multiple user groups using the regexes set for those groups
# ipa group-add --desc="Dev Group" idm-dev
---------------------
Added group "idm-dev"
---------------------
  Group name: idm-dev
  Description: Dev Group
  GID: 743000005


# ipa automember-add --type=group idm-dev
-------------------------------
Added automember rule "idm-dev"
-------------------------------
  Automember Rule: idm-dev


# ipa automember-add-condition --key=userClass --type=group --inclusive-regex=dev idm-dev
-------------------------------
Added condition(s) to "idm-dev"
-------------------------------
  Automember Rule: idm-dev
  Inclusive Regex: userClass=dev
----------------------------
Number of conditions added 1
----------------------------


# ipa user-add two --class=qe,dev
First name: two
Last name: two
----------------
Added user "two"
----------------
  User login: two
  First name: two
  Last name: two
  Full name: two two
  Display name: two two
  Initials: tt
  Home directory: /home/two
  GECOS: two two
  Login shell: /bin/sh
  Kerberos principal: two
  Email address: two
  UID: 743000006
  GID: 743000006
  Class: qe,dev
  Password: False
  Member of groups: idm-qe, ipausers, idm-dev
  Kerberos keys available: False

# ipa group-show idm-qe
  Group name: idm-qe
  Description: QE Group
  GID: 743000003
  Member users: one, two


# ipa group-show idm-dev
  Group name: idm-dev
  Description: Dev Group
  GID: 743000005
  Member users: two


Test 4:
Add a user with a class value that matches no regex
# ipa user-add three --class=non-existent 
First name: three
Last name: three
------------------
Added user "three"
------------------
  User login: three
  First name: three
  Last name: three
  Full name: three three
  Display name: three three
  Initials: tt
  Home directory: /home/three
  GECOS: three three
  Login shell: /bin/sh
  Kerberos principal: three
  Email address: three
  UID: 743000007
  GID: 743000007
  Class: non-existent
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False


Test 5:
Find users using a single value for the "class" parameter

# ipa user-find --class=qe
---------------
2 users matched
---------------
  User login: four
  First name: four
  Last name: four
  Home directory: /home/four
  Login shell: /bin/sh
  Email address: four
  UID: 743000008
  GID: 743000008
  Account disabled: False
  Class: qe
  Password: False
  Kerberos keys available: False

  User login: one
  First name: one
  Last name: one
  Home directory: /home/one
  Login shell: /bin/sh
  Email address: one
  UID: 743000004
  GID: 743000004
  Account disabled: False
  Class: qe
  Password: False
  Kerberos keys available: False
----------------------------
Number of entries returned 2
----------------------------


Test 6:
Find users using multiple values for the "class" parameter

# ipa user-find --class=qe,dev
--------------
1 user matched
--------------
  User login: two
  First name: two
  Last name: two
  Home directory: /home/two
  Login shell: /bin/sh
  Email address: two
  UID: 743000006
  GID: 743000006
  Account disabled: False
  Class: qe,dev
  Password: False
  Kerberos keys available: False
----------------------------
Number of entries returned 1
----------------------------


Test 7:
Find users using a non-existent value for the "class" parameter

# ipa user-find --class=xxx
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------


Test 8:
Change a user's group to another group using the "class" parameter

# ipa user-mod one --class=dev
-------------------
Modified user "one"
-------------------
  User login: one
  First name: one
  Last name: one
  Home directory: /home/one
  Login shell: /bin/sh
  Email address: one
  UID: 743000004
  GID: 743000004
  Account disabled: False
  Class: dev
  Password: False
  Member of groups: idm-qe, ipausers
  Kerberos keys available: False


# ipa group-show idm-dev
  Group name: idm-dev
  Description: Dev Group
  GID: 743000005
  Member users: two


# ipa automember-rebuild --type=group
--------------------------------------------------------
Automember rebuild task finished. Processed (5) entries.
--------------------------------------------------------


# ipa group-show idm-dev
  Group name: idm-dev
  Description: Dev Group
  GID: 743000005
  Member users: one, two

# ipa user-show one
  User login: one
  First name: one
  Last name: one
  Home directory: /home/one
  Login shell: /bin/sh
  Email address: one
  UID: 743000004
  GID: 743000004
  Account disabled: False
  Class: dev
  Password: False
  Member of groups: idm-qe, ipausers, idm-dev
  Kerberos keys available: False

Test 9:
Add a user to multiple groups using the "class" parameter, starting from a single group

# ipa user-add five --class=qe
First name: five
Last name: five
-----------------
Added user "five"
-----------------
  User login: five
  First name: five
  Last name: five
  Full name: five five
  Display name: five five
  Initials: ff
  Home directory: /home/five
  GECOS: five five
  Login shell: /bin/sh
  Kerberos principal: five
  Email address: five
  UID: 743000009
  GID: 743000009
  Class: qe
  Password: False
  Member of groups: idm-qe, ipausers
  Kerberos keys available: False


# ipa group-add --desc="Doc Group" idm-doc
---------------------
Added group "idm-doc"
---------------------
  Group name: idm-doc
  Description: Doc Group
  GID: 743000010


# ipa automember-add --type=group idm-doc
-------------------------------
Added automember rule "idm-doc"
-------------------------------
  Automember Rule: idm-doc


# ipa automember-add-condition --key=userClass --type=group --inclusive-regex=doc idm-doc
-------------------------------
Added condition(s) to "idm-doc"
-------------------------------
  Automember Rule: idm-doc
  Inclusive Regex: userClass=doc
----------------------------
Number of conditions added 1
----------------------------


# ipa user-show five
  User login: five
  First name: five
  Last name: five
  Home directory: /home/five
  Login shell: /bin/sh
  Email address: five
  UID: 743000009
  GID: 743000009
  Account disabled: False
  Class: qe
  Password: False
  Member of groups: idm-qe, ipausers
  Kerberos keys available: False


# ipa user-mod five --class=doc,dev
--------------------
Modified user "five"
--------------------
  User login: five
  First name: five
  Last name: five
  Home directory: /home/five
  Login shell: /bin/sh
  Email address: five
  UID: 743000009
  GID: 743000009
  Account disabled: False
  Class: doc,dev
  Password: False
  Member of groups: idm-qe, ipausers
  Kerberos keys available: False


# ipa automember-rebuild --type=group
--------------------------------------------------------
Automember rebuild task finished. Processed (6) entries.
--------------------------------------------------------


# ipa user-show five
  User login: five
  First name: five
  Last name: five
  Home directory: /home/five
  Login shell: /bin/sh
  Email address: five
  UID: 743000009
  GID: 743000009
  Account disabled: False
  Class: doc,dev
  Password: False
  Member of groups: idm-qe, ipausers, idm-dev, idm-doc
  Kerberos keys available: False

Test 10:
Help text displays the new parameter

# ipa help user-add | grep class
  --class=STR           User category (semantics placed on this attribute are

# ipa help user-mod | grep class
  --class=STR           User category (semantics placed on this attribute are

# ipa help user-find | grep class
  --class=STR           User category (semantics placed on this attribute are
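The verification above exercises two behaviours that matter when `userClass` drives group membership: automember conditions are regexes evaluated against a multi-valued user attribute, and `automember-rebuild` adds members that newly match but never removes members that no longer match (Test 8: user "one" keeps idm-qe after its class became dev). Whoever can write `userClass` on a user entry (here, the external provisioning system this RFE is for) therefore decides group membership, and anything keyed on those groups inherits that trust. The following model reproduces the Test 8 and Test 9 outcomes and adds the check a practitioner would want afterwards: a report of stale automember-managed memberships. This is an added example, not FreeIPA or 389-ds code; the entries, rules and the `stale_members` helper are constructed for illustration, and the regex semantics it assumes (unanchored search, exclusive conditions overriding inclusive ones) should be confirmed against your own directory server.

```python
"""Model of IdM automember evaluation over the userClass attribute.
Added example, not FreeIPA/389-ds code. Entries and rules follow Comment 3;
regex and rebuild semantics are assumptions documented inline."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]          # attribute -> values, like an LDAP entry


@dataclass
class AutomemberRule:
    group: str
    inclusive: List[Tuple[str, str]]  # (attribute, regex), e.g. ("userClass", "qe")
    exclusive: List[Tuple[str, str]] = field(default_factory=list)


def _any_match(conds: List[Tuple[str, str]], entry: Entry) -> bool:
    # Assumption: the regex is searched anywhere in each value (unanchored), so
    # "dev" also matches a class "devops" unless the rule is written "^dev$".
    return any(re.search(rx, value)
               for attr, rx in conds for value in entry.get(attr, []))


def rule_matches(rule: AutomemberRule, entry: Entry) -> bool:
    # Assumption: an exclusive condition takes precedence over inclusive ones.
    if _any_match(rule.exclusive, entry):
        return False
    return _any_match(rule.inclusive, entry)


def groups_on_add(entry: Entry, rules: List[AutomemberRule]) -> List[str]:
    """Membership assigned when the entry is created (ipausers is the default)."""
    return sorted({"ipausers"} | {r.group for r in rules if rule_matches(r, entry)})


def rebuild(users: Dict[str, Entry], memberships: Dict[str, List[str]],
            rules: List[AutomemberRule]) -> Dict[str, List[str]]:
    """Model of `ipa automember-rebuild`: adds missing members, never removes
    members whose attributes no longer match (observed in Test 8)."""
    out = {}
    for uid, entry in users.items():
        current = set(memberships.get(uid, ["ipausers"]))
        current |= {r.group for r in rules if rule_matches(r, entry)}
        out[uid] = sorted(current)
    return out


def stale_members(users: Dict[str, Entry], memberships: Dict[str, List[str]],
                  rules: List[AutomemberRule]) -> Dict[str, List[str]]:
    """Hypothetical post-change check: automember-managed groups a user still
    holds although no rule matches the entry any more. Rebuild will not revoke
    these, so they must be removed explicitly (e.g. ipa group-remove-member)."""
    managed = {r.group for r in rules}
    stale = {}
    for uid, groups in memberships.items():
        still_ok = {r.group for r in rules if rule_matches(r, users[uid])}
        gone = sorted(g for g in groups if g in managed and g not in still_ok)
        if gone:
            stale[uid] = gone
    return stale


RULES = [  # the three rules created in Comment 3
    AutomemberRule("idm-qe", [("userClass", "qe")]),
    AutomemberRule("idm-dev", [("userClass", "dev")]),
    AutomemberRule("idm-doc", [("userClass", "doc")]),
]


def scenario_test8():
    """user-add one --class=qe; user-mod one --class=dev; automember-rebuild."""
    users = {"one": {"uid": ["one"], "userClass": ["qe"]}}
    memberships = {"one": groups_on_add(users["one"], RULES)}
    on_add = list(memberships["one"])
    users["one"]["userClass"] = ["dev"]               # ipa user-mod one --class=dev
    memberships = rebuild(users, memberships, RULES)  # ipa automember-rebuild --type=group
    return on_add, memberships["one"], stale_members(users, memberships, RULES)


def scenario_test9():
    """user-add five --class=qe before the idm-doc rule exists; then
    user-mod five --class=doc,dev and automember-rebuild."""
    users = {"five": {"uid": ["five"], "userClass": ["qe"]}}
    memberships = {"five": groups_on_add(users["five"], RULES[:2])}
    users["five"]["userClass"] = ["doc", "dev"]
    return rebuild(users, memberships, RULES)["five"]


def unanchored_regex_pitfall():
    """Constructed entry (not from the page): class 'devops' vs rule 'dev'."""
    entry = {"uid": ["six"], "userClass": ["devops"]}
    loose = AutomemberRule("idm-dev", [("userClass", "dev")])
    strict = AutomemberRule("idm-dev", [("userClass", "^dev$")])
    return rule_matches(loose, entry), rule_matches(strict, entry)


if __name__ == "__main__":
    print("Test 8 model:", scenario_test8())
    print("Test 9 model:", scenario_test9())
    print("unanchored vs anchored:", unanchored_regex_pitfall())
```

The stale report is the operational takeaway: after changing a user's class, run the equivalent of `stale_members` against the groups your HBAC and sudo rules reference and remove the leftovers by hand, and anchor the regexes (`^qe$` rather than `qe`) so that a provisioning system setting a longer class string cannot land a user in a group by substring match.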

Comment 5 errata-xmlrpc 2015-03-05 10:12:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html

