Bug 1463186 - IPA shouldn't allow objectclass if not all in lower case
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Assigned To: IPA Maintainers
QA Contact: ipa-qe
Reported: 2017-06-20 06:58 EDT by Ming Davies
Modified: 2018-04-10 12:43 EDT
Fixed In Version: ipa-4.5.4-1.el7
Last Closed: 2018-04-10 12:42:04 EDT
Type: Bug
External Trackers: Red Hat Product Errata RHBA-2018:0918 (last updated 2018-04-10 12:43 EDT)

Description Ming Davies 2017-06-20 06:58:24 EDT
Description of problem:
Customer said that they migrated users from the older version of IPA that had "objectclass=posixAccount" rather than "objectclass=posixaccount", which is problematic when it comes to using "ipa idoverrideuser-add".

Version-Release number of selected component (if applicable):
ipa-server-4.4.0-14.el7_3.7.x86_64
389-ds-base-1.3.5.10-20.el7_3.x86_64


How reproducible:


Steps to Reproduce:
1. Create two users in IPA using an LDIF file, one with "objectclass=posixAccount" and the other with "objectclass=posixAccount"
2. Load the users to the IPA
3. Then run:
ipa idview-add testview
ipa idoverrideuser-add testview <username> --homedir=/var/tmp

Actual results:

user with "objectClass: posixAccount"
# ipa idoverrideuser-add testview cgoodwin --homedir=/home/cgoodwin
ipa: ERROR: invalid 'IPA object': system IPA objects (e.g system groups, user private groups) cannot be overridden


user with "objectClass: posixaccount"
# ipa idoverrideuser-add testview bgoodwin --homedir=/home/mygoodwin
---------------------------------
Added User ID override "bgoodwin"
---------------------------------
  Anchor to override: bgoodwin
  Home directory: /home/mygoodwin


Expected results:


Additional info:
The workaround is to replace "objectclass=posixAccount" with "objectclass=posixaccount".
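
Added example (not part of the bug report and not FreeIPA's code): LDAP matches objectClass values case-insensitively, so a check that compares them as exact strings misses entries like the migrated ones described above. The sketch assumes the failure comes from such an exact-case comparison; the LDIF sample is constructed, and parse_ldif, has_class_exact, has_class and affected_entries are hypothetical helper names.

```python
# Constructed sample (not from the bug report): two users whose
# posixaccount objectClass differs only in letter case.
SAMPLE_LDIF = """\
dn: uid=ipauser12,cn=users,cn=accounts,dc=testrelm,dc=test
objectClass: top
objectClass: posixaccount
uid: ipauser12

dn: uid=ipauser13,cn=users,cn=accounts,dc=testrelm,dc=test
objectClass: top
objectClass: posixAccount
uid: ipauser13
"""


def parse_ldif(text):
    """Return {dn: [objectClass values]} for a simple LDIF export.

    Folded lines and base64 ("attr::") values are not handled.
    """
    entries, dn = {}, None
    for line in text.splitlines():
        if not line.strip():          # blank line ends the current entry
            dn = None
            continue
        if line.startswith("#") or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.lower(), value.strip()  # attribute names are case-insensitive
        if attr == "dn":
            dn = value
            entries[dn] = []
        elif attr == "objectclass" and dn is not None:
            entries[dn].append(value)
    return entries


def has_class_exact(classes, wanted):
    """Exact-case membership test: the comparison assumed to be at fault."""
    return wanted in classes


def has_class(classes, wanted):
    """Case-insensitive membership test, matching LDAP semantics."""
    return wanted.lower() in {c.lower() for c in classes}


def affected_entries(entries, wanted="posixaccount"):
    """DNs that carry `wanted` but would be missed by an exact-case check."""
    return [dn for dn, ocs in entries.items()
            if has_class(ocs, wanted) and not has_class_exact(ocs, wanted)]
```

Running affected_entries over an export of cn=users lists the entries that need the workaround on an unpatched server.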
Comment 2 Petr Vobornik 2017-07-28 11:34:56 EDT
Upstream ticket:
https://pagure.io/freeipa/issue/7074
Comment 3 Stanislav Laznicka 2017-09-12 12:05:32 EDT
Fixed upstream
master:
https://pagure.io/freeipa/c/286bbb2ab77559f63d10c8c5c4923520cb7d3d0f
Comment 4 Stanislav Laznicka 2017-09-13 02:47:13 EDT
Fixed upstream
ipa-4-6:
https://pagure.io/freeipa/c/a5e8f52801f5f6c59ac9bfcf2a14b002584c560a
Comment 5 Stanislav Laznicka 2017-09-14 02:36:45 EDT
Fixed upstream
ipa-4-5:
https://pagure.io/freeipa/c/61e8b4936f1fd73f8d4c359348cf83f37da35fef
Comment 7 Sudhir Menon 2018-01-22 10:01:24 EST
Fix is seen. Verified on RHEL7.5 

ipa-server-4.5.4-8.el7.x86_64
389-ds-base-1.3.7.5-13.el7.x86_64
selinux-policy-3.13.1-186.el7.noarch
sssd-1.16.0-14.el7.x86_64

[root@master share]# /usr/bin/ldapadd -D cn="Directory Manager" -w Secret123 -a -f /tmp/ldif.txt 
adding new entry "uid=ipauser12,cn=users,cn=accounts,dc=testrelm,dc=test"
adding new entry "uid=ipauser13,cn=users,cn=accounts,dc=testrelm,dc=test"


dn: uid=ipauser12,cn=users,cn=accounts,dc=testrelm,dc=test
displayName: ipauser12
uid: ipauser12
uidNumber: 1975200015
gidNumber: 1975200015
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount <===
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
objectClass: ipantuserattrs
loginShell: /bin/sh
homeDirectory: /home/ipauser12
initials: user12
gecos: ipauser12
sn: ipauser12
givenName: test
cn: ipauser12
ipaNTSecurityIdentifier: S-1-5-21-1238326235-786018428-537206457-1015

dn: cn=ipauser12,cn=groups,cn=accounts,dc=testrelm,dc=test
objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top
cn: ipauser12
gidNumber: 1975200015
description: User private group for ipauser12
mepManagedBy: uid=ipauser12,cn=users,cn=accounts,dc=testrelm,dc=test
ipaUniqueID: 5885742c-ff84-11e7-bb1a-00163e076381

dn: uid=ipauser13,cn=users,cn=accounts,dc=testrelm,dc=test
displayName: ipauser13
uid: ipauser13
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixAccount <====
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
objectClass: ipantuserattrs
gidNumber: 1975200016
uidNumber: 1975200016
loginShell: /bin/sh
homeDirectory: /home/ipauser13
initials: user13
gecos: ipauser13
sn: ipauser13
givenName: test
cn: ipauser13
ipaNTSecurityIdentifier: S-1-5-21-1238326235-786018428-537206457-1016

dn: cn=ipauser13,cn=groups,cn=accounts,dc=testrelm,dc=test
objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top
cn: ipauser13
gidNumber: 1975200016
description: User private group for ipauser13
mepManagedBy: uid=ipauser13,cn=users,cn=accounts,dc=testrelm,dc=test
ipaUniqueID: 5886b9b8-ff84-11e7-abf1-00163e076381

[root@master share]# ipa user-find
  User login: ipauser12
  First name: test
  Last name: ipauser12
  Home directory: /home/ipauser12
  Login shell: /bin/sh
  UID: 1975200015
  GID: 1975200015
  Account disabled: False

  User login: ipauser13
  First name: test
  Last name: ipauser13
  Home directory: /home/ipauser13
  Login shell: /bin/sh
  UID: 1975200016
  GID: 1975200016
  Account disabled: False

[root@master share]# ipa idoverrideuser-add testview ipauser12
----------------------------------
Added User ID override "ipauser12"
----------------------------------
  Anchor to override: ipauser12
[root@master share]# ipa idoverrideuser-add testview ipauser13
----------------------------------
Added User ID override "ipauser13"
----------------------------------
  Anchor to override: ipauser13
[root@master share]# ipa idoverrideuser-find testview
---------------------------
2 User ID overrides matched
---------------------------
  Anchor to override: ipauser12

  Anchor to override: ipauser13
----------------------------
Number of entries returned 2
----------------------------
Comment 11 errata-xmlrpc 2018-04-10 12:42:04 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0918
