Description of problem: Run "ipa user-add" to add a username without a letter. The error message is not very descriptive. In below examples, all input strings meet the requirements specified in error message. i.e. The strings contains numbers, -, _, . and/or $. (letter is absence in all provided strings). The error message should clear indicates that username must contain at least a letter. # ipa user-add '$_-1234567' --first=User --last=Last ipa: ERROR: invalid 'login': may only include letters, numbers, _, -, . and $ # ipa user-add '$_1234567' --first=User --last=Last ipa: ERROR: invalid 'login': may only include letters, numbers, _, -, . and $ # ipa user-add '$1234567' --first=User --last=Last ipa: ERROR: invalid 'login': may only include letters, numbers, _, -, . and $ # ipa user-add '1234567' --first=User --last=Last ipa: ERROR: invalid 'login': may only include letters, numbers, _, -, . and $ # ipa user-add '$_1234567.' --first=User --last=Last ipa: ERROR: invalid 'login': may only include letters, numbers, _, -, . and $ Version-Release number of selected component (if applicable): ipa-client-4.9.8-8.module+el8.6.0+16878+6c033536.x86_64 ipa-client-common-4.9.8-8.module+el8.6.0+16878+6c033536.noarch ipa-common-4.9.8-8.module+el8.6.0+16878+6c033536.noarch ipa-healthcheck-0.7-10.module+el8.6.0+14292+18b36d36.noarch ipa-healthcheck-core-0.7-10.module+el8.6.0+14292+18b36d36.noarch ipa-selinux-4.9.8-8.module+el8.6.0+16878+6c033536.noarch ipa-server-4.9.8-8.module+el8.6.0+16878+6c033536.x86_64 ipa-server-common-4.9.8-8.module+el8.6.0+16878+6c033536.noarch ipa-server-dns-4.9.8-8.module+el8.6.0+16878+6c033536.noarch ipa-server-trust-ad-4.9.8-8.module+el8.6.0+16878+6c033536.x86_64
Criteria of username changed in https://bugzilla.redhat.com/show_bug.cgi?id=1562396, but the error message has not been updated to reflect the change.
The login name must match the following python regexp: '(?!^[0-9]+$)^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?$' (from https://pagure.io/freeipa/blob/master/f/ipalib/constants.py PATTERN_GROUPUSER_NAME) This translates into: Cannot contain only numbers Can start with letters numbers _ or . Can contain letters numbers _ . or - Can end with letters numbers _ . $ or - The fix could describe all the rules in the help for "ipa user" + replace the current message with a reference to the help, for instance: # ipa user-add _123@ ipa: ERROR: invalid 'login': refer to ipa help user for valid usernames Currently we have: ----- 8< ----- # ipa help user Users Manage user entries. All users are POSIX users. IPA supports a wide range of username formats, but you need to be aware of any restrictions that may apply to your particular environment. For example, usernames that start with a digit or usernames that exceed a certain length may cause problems for some UNIX systems. ----- 8< -----
Is the same message used in "group_name"? ~~~ # ipa group-add 123 ipa: ERROR: invalid 'group_name': may only include letters, numbers, _, -, . and $ ~~~
(In reply to Sunny Wu from comment #4) > Is the same message used in "group_name"? > > ~~~ > # ipa group-add 123 > ipa: ERROR: invalid 'group_name': may only include letters, numbers, _, -, . > and $ > ~~~ The same pattern check is applied and the same message is used. For users: https://pagure.io/freeipa/blob/2a9919afbd782326580ab52494c917b51023a1c9/f/ipaserver/plugins/baseuser.py#_212-214 Str('uid', pattern=constants.PATTERN_GROUPUSER_NAME, pattern_errmsg='may only include letters, numbers, _, -, . and $', For groups: https://pagure.io/freeipa/blob/2a9919afbd782326580ab52494c917b51023a1c9/f/ipaserver/plugins/group.py#_331-333 Str('cn', pattern=PATTERN_GROUPUSER_NAME, pattern_errmsg='may only include letters, numbers, _, -, . and $',
Upstream ticket: https://pagure.io/freeipa/issue/9378
Fixed upstream master: https://pagure.io/freeipa/c/7b0ad59feaf7ad017799c89010a95c2f6f55699d
Fixed upstream ipa-4-9: https://pagure.io/freeipa/c/f42a106e84c1fd609350da2540289ce945a7ecbd
Fixed upstream ipa-4-10: https://pagure.io/freeipa/c/7830ab96cc295e4151ad3d86cbbaf400a7ab2016