Description of problem:
When adding a user we attempt to add the user to the default user's group. If the search for this group fails then adding the user will fail as well.

Currently ipa-adduser will fail with:

# ipa-adduser -f Test -l User testuser
* not found

We should at minimum provide a better error message.
Should we instead make ipausers undeletable?
No. There is no need to require that the group of "everyone" be ipausers. He put in a perfectly legal group. The problem is that the add_user code assumes the location in the DIT of the group and constructs the DN. What I will probably do is store the DN of the default group instead, assuming it doesn't cause too much grief with installation and I can figure out a way to handle both cases. What I wanted to avoid is a search for the group whenever a user is added.
Created attachment 312294
decent error message if default group not found

The wrong exception was being used to catch the LDAP not found.
master: 23fab304e97d4b275037e066ab93c44e0ed8ae96
Fix Verified:
Can't delete default group via webgui or ipa-delgroup. If you delete the group with ldapmodify and try to add a user - you get a descriptive error message.

[root@jennyv3 /]# ipa-adduser jack
First name: Jack
Last name: O'Lantern
The default group for new users, 'test', cannot be found.

[root@jennyv3 /]# ipa-finduser jack
No entries found for jack