Description of problem:
After adding a new host, it is possible to change the ipaUniqueID. I can also set it to the same value as another existing host.

<snip>
[root@dhcp-100-3-186 ipa-host-cli]# ipa host-add myhost.bos.redhat.com
----------------------------------
Added host "myhost.bos.redhat.com"
----------------------------------
  Host name: myhost.bos.redhat.com
  Principal name: host/myhost.bos.redhat.com.COM
[root@dhcp-100-3-186 ipa-host-cli]# ipa host-show --all myhost.bos.redhat.com
  dn: fqdn=myhost.bos.redhat.com,cn=computers,cn=accounts,dc=bos,dc=redhat,dc=com
  Host name: myhost.bos.redhat.com
  Principal name: host/myhost.bos.redhat.com.COM
  Keytab: False
  cn: myhost.bos.redhat.com
  ipauniqueid: fe3b567a-c0cb-11df-8529-000c29a5c12c
  managedby: fqdn=myhost.bos.redhat.com,cn=computers,cn=accounts,dc=bos,dc=redhat,dc=com
  objectclass: ipaobject, nshost, ipahost, pkiuser, ipaservice, krbprincipalaux, krbprincipal, top
  serverhostname: myhost
[root@dhcp-100-3-186 ipa-host-cli]# ipa host-mod --setattr ipaUniqueID=127863947-84375973-gq9587 myhost.bos.redhat.com
-------------------------------------
Modified host "myhost.bos.redhat.com"
-------------------------------------
  Host name: myhost.bos.redhat.com
  Principal name: host/myhost.bos.redhat.com.COM
[root@dhcp-100-3-186 ipa-host-cli]# echo $?
0
[root@dhcp-100-3-186 ipa-host-cli]# ipa host-show --all myhost.bos.redhat.com
  dn: fqdn=myhost.bos.redhat.com,cn=computers,cn=accounts,dc=bos,dc=redhat,dc=com
  Host name: myhost.bos.redhat.com
  Principal name: host/myhost.bos.redhat.com.COM
  Keytab: False
  cn: myhost.bos.redhat.com
  ipauniqueid: 127863947-84375973-gq9587
  managedby: fqdn=myhost.bos.redhat.com,cn=computers,cn=accounts,dc=bos,dc=redhat,dc=com
  objectclass: ipaobject, nshost, ipahost, pkiuser, ipaservice, krbprincipalaux, krbprincipal, top
  serverhostname: myhost
</snip>

Version-Release number of selected component (if applicable):
ipa-server-1.91-0.2010080617git830910d.fc12.i686
ipa-admintools-1.91-0.2010080617git830910d.fc12.i686

How reproducible:
always

Steps to Reproduce:
1. See description
2.
3.

Actual results:
Successfully changed ipaUniqueID.

Expected results:
Error message explaining the operation is not allowed.

Additional info:
I have not tried this with other objects such as users and groups .. my assumption is the same will be true and all need to be addressed.
Two hosts with the same unique id - ldapsearch output:

<snip>
# jennyv1.bos.redhat.com, computers, accounts, bos.redhat.com
dn: fqdn=jennyv1.bos.redhat.com,cn=computers,cn=accounts,dc=bos,dc=redhat,dc=com
cn: jennyv1.bos.redhat.com
objectClass: ipaobject
objectClass: nshost
objectClass: ipahost
objectClass: pkiuser
objectClass: ipaservice
objectClass: krbprincipalaux
objectClass: krbprincipal
objectClass: top
fqdn: jennyv1.bos.redhat.com
managedBy: fqdn=jennyv1.bos.redhat.com,cn=computers,cn=accounts,dc=bos,dc=redhat,dc=com
ipaUniqueID: 9ca8bb70-bc3a-11df-9a4d-000c29a5c12c
krbPrincipalName: host/jennyv1.bos.redhat.com.COM
serverHostName: jennyv1
nsHostLocation: Lab 3
l: Westord
nsOsVersion: Fedora 13
nsHardwarePlatform: i636
enrolledBy: uid=admin,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com
description: testings

# myhost.bos.redhat.com, computers, accounts, bos.redhat.com
dn: fqdn=myhost.bos.redhat.com,cn=computers,cn=accounts,dc=bos,dc=redhat,dc=com
cn: myhost.bos.redhat.com
objectClass: ipaobject
objectClass: nshost
objectClass: ipahost
objectClass: pkiuser
objectClass: ipaservice
objectClass: krbprincipalaux
objectClass: krbprincipal
objectClass: top
fqdn: myhost.bos.redhat.com
managedBy: fqdn=myhost.bos.redhat.com,cn=computers,cn=accounts,dc=bos,dc=redhat,dc=com
ipaUniqueID: 9ca8bb70-bc3a-11df-9a4d-000c29a5c12c
krbPrincipalName: host/myhost.bos.redhat.com.COM
serverHostName: myhost
</snip>

ipa host-show --all output:

<snip>
[root@dhcp-100-3-186 ipa-host-cli]# ipa host-show --all jennyv1.bos.redhat.com
  dn: fqdn=jennyv1.bos.redhat.com,cn=computers,cn=accounts,dc=bos,dc=redhat,dc=com
  Host name: jennyv1.bos.redhat.com
  Description: testings
  Locality: Westord
  Location: Lab 3
  Platform: i636
  Operating system: Fedora 13
  Principal name: host/jennyv1.bos.redhat.com.COM
  Keytab: False
  cn: jennyv1.bos.redhat.com
  enrolledby_user: admin
  ipauniqueid: 9ca8bb70-bc3a-11df-9a4d-000c29a5c12c
  managedby: fqdn=jennyv1.bos.redhat.com,cn=computers,cn=accounts,dc=bos,dc=redhat,dc=com
  objectclass: ipaobject, nshost, ipahost, pkiuser, ipaservice, krbprincipalaux, krbprincipal, top
  serverhostname: jennyv1
[root@dhcp-100-3-186 ipa-host-cli]# ipa host-show --all myhost.bos.redhat.com
  dn: fqdn=myhost.bos.redhat.com,cn=computers,cn=accounts,dc=bos,dc=redhat,dc=com
  Host name: myhost.bos.redhat.com
  Principal name: host/myhost.bos.redhat.com.COM
  Keytab: False
  cn: myhost.bos.redhat.com
  ipauniqueid: 9ca8bb70-bc3a-11df-9a4d-000c29a5c12c
  managedby: fqdn=myhost.bos.redhat.com,cn=computers,cn=accounts,dc=bos,dc=redhat,dc=com
  objectclass: ipaobject, nshost, ipahost, pkiuser, ipaservice, krbprincipalaux, krbprincipal, top
  serverhostname: myhost
</snip>
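An added audit script (not part of this bug report or of FreeIPA itself) that unfolds ldapsearch LDIF output and flags ipaUniqueID values shared by more than one entry, or not in the UUID form the server generates, so a directory with the duplicate shown above or the hand-set value from the first comment can be spotted. The sample LDIF is constructed from the two entries quoted here, trimmed to a few attributes, plus a hypothetical third host (example-host.bos.redhat.com) carrying the non-UUID value.

```python
import re

# Constructed sample: the two entries quoted above, cut to a few attributes,
# plus a hypothetical third host carrying the non-UUID value from the report.
SAMPLE_LDIF = """\
# jennyv1.bos.redhat.com, computers, accounts, bos.redhat.com
dn: fqdn=jennyv1.bos.redhat.com,cn=computers,cn=accounts,dc=bos,dc=redhat,dc=c
 om
ipaUniqueID: 9ca8bb70-bc3a-11df-9a4d-000c29a5c12c

dn: fqdn=myhost.bos.redhat.com,cn=computers,cn=accounts,dc=bos,dc=redhat,dc=com
ipaUniqueID: 9ca8bb70-bc3a-11df-9a4d-000c29a5c12c

dn: fqdn=example-host.bos.redhat.com,cn=computers,cn=accounts,dc=bos,dc=redhat,dc=com
ipaUniqueID: 127863947-84375973-gq9587
"""
# Server-generated ipaUniqueID values are UUIDs (8-4-4-4-12 hex digits).
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def parse_ldif(text):
    """ldapsearch output -> list of {attr (lower-cased): [values]} per entry."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:   # LDIF continuation line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:               # trailing "" flushes last entry
        if line.startswith("#"):               # ldapsearch comment line
            continue
        if not line:                           # blank line ends an entry
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def audit_unique_ids(entries):
    """Return ({id: [dns]} for IDs shared by more than one entry, [(dn, id)] not in UUID form)."""
    seen, malformed = {}, []
    for entry in entries:
        dn = entry.get("dn", ["<no dn>"])[0]
        for uid in entry.get("ipauniqueid", []):
            seen.setdefault(uid.lower(), []).append(dn)
            if not UUID_RE.match(uid):
                malformed.append((dn, uid))
    return {u: d for u, d in seen.items() if len(d) > 1}, malformed
```

Run it against real output with `parse_ldif(open("hosts.ldif").read())`, where hosts.ldif is the result of an ldapsearch over cn=computers,cn=accounts requesting the ipaUniqueID attribute.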
ticket https://fedorahosted.org/freeipa/ticket/231
master: e648e03d0c730e07a55f64e9fb49a2f9bdcf6e52
verified

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa-host-cli-15: Negative - setattr and addattr on ipaUniqueID
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: Executing: ipa host-mod --setattr ipaUniqueID=127863947-84375973-gq9587 nightcrawler.testrelm
:: [ LOG ] :: "ipa host-mod --setattr ipaUniqueID=127863947-84375973-gq9587 nightcrawler.testrelm" failed as expected.
:: [ LOG ] :: Error message as expected: ipa: ERROR: Insufficient access: Only the Directory Manager can set arbitrary values for ipaUniqueID
:: [ PASS ] :: Verify expected error message for --setattr.
:: [ LOG ] :: Executing: ipa host-mod --addattr ipaUniqueID=127863947-84375973-gq9587 nightcrawler.testrelm
:: [ LOG ] :: "ipa host-mod --addattr ipaUniqueID=127863947-84375973-gq9587 nightcrawler.testrelm" failed as expected.
:: [ LOG ] :: Error message as expected: ipa: ERROR: Insufficient access: Only the Directory Manager can set arbitrary values for ipaUniqueID
:: [ PASS ] :: Verify expected error message for --addattr.
:: [ LOG ] :: Duration: 7s
:: [ LOG ] :: Assertions: 2 good, 0 bad
:: [ PASS ] :: RESULT: ipa-host-cli-15: Negative - setattr and addattr on ipaUniqueID

# rpm -qi ipa-server | head
Name        : ipa-server                   Relocations: (not relocatable)
Version     : 2.0.0                        Vendor: Red Hat, Inc.
Release     : 23.el6                       Build Date: Wed 20 Apr 2011 09:57:13 AM EDT
Install Date: Thu 19 May 2011 12:47:52 PM EDT      Build Host: x86-003.build.bos.redhat.com
Group       : System Environment/Base      Source RPM: ipa-2.0.0-23.el6.src.rpm
Size        : 2565882                      License: GPLv3+
Signature   : RSA/8, Thu 21 Apr 2011 03:48:25 PM EDT, Key ID 199e2f91fd431d51
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server