Bug 636979 - ipa group-mod --addattr allows multiple cn attributes
Status: CLOSED ERRATA
Alias: None
Product: freeIPA
Classification: Retired
Component: ipa-admintools
Version: 2.0
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
Reported: 2010-09-23 20:37 UTC by Jenny Severance
Modified: 2015-01-04 23:44 UTC (History)

Fixed In Version: freeipa-2.0.0-1.fc15
Doc Type: Bug Fix
Last Closed: 2012-03-28 09:37:16 UTC

Description Jenny Severance 2010-09-23 20:37:48 UTC
Description of problem:
ipa group-mod fails to change the cn attribute with --setattr as expected, but allows a second cn to be added with --addattr

<snip>

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-group-cli-49: Negative - setattr and addattr on cn
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Executing: ipa group-mod --setattr cn=cn=new,cn=groups,dc=domain,dc=com fish
:: [   LOG    ] :: "ipa group-mod --setattr cn=cn=new,cn=groups,dc=domain,dc=com fish" failed as expected.
:: [   LOG    ] :: Error message as expected: ipa: ERROR: Operation not allowed on RDN:
:: [   PASS   ] :: Verify expected error message for --setattr.
:: [   LOG    ] :: Executing: ipa group-mod --addattr cn=cn=new,cn=groups,dc=domain,dc=com fish
:: [   LOG    ] :: ERROR: Expected "ipa group-mod --addattr cn=cn=newer,cn=groups,dc=domain,dc=com fish" to fail.
:: [   FAIL   ] :: Verify expected error message for --addattr. (Expected 0, got 1)
:: [   LOG    ] :: Duration: 5s
:: [   LOG    ] :: Assertions: 1 good, 1 bad
:: [   FAIL   ] :: RESULT: ipa-group-cli-49: Negative - setattr and addattr on cn


</snip>

Version-Release number of selected component (if applicable):
ipa-server-1.91-0.2010091519git5fd09b0.fc12.i686
ipa-admintools-1.91-0.2010091519git5fd09b0.fc12.i686


How reproducible:
always

Steps to Reproduce:
1. add a group
  # ipa group-add --desc="description" fish
2. attempt to set the cn attribute
  # ipa group-mod --setattr cn="cn=new,cn=groups,dc=domain,dc=com" fish
  (this fails as expected)
3. attempt to add additional cn attribute
  # ipa group-mod --addattr cn="cn=newer,cn=groups,dc=domain,dc=com" fish

Actual results:

[root@dhcp-100-3-186 ipa-group-cli]# ipa group-mod --setattr cn="cn=new,cn=groups,dc=domain,dc=com" fish
ipa: ERROR: Operation not allowed on RDN:
[root@dhcp-100-3-186 ipa-group-cli]# ipa group-mod --addattr cn="cn=newer,cn=groups,dc=domain,dc=com" fish
---------------------
Modified group "fish"
---------------------
  Group name: fish, cn=newer,cn=groups,dc=domain,dc=com
  Description: description
[root@dhcp-100-3-186 ipa-group-cli]# ipa group-show --all --raw fish
  dn: cn=fish,cn=groups,cn=accounts,dc=bos,dc=redhat,dc=com
  cn: fish
  cn: cn=newer,cn=groups,dc=domain,dc=com
  description: description
  ipauniqueid: 2ed09b05-c752-11df-82d3-000c29a5c12c
  objectclass: top
  objectclass: groupofnames
  objectclass: nestedgroup
  objectclass: ipausergroup
  objectclass: ipaobject


Expected results:
addattr option to fail with operation not allowed

Additional info:

Comment 1 Rob Crittenden 2010-09-24 12:52:35 UTC
This is related to bug https://bugzilla.redhat.com/show_bug.cgi?id=634189.

We don't want to let set/addattr change values in the DN. I'm not closing this as a duplicate because the other bug may have other problems in addition to the DN issue.
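
An added example, not part of the original comment and not FreeIPA's actual fix: one way to refuse --setattr and --addattr values that name an attribute used in the entry's RDN, so both options fail the same way. The function and class names are hypothetical, and the DN parser handles only backslash escapes.

```python
class RDNModificationError(ValueError):
    """Raised when --setattr/--addattr targets an attribute used in the RDN."""


def _split_unescaped(text, sep):
    """Split text on sep, ignoring separators escaped with a backslash."""
    parts, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def rdn_attributes(dn):
    """Return the lower-cased attribute names in the first RDN of dn."""
    first_rdn = _split_unescaped(dn, ",")[0]
    # A multi-valued RDN joins its attribute=value pairs with '+'.
    return {ava.split("=", 1)[0].strip().lower()
            for ava in _split_unescaped(first_rdn, "+")}


def check_attr_options(dn, setattr_opts=(), addattr_opts=()):
    """Reject any attr=value option naming an RDN attribute; return parsed pairs."""
    protected = rdn_attributes(dn)
    parsed = []
    for flag, opts in (("--setattr", setattr_opts), ("--addattr", addattr_opts)):
        for opt in opts:
            attr, sep, value = opt.partition("=")
            if not sep or not attr.strip():
                raise ValueError(f"{flag} expects attr=value, got {opt!r}")
            # Attribute names are case-insensitive in LDAP, so compare lower-cased.
            if attr.strip().lower() in protected:
                raise RDNModificationError(
                    f"Operation not allowed on RDN: {flag} {attr.strip()}")
            parsed.append((flag, attr.strip(), value))
    return parsed


# Constructed sample: the entry DN shown in the report's group-show output.
GROUP_DN = "cn=fish,cn=groups,cn=accounts,dc=bos,dc=redhat,dc=com"
```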

Comment 2 Rob Crittenden 2010-09-24 12:53:23 UTC
https://fedorahosted.org/freeipa/ticket/230

Comment 3 Dmitri Pal 2010-12-10 22:48:30 UTC
master: dff2ff830073c638582c3708cec422c47994f36a

