Description of problem:
ipa group-mod fails to change the cn attribute with --setattr as expected, but allows a second cn to be added with --addattr

<snip>
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa-group-cli-49: Negative - setattr and addattr on cn
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: Executing: ipa group-mod --setattr cn=cn=new,cn=groups,dc=domain,dc=com fish
:: [ LOG ] :: "ipa group-mod --setattr cn=cn=new,cn=groups,dc=domain,dc=com fish" failed as expected.
:: [ LOG ] :: Error message as expected: ipa: ERROR: Operation not allowed on RDN:
:: [ PASS ] :: Verify expected error message for --setattr.
:: [ LOG ] :: Executing: ipa group-mod --addattr cn=cn=new,cn=groups,dc=domain,dc=com fish
:: [ LOG ] :: ERROR: Expected "ipa group-mod --addattr cn=cn=newer,cn=groups,dc=domain,dc=com fish" to fail.
:: [ FAIL ] :: Verify expected error message for --addattr. (Expected 0, got 1)
:: [ LOG ] :: Duration: 5s
:: [ LOG ] :: Assertions: 1 good, 1 bad
:: [ FAIL ] :: RESULT: ipa-group-cli-49: Negative - setattr and addattr on cn
</snip>

Version-Release number of selected component (if applicable):
ipa-server-1.91-0.2010091519git5fd09b0.fc12.i686
ipa-admintools-1.91-0.2010091519git5fd09b0.fc12.i686

How reproducible:
always

Steps to Reproduce:
1. add a group
# ipa group-add --desc="description" fish
2. attempt to set the cn attribute
# ipa group-mod --setattr cn="cn=new,cn=groups,dc=domain,dc=com" fish
(this fails as expected)
3. attempt to add additional cn attribute
# ipa group-mod --addattr cn="cn=newer,cn=groups,dc=domain,dc=com" fish

Actual results:
[root@dhcp-100-3-186 ipa-group-cli]# ipa group-mod --setattr cn="cn=new,cn=groups,dc=domain,dc=com" fish
ipa: ERROR: Operation not allowed on RDN:
[root@dhcp-100-3-186 ipa-group-cli]# ipa group-mod --addattr cn="cn=newer,cn=groups,dc=domain,dc=com" fish
---------------------
Modified group "fish"
---------------------
  Group name: fish, cn=newer,cn=groups,dc=domain,dc=com
  Description: description
[root@dhcp-100-3-186 ipa-group-cli]# ipa group-show --all --raw fish
  dn: cn=fish,cn=groups,cn=accounts,dc=bos,dc=redhat,dc=com
  cn: fish
  cn: cn=newer,cn=groups,dc=domain,dc=com
  description: description
  ipauniqueid: 2ed09b05-c752-11df-82d3-000c29a5c12c
  objectclass: top
  objectclass: groupofnames
  objectclass: nestedgroup
  objectclass: ipausergroup
  objectclass: ipaobject

Expected results:
addattr option to fail with operation not allowed

Additional info:
This is related to bug https://bugzilla.redhat.com/show_bug.cgi?id=634189

We don't want to let set/addattr change values in the DN. I'm not closing this as a duplicate because the other bug may have other problems in addition to the DN issue.
https://fedorahosted.org/freeipa/ticket/230
master: dff2ff830073c638582c3708cec422c47994f36a
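
The rule stated in the comment above (set/addattr must not change values in the DN) can be expressed as a pre-modification check that treats --setattr and --addattr identically. This is an added example, not FreeIPA's code and not the contents of the referenced commit; the function names are hypothetical, and the sample DN and options are taken from the report.

```python
def _split_unescaped(text, sep):
    """Split text on sep, leaving backslash-escaped characters untouched."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == '\\' and i + 1 < len(text):
            cur.append(text[i:i + 2])      # keep the escape pair together
            i += 2
            continue
        if text[i] == sep:
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(text[i])
        i += 1
    parts.append(''.join(cur))
    return parts


def rdn_attributes(dn):
    """Return the lower-cased attribute names that make up the leading RDN."""
    first_rdn = _split_unescaped(dn, ',')[0]
    names = set()
    for ava in _split_unescaped(first_rdn, '+'):   # multi-valued RDN: a=1+b=2
        name, sep, _value = ava.partition('=')
        if not sep or not name.strip():
            raise ValueError('malformed RDN component: %r' % ava)
        names.add(name.strip().lower())
    return names


def rdn_violations(dn, setattr_opts=(), addattr_opts=()):
    """List (flag, attr) pairs whose attr is part of the entry's RDN.

    Only the first '=' separates name from value, so a DN-shaped value
    such as 'cn=cn=newer,cn=groups,...' is attributed to 'cn'.
    """
    protected = rdn_attributes(dn)
    found = []
    for flag, opts in (('setattr', setattr_opts), ('addattr', addattr_opts)):
        for opt in opts:
            name, sep, _value = opt.partition('=')
            if not sep:
                raise ValueError('--%s expects attr=value, got %r' % (flag, opt))
            if name.strip().lower() in protected:
                found.append((flag, name.strip()))
    return found


if __name__ == '__main__':
    dn = 'cn=fish,cn=groups,cn=accounts,dc=bos,dc=redhat,dc=com'
    print(rdn_violations(dn, addattr_opts=['cn=cn=newer,cn=groups,dc=domain,dc=com']))
```

A caller would reject the request with the same "Operation not allowed on RDN" error whenever the returned list is non-empty, regardless of which option carried the attribute.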