Bug 667410 - ipa host-mod --addattr on cn should not be allowed
Status: CLOSED ERRATA
Alias: None
Product: freeIPA
Classification: Retired
Component: ipa-admintools
Version: 2.0
Hardware: Unspecified
OS: Unspecified
low
medium
Target Milestone: ---
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
Reported: 2011-01-05 14:45 UTC by Jenny Severance
Modified: 2015-01-04 23:45 UTC (History)

Fixed In Version: freeipa-2.0.0-1.fc15
Doc Type: Bug Fix
Last Closed: 2012-03-27 07:16:49 UTC



Description Jenny Severance 2011-01-05 14:45:07 UTC
Description of problem:

Adding an additional host CN is successful with ipa host-mod --addattr and should not be allowed.


Version-Release number of selected component (if applicable):

ipa-server-1.91-0.2010113023git20b1e0a.fc13.i686
ipa-admintools-1.91-0.2010113023git20b1e0a.fc13.i686

How reproducible:
always

Steps to Reproduce:
1. add a new host
   ipa host-add mytest.testrelm
2. add an additional cn
   ipa host-mod --addattr cn=mytest2.testrelm mytest.testrelm
3. ipa host-show --all mytest.testrelm
  
Actual results:
adding additional cn is successful

# ipa host-show --all mytest.testrelm

  dn: fqdn=mytest.testrelm,cn=computers,cn=accounts,dc=testrelm
  Host name: mytest.testrelm
  Principal name: host/mytest.testrelm@TESTRELM
  Keytab: False
  Managed by: mytest.testrelm
  cn: mytest.testrelm, mytest2.testrelm
  ipauniqueid: 95a1d49c-18d5-11e0-bbc2-000c29a992d9
  objectclass: ipaobject, nshost, ipahost, pkiuser, ipaservice, krbprincipalaux, krbprincipal, top
  serverhostname: mytest

Expected results:

ipa: ERROR: cn: Only one value allowed.

Additional info:

Comment 1 Dmitri Pal 2011-01-05 16:26:45 UTC
I do not think this is a valid test case. cn is not a part of the host object so adding cn attribute should be allowed. I think this functions as designed.

Comment 2 Jenny Severance 2011-01-05 18:13:21 UTC
Then the CLI and UI should deny the operation with a valid error message ... like ... ipa: ERROR: attribute cn not allowed

Comment 3 Dmitri Pal 2011-01-05 18:26:46 UTC
https://fedorahosted.org/freeipa/ticket/706

Comment 4 Rob Crittenden 2011-02-17 03:20:30 UTC
master: 86fe47b87df4e503e9d1d4c6cf6be62b5cbab685

Comment 5 Jenny Severance 2011-03-01 20:23:13 UTC
Verified

version:
ipa-server-2.0.0-13.20110228T1743zgit99d6e08.el6.x86_64
ipa-admintools-2.0.0-13.20110228T1743zgit99d6e08.el6.x86_64


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-host-cli-32: Negative - setattr and addattr on cn
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

----------------------------
Added host "mytest.testrelm"
----------------------------
  Host name: mytest.testrelm
  Principal name: host/mytest.testrelm@TESTRELM
  Managed by: mytest.testrelm
:: [15:20:14] ::  Adding new host mytest.testrelm successful with force option.
:: [15:20:14] ::  Executing: ipa host-mod --setattr cn=mytest2.testrelm mytest.testrelm
ipa: ERROR: Insufficient access: cn is immutable
:: [15:20:17] ::  "ipa host-mod --setattr cn=mytest2.testrelm mytest.testrelm" failed as expected.
:: [15:20:20] ::  Error message as expected: ipa: ERROR: Insufficient access: cn is immutable
:: [   PASS   ] :: Verify expected error message for --setattr.
:: [15:20:21] ::  Executing: ipa host-mod --addattr cn=mytest3.testrelm mytest.testrelm
ipa: ERROR: Insufficient access: cn is immutable
:: [15:20:24] ::  "ipa host-mod --addattr cn=mytest3.testrelm mytest.testrelm" failed as expected.
:: [15:20:27] ::  Error message as expected: ipa: ERROR: Insufficient access: cn is immutable
:: [   PASS   ] :: Verify expected error message for --addattr.
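
Added example (not part of the bug report and not FreeIPA code): a Python audit that parses text in the layout of the `ipa host-show --all` output from the description and reports host entries whose cn carries more than one value, which is the state the reproduction steps create on an affected version. The second sample entry and the function names are constructed for illustration; it assumes multi-valued attributes are printed comma-separated, as in the output shown in the description.

```python
# Added example: flag host entries with a multi-valued cn in
# `ipa host-show --all` style text output.

# First entry copied from the bug description; second entry is constructed.
SAMPLE_OUTPUT = """\
  dn: fqdn=mytest.testrelm,cn=computers,cn=accounts,dc=testrelm
  Host name: mytest.testrelm
  Principal name: host/mytest.testrelm@TESTRELM
  Keytab: False
  Managed by: mytest.testrelm
  cn: mytest.testrelm, mytest2.testrelm
  objectclass: ipaobject, nshost, ipahost, pkiuser, ipaservice, krbprincipalaux, krbprincipal, top
  serverhostname: mytest

  dn: fqdn=clean.testrelm,cn=computers,cn=accounts,dc=testrelm
  Host name: clean.testrelm
  cn: clean.testrelm
"""


def parse_entries(text):
    """Return one dict per entry (an entry starts at a 'dn:' line): label -> list of values."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if ": " not in line:
            continue  # blank lines, separators, shell prompts
        label, value = line.split(": ", 1)
        if label == "dn":
            entries.append({"dn": [value]})  # a DN contains commas; keep it whole
        elif entries:
            # Assumption: multiple values are joined with commas, as on the page.
            entries[-1][label] = [v.strip() for v in value.split(",") if v.strip()]
    return entries


def audit_cn(text):
    """Return (dn, extra_cn_values) for every entry whose cn has more than one value."""
    findings = []
    for entry in parse_entries(text):
        cn_values = entry.get("cn", [])
        if len(cn_values) > 1:
            host = entry.get("Host name", [""])[0]
            findings.append((entry["dn"][0], [v for v in cn_values if v != host]))
    return findings


if __name__ == "__main__":
    for dn, extra in audit_cn(SAMPLE_OUTPUT):
        print(f"multi-valued cn on {dn}: extra values {extra}")
```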

