Description of problem:
ipa host-mod --setattr on cn is successful, but should be denied.

Version-Release number of selected component (if applicable):
ipa-server-1.91-0.2010113023git20b1e0a.fc13.i686
ipa-admintools-1.91-0.2010113023git20b1e0a.fc13.i686

How reproducible:
always

Steps to Reproduce:
1. add a new host
   ipa host-add mytest.testrelm
2. modify the host's cn using --setattr
   ipa host-mod --setattr cn=mytest2.testrelm mytest.testrelm
3. ipa host-show --all mytest.testrelm

Actual results:
modifying cn is successful

# ipa host-show --all mytest.testrelm
  dn: fqdn=mytest.testrelm,cn=computers,cn=accounts,dc=testrelm
  Host name: mytest.testrelm
  Principal name: host/mytest.testrelm@TESTRELM
  Keytab: False
  Managed by: mytest.testrelm
  cn: mytest2.testrelm
  ipauniqueid: 95a1d49c-18d5-11e0-bbc2-000c29a992d9
  objectclass: ipaobject, nshost, ipahost, pkiuser, ipaservice, krbprincipalaux, krbprincipal, top
  serverhostname: mytest

Expected results:
ipa: ERROR: attribute cn not allowed

Additional info:

Similarly to https://bugzilla.redhat.com/show_bug.cgi?id=667410 - this is not a valid use case. CN is not a part of the host entry, so the cn attribute can be added and modified if the administrator wants to. There is nothing in the system that would require these operations to be treated as illegal.
https://fedorahosted.org/freeipa/ticket/707
After some discussion we agreed that the ticket is valid.
master: 86fe47b87df4e503e9d1d4c6cf6be62b5cbab685
Verified version:
ipa-server-2.0.0-13.20110228T1743zgit99d6e08.el6.x86_64
ipa-admintools-2.0.0-13.20110228T1743zgit99d6e08.el6.x86_64

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa-host-cli-32: Negative - setattr and addattr on cn
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

----------------------------
Added host "mytest.testrelm"
----------------------------
  Host name: mytest.testrelm
  Principal name: host/mytest.testrelm@TESTRELM
  Managed by: mytest.testrelm
:: [15:20:14] :: Adding new host mytest.testrelm successful with force option.
:: [15:20:14] :: Executing: ipa host-mod --setattr cn=mytest2.testrelm mytest.testrelm
ipa: ERROR: Insufficient access: cn is immutable
:: [15:20:17] :: "ipa host-mod --setattr cn=mytest2.testrelm mytest.testrelm" failed as expected.
:: [15:20:20] :: Error message as expected: ipa: ERROR: Insufficient access: cn is immutable
:: [ PASS ] :: Verify expected error message for --setattr.
:: [15:20:21] :: Executing: ipa host-mod --addattr cn=mytest3.testrelm mytest.testrelm
ipa: ERROR: Insufficient access: cn is immutable
:: [15:20:24] :: "ipa host-mod --addattr cn=mytest3.testrelm mytest.testrelm" failed as expected.
:: [15:20:27] :: Error message as expected: ipa: ERROR: Insufficient access: cn is immutable
:: [ PASS ] :: Verify expected error message for --addattr.