Bug 667412 - ipa host-mod --setattr on cn should not be allowed
Status: CLOSED ERRATA
Alias: None
Product: freeIPA
Classification: Retired
Component: ipa-admintools
Version: 2.0
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
Reported: 2011-01-05 14:53 UTC by Jenny Severance
Modified: 2015-01-04 23:45 UTC (History)

Fixed In Version: freeipa-2.0.0-1.fc15
Doc Type: Bug Fix
Last Closed: 2012-03-27 07:13:55 UTC

Description Jenny Severance 2011-01-05 14:53:23 UTC
Description of problem:
ipa host-mod --setattr on cn is successful, but should be denied.

Version-Release number of selected component (if applicable):
ipa-server-1.91-0.2010113023git20b1e0a.fc13.i686
ipa-admintools-1.91-0.2010113023git20b1e0a.fc13.i686

How reproducible:
always

Steps to Reproduce:
1. add a new host
   ipa host-add mytest.testrelm
2. modify the host's cn using --setattr
   ipa host-mod --setattr cn=mytest2.testrelm mytest.testrelm
3. ipa host-show --all mytest.testrelm
  
Actual results:
modifying cn is successful

# ipa host-show --all mytest.testrelm

  dn: fqdn=mytest.testrelm,cn=computers,cn=accounts,dc=testrelm
  Host name: mytest.testrelm
  Principal name: host/mytest.testrelm@TESTRELM
  Keytab: False
  Managed by: mytest.testrelm
  cn: mytest2.testrelm
  ipauniqueid: 95a1d49c-18d5-11e0-bbc2-000c29a992d9
  objectclass: ipaobject, nshost, ipahost, pkiuser, ipaservice, krbprincipalaux, krbprincipal, top
  serverhostname: mytest


Expected results:
ipa: ERROR: attribute cn not allowed

Additional info:

Comment 1 Dmitri Pal 2011-01-05 16:29:05 UTC
Similarly to https://bugzilla.redhat.com/show_bug.cgi?id=667410 - this is not a valid use case. CN is not a part of the host entry, so the cn attribute can be added and modified if the administrator wants to. There is nothing in the system that would require these operations to be treated as illegal.

Comment 2 Dmitri Pal 2011-01-05 18:28:09 UTC
https://fedorahosted.org/freeipa/ticket/707

After some discussion we agreed that the ticket is valid.

Comment 3 Rob Crittenden 2011-02-17 03:21:16 UTC
master: 86fe47b87df4e503e9d1d4c6cf6be62b5cbab685

Comment 4 Jenny Severance 2011-03-01 20:22:49 UTC
Verified

version:
ipa-server-2.0.0-13.20110228T1743zgit99d6e08.el6.x86_64
ipa-admintools-2.0.0-13.20110228T1743zgit99d6e08.el6.x86_64


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-host-cli-32: Negative - setattr and addattr on cn
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

----------------------------
Added host "mytest.testrelm"
----------------------------
  Host name: mytest.testrelm
  Principal name: host/mytest.testrelm@TESTRELM
  Managed by: mytest.testrelm
:: [15:20:14] ::  Adding new host mytest.testrelm successful with force option.
:: [15:20:14] ::  Executing: ipa host-mod --setattr cn=mytest2.testrelm mytest.testrelm
ipa: ERROR: Insufficient access: cn is immutable
:: [15:20:17] ::  "ipa host-mod --setattr cn=mytest2.testrelm mytest.testrelm" failed as expected.
:: [15:20:20] ::  Error message as expected: ipa: ERROR: Insufficient access: cn is immutable
:: [   PASS   ] :: Verify expected error message for --setattr.
:: [15:20:21] ::  Executing: ipa host-mod --addattr cn=mytest3.testrelm mytest.testrelm
ipa: ERROR: Insufficient access: cn is immutable
:: [15:20:24] ::  "ipa host-mod --addattr cn=mytest3.testrelm mytest.testrelm" failed as expected.
:: [15:20:27] ::  Error message as expected: ipa: ERROR: Insufficient access: cn is immutable
:: [   PASS   ] :: Verify expected error message for --addattr.
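
The check this bug asks for, sketched as an added example (it is not the code from the FreeIPA commit referenced in comment 3): every --setattr/--addattr pair is validated against a list of immutable attributes before any write. The function names, the `IMMUTABLE_ATTRS` set and the exception class are assumptions made for illustration; only the error text is taken from the verification log above.

```python
# Illustrative sketch only; not FreeIPA's implementation.
# Assumption: the host object declares which attributes may never be
# changed through the generic --setattr/--addattr options.
IMMUTABLE_ATTRS = frozenset({"cn"})  # assumed per-object list


class ImmutableAttributeError(Exception):
    """Raised when a request tries to write a protected attribute."""


def parse_attr_pair(pair):
    """Split 'attr=value' into (normalized base attribute name, value)."""
    name, sep, value = pair.partition("=")
    if not sep or not name.strip():
        raise ValueError(f"invalid 'attr=value' pair: {pair!r}")
    # LDAP attribute names are case-insensitive and may carry options
    # after ';' (for example 'cn;lang-en'). Compare on the base name so
    # 'CN=' or 'cn;lang-en=' cannot slip past the check.
    return name.strip().split(";", 1)[0].lower(), value


def check_generic_attrs(setattr_pairs=(), addattr_pairs=(), immutable=IMMUTABLE_ATTRS):
    """Validate every pair before any LDAP write; return the parsed pairs."""
    blocked = {a.lower() for a in immutable}
    parsed = []
    for option, pairs in (("setattr", setattr_pairs), ("addattr", addattr_pairs)):
        for pair in pairs:
            attr, value = parse_attr_pair(pair)
            if attr in blocked:
                raise ImmutableAttributeError(f"Insufficient access: {attr} is immutable")
            parsed.append((option, attr, value))
    return parsed


def try_request(**kwargs):
    """Return a CLI-style message for one request (sample driver)."""
    try:
        check_generic_attrs(**kwargs)
        return "ok"
    except ImmutableAttributeError as exc:
        return f"ipa: ERROR: {exc}"


if __name__ == "__main__":
    # Constructed inputs mirroring the commands in this report.
    print(try_request(setattr_pairs=["cn=mytest2.testrelm"]))
    print(try_request(addattr_pairs=["CN;lang-en=mytest3.testrelm"]))
    print(try_request(setattr_pairs=["description=lab machine"]))
```

Validating the whole request before the first write means a mixed request (one allowed attribute, one immutable) changes nothing.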

