Bug 672638 - role-add --setattr bypasses account validation
Status: CLOSED NOTABUG
Alias: None
Product: freeIPA
Classification: Retired
Component: ipa-server
Version: 2.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
Reported: 2011-01-25 18:47 UTC by Yi Zhang
Modified: 2015-01-04 23:46 UTC (History)

Doc Type: Bug Fix
Last Closed: 2011-01-27 18:32:58 UTC



Description Yi Zhang 2011-01-25 18:47:53 UTC
Description of problem:
The command: ipa role-add-member <rolename> --users=<some user> will check the existence of the user account. However, if we use the ipa role-add <role-name> --desc=test --setattr=member=<some user> syntax, it will bypass account validation.

The next test passed, which it should not:
[yi@dhcp-137 ipa-delegation]$ ipa role-add testRole001 --desc=test --setattr=member=uid=NoSuchUser13082,cn=users,cn=accounts,dc=sjc,dc=redhat,dc=com
------------------------
Added role "testrole001"
------------------------
  Role name: testrole001
  Description: test
  Member users: NoSuchUser13082


=== there is account validation in the role-add-member command ===
[yi@dhcp-137 ipa-delegation]$  ipa role-add-member testRole001 --users=NoSuchUser13082
  Role name: testrole001
  Description: test
  Member users: NoSuchUser13082
  Failed members: 
    user: NoSuchUser13082: no such entry
-------------------------
Number of members added 0
-------------------------

======== account "NoSuchUser13082" does not exist =========
[yi@dhcp-137 ipa-delegation]$ ipa user-find NoSuchUser13082
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------

Version-Release number of selected component (if applicable): ipa-server-2.0-0.2011011115gitc778919.fc14.i686


How reproducible: always

Comment 1 Rob Crittenden 2011-01-25 18:51:27 UTC
I'm not inclined to spend a lot of time on this to be honest. With great power comes great responsibility, so if users want to use setattr to manage membership I think the onus is on them to get it right.

Comment 2 Dmitri Pal 2011-01-25 19:37:31 UTC
I agree with Rob. This is FAD. Please close.

Comment 5 Dmitri Pal 2011-01-27 18:32:58 UTC
This is the right behavior. Per mutual agreement we are closing the issue.
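
Because --setattr writes member values without the existence check that role-add-member performs, an administrator can audit for member DNs that point at no entry. The following is an added example, not part of this bug thread or of FreeIPA's code; the LDIF export, the dc=example,dc=com suffix and the function names are assumptions made for illustration.

```python
import re

# Constructed sample data (not from the reporter's server): an LDIF-style
# export holding one role and the only user entry that actually exists.
SAMPLE_LDIF = """\
dn: cn=testrole001,cn=roles,cn=accounts,dc=example,dc=com
objectClass: groupofnames
cn: testrole001
member: uid=NoSuchUser13082,cn=users,cn=accounts,dc=example,dc=com
member: UID=alice, CN=users, cn=accounts, dc=example, dc=com

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
objectClass: person
uid: alice
"""

def normalize_dn(dn):
    """Lower-case a DN and strip spaces around RDNs so equal DNs compare equal."""
    parts = re.split(r"(?<!\\),", dn)  # split on unescaped commas only
    return ",".join("=".join(p.strip() for p in part.split("=", 1)).lower()
                    for part in parts)

def parse_ldif(text):
    """Return {normalized dn: {attr: [values]}} for simple LDIF.

    Assumption: no folded lines or base64 ("attr:: ...") values; those are skipped.
    """
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            name, value = line.split(": ", 1)
            attrs.setdefault(name.lower(), []).append(value.strip())
        if "dn" in attrs:
            entries[normalize_dn(attrs["dn"][0])] = attrs
    return entries

def dangling_members(entries):
    """List (group dn, member dn) pairs whose member DN matches no exported entry."""
    return [(dn, member)
            for dn, attrs in entries.items()
            for member in attrs.get("member", [])
            if normalize_dn(member) not in entries]

if __name__ == "__main__":
    for role, member in dangling_members(parse_ldif(SAMPLE_LDIF)):
        print(f"{role}: member does not exist: {member}")
```

The export must cover every subtree that members can live in; otherwise valid members outside the export are reported as dangling.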

