Description of problem:
The command "ipa role-add-member <rolename> --users=<some user>" checks that the user account exists. However, if we use the "ipa role-add <role-name> --desc=test --setattr=member=<some user>" syntax, it bypasses account validation. The next test passed, which it should not have:

[yi@dhcp-137 ipa-delegation]$ ipa role-add testRole001 --desc=test --setattr=member=uid=NoSuchUser13082,cn=users,cn=accounts,dc=sjc,dc=redhat,dc=com
------------------------
Added role "testrole001"
------------------------
  Role name: testrole001
  Description: test
  Member users: NoSuchUser13082

=== there is account validation in the role-add-member command ===

[yi@dhcp-137 ipa-delegation]$ ipa role-add-member testRole001 --users=NoSuchUser13082
  Role name: testrole001
  Description: test
  Member users: NoSuchUser13082
  Failed members:
    user: NoSuchUser13082: no such entry
-------------------------
Number of members added 0
-------------------------

======== account "NoSuchUser13082" does not exist =========

[yi@dhcp-137 ipa-delegation]$ ipa user-find NoSuchUser13082
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------

Version-Release number of selected component (if applicable):
ipa-server-2.0-0.2011011115gitc778919.fc14.i686

How reproducible:
always
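As an added illustration (not FreeIPA code, and not part of the original report), the following standalone Python sketches the existence check that role-add-member performs and that the --setattr=member=<dn> path in the report skips: each member DN supplied via --setattr is looked up before the role entry is written, and a missing entry rejects the add instead of creating a role with a dangling member. The directory is a constructed in-memory dict standing in for the LDAP backend, and every function name here is an assumption of the example.

```python
"""Hypothetical pre-commit check for --setattr=member=<dn> on a role-add.

Added example, not FreeIPA code. SAMPLE_DIRECTORY is a constructed
stand-in for the LDAP backend, keyed by a normalized DN string.
"""
from __future__ import annotations

# Constructed sample directory (stand-in for LDAP). Keys are normalized DNs.
SAMPLE_DIRECTORY = {
    "uid=admin,cn=users,cn=accounts,dc=sjc,dc=redhat,dc=com": {"objectclass": ["person"]},
    "uid=yi,cn=users,cn=accounts,dc=sjc,dc=redhat,dc=com": {"objectclass": ["person"]},
    "cn=ipausers,cn=groups,cn=accounts,dc=sjc,dc=redhat,dc=com": {"objectclass": ["groupofnames"]},
}

# Only this attribute is treated as a membership reference in the example;
# other --setattr values (e.g. description=...) are passed through untouched.
MEMBERSHIP_ATTRS = {"member"}


def normalize_dn(dn: str) -> str:
    """Lowercase each RDN and strip whitespace around separators.

    A deliberately simple normalization (no RFC 4514 escape handling) that is
    enough to match "UID=Admin, cn=users,..." against the stored key.
    """
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {part.strip()!r} in {dn!r}")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def parse_setattr(setattr_args: list[str]) -> list[tuple[str, str]]:
    """Split each --setattr ATTR=VALUE argument at its first '='.

    The value itself may contain '=' (a DN does), so only the first one splits.
    """
    pairs = []
    for item in setattr_args:
        attr, sep, value = item.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"--setattr argument {item!r} is not ATTR=VALUE")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def validate_member_values(setattr_args: list[str], directory: dict) -> tuple[list[str], dict[str, str]]:
    """Return (accepted normalized DNs, {raw value: reason} for failures)."""
    accepted: list[str] = []
    failed: dict[str, str] = {}
    for attr, value in parse_setattr(setattr_args):
        if attr not in MEMBERSHIP_ATTRS:
            continue
        try:
            dn = normalize_dn(value)
        except ValueError as exc:
            failed[value] = str(exc)
            continue
        if dn in directory:
            accepted.append(dn)
        else:
            # Same outcome role-add-member reports for an unknown user.
            failed[value] = "no such entry"
    return accepted, failed


def role_add(name: str, setattr_args: list[str], directory: dict, roles: dict) -> tuple[bool, dict[str, str]]:
    """Create a role only when every member DN passed via --setattr exists.

    Returns (True, {}) on success, or (False, failures) without touching
    `roles` if any member reference could not be resolved.
    """
    accepted, failed = validate_member_values(setattr_args, directory)
    if failed:
        return False, failed
    roles[name.lower()] = {"member": accepted}
    return True, {}


if __name__ == "__main__":
    roles: dict = {}
    bad = "member=uid=NoSuchUser13082,cn=users,cn=accounts,dc=sjc,dc=redhat,dc=com"
    print(role_add("testRole001", ["description=test", bad], SAMPLE_DIRECTORY, roles))
    good = "member=UID=Admin, cn=users,cn=accounts,dc=sjc,dc=redhat,dc=com"
    print(role_add("testRole001", ["description=test", good], SAMPLE_DIRECTORY, roles))
```

Rejecting the whole add is this example's choice; the real role-add-member command instead records the unresolvable entry under "Failed members" and still reports the rest, as the reporter's output shows.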
I'm not inclined to spend a lot of time on this to be honest. With great power comes great responsibility, so if users want to use setattr to manage membership I think the onus is on them to get it right.
I agree with Rob. This is FAD. Please close.
This is the right behavior. Per mutual agreement we are closing the issue.