Bug 741957 - [ipa webui] Config - Default user objectclasses allows invalid setting, which prevents adding new users
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: rc
: ---
Assignee: Martin Kosek
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On:
Blocks: 756082 760383
Reported: 2011-09-28 15:28 UTC by Namita Soman
Modified: 2015-01-16 11:50 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 760383 (view as bug list)
Environment:
Last Closed: 2015-01-16 11:50:00 UTC
Target Upstream Version:
Embargoed:



Description Namita Soman 2011-09-28 15:28:46 UTC
Description of problem:
In the IPA Server - Configuration tab, User Option section, Default user objectclasses allows deleting and adding objectclasses which then prevents one from adding new users

For example, if ipaobject is deleted, then when adding a new user it throws the error: attribute "ipaUniqueID" not allowed.

So do not allow the listed objectclasses to be deleted...only new ones should be allowed to be added.

When adding new ones, there is no check to see if it is a valid objectclass. Otherwise it throws an error when adding a new user.

When adding a valid new objectclass, for example mailGroup, it still throws error when adding a new user, indicating - missing attribute "mail" required by object class "mailGroup". This can be worked around in cli by using --setattr=mail="one", and user can be added...but this option is not available in UI

Version-Release number of selected component (if applicable):
ipa-server-2.1.1-4.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. In the configuration tab - Delete ipaobject from the list of Default user objectclasses
2. Add a new user
3. In the configuration tab - Add mailGroup
4. Add a new user

Actual results:
For first user add attempt - throws error - attribute "ipaUniqueID" not allowed
For the second user add attempt - throws error - missing attribute "mail" required by object class "mailGroup"

Expected results:
There should not be a "Delete" button for objectclasses without which new user cannot be added
When adding new objectclass, prompt or allow attribute to be entered when adding new user.

Additional info:
Logged Bug 741951 for cli to indicate an error when deleting required objectClass. But in UI, there should not be a Delete button for these.

Comment 2 Dmitri Pal 2011-09-28 21:38:48 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/1894

Comment 3 Dmitri Pal 2011-09-28 21:53:05 UTC
There is another bug #741951 that will be used to document related limitations and best practices. Suggest to defer this one till we have time to do something about dynamic extensibility.

Comment 8 Martin Kosek 2015-01-16 11:50:00 UTC
This attribute is already sufficiently protected, see:

{{{
# ipa config-mod --userobjectclasses=person
ipa: ERROR: invalid 'ipauserobjectclasses': user default attribute givenname would not be allowed!

[root@ipa ipa-winsync]# ipa config-mod --userobjectclasses={ipaobject,person,top,ipasshuser,inetorgperson,organizationalperson,krbticketpolicyaux,krbprincipalaux,inetuser,posixaccount,barbar}
ipa: ERROR: objectclass barbar not found
}}}

Please reopen this Bug if there is some obvious case where validation fails. However, when a valid objectclass that has a new MUST attribute is being added, adding default value/other validation needs to be done through user plugin - this is expected.
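The two validation failures quoted in Comment 8 (a default user attribute that the new objectclass set would no longer allow, and an objectclass that does not exist in the schema) and the third case from the original report (a valid objectclass whose MUST attribute the user plugin never supplies, e.g. mailGroup requiring mail) can be modelled with a small checker. The code below is an added illustration written for this page, not FreeIPA's own config plugin; the schema table and the list of attributes the user plugin writes by default are constructed subsets, and the function names are hypothetical.

```python
"""Model of the checks FreeIPA applies to the default user objectclass list
(as described in Comment 8), plus the "MUST attribute without a default"
case from the bug description. Constructed example, not FreeIPA code."""

# Constructed schema subset: objectclass (lowercase) -> (MUST attrs, MAY attrs).
# The real schema lives in the directory server; this is only enough to
# reproduce the cases discussed in the bug.
SCHEMA = {
    "top": (set(), set()),
    "person": ({"sn", "cn"}, {"userpassword", "telephonenumber", "description"}),
    "organizationalperson": (set(), {"title", "ou", "l", "st"}),
    "inetorgperson": (set(), {"givenname", "mail", "uid", "displayname", "initials"}),
    "posixaccount": ({"uid", "uidnumber", "gidnumber", "homedirectory"},
                     {"loginshell", "gecos"}),
    "ipaobject": ({"ipauniqueid"}, set()),
    "inetuser": (set(), {"uid", "userpassword", "memberof"}),
    "krbprincipalaux": (set(), {"krbprincipalname", "krbpasswordexpiration"}),
    "krbticketpolicyaux": (set(), {"krbmaxticketlife", "krbmaxrenewableage"}),
    "ipasshuser": (set(), {"ipasshpubkey"}),
    "mailgroup": ({"mail"}, {"mgrprfc822mailmember"}),
}

# Constructed list of attributes the user-add path always writes; modelled on
# the "user default attribute givenname would not be allowed!" error text.
USER_DEFAULT_ATTRS = {"uid", "givenname", "sn", "cn", "uidnumber", "gidnumber",
                      "homedirectory", "ipauniqueid", "krbprincipalname"}

# Default user objectclass list as shown in Comment 8 (minus the bogus entry).
DEFAULT_USER_OBJECTCLASSES = [
    "top", "person", "organizationalperson", "inetorgperson", "inetuser",
    "posixaccount", "krbprincipalaux", "krbticketpolicyaux", "ipaobject",
    "ipasshuser",
]


class ObjectclassValidationError(ValueError):
    """Raised when a proposed objectclass list would break user-add."""


def allowed_attributes(objectclasses):
    """Union of MUST and MAY attributes; unknown classes are rejected."""
    allowed = set()
    for oc in objectclasses:
        key = oc.lower()          # LDAP objectclass names are case-insensitive
        if key not in SCHEMA:
            raise ObjectclassValidationError(f"objectclass {oc} not found")
        must, may = SCHEMA[key]
        allowed |= must | may
    return allowed


def validate_userobjectclasses(objectclasses, default_attrs=USER_DEFAULT_ATTRS):
    """Reject a list that would forbid any attribute user-add always writes.

    Returns the MUST attributes of the chosen classes that the user plugin does
    not supply itself (the 'missing attribute "mail" required by object class
    "mailGroup"' case), so a caller can require a default for each of them.
    """
    allowed = allowed_attributes(objectclasses)
    for attr in sorted(default_attrs):
        if attr not in allowed:
            raise ObjectclassValidationError(
                f"user default attribute {attr} would not be allowed!")
    required = set()
    for oc in objectclasses:
        required |= SCHEMA[oc.lower()][0]
    return required - default_attrs


def validation_message(objectclasses):
    """Error text the check would produce for this list, or None if valid."""
    try:
        validate_userobjectclasses(objectclasses)
    except ObjectclassValidationError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    cases = {
        "default list": DEFAULT_USER_OBJECTCLASSES,
        "person only": ["person"],
        "ipaobject removed": [oc for oc in DEFAULT_USER_OBJECTCLASSES if oc != "ipaobject"],
        "unknown class": DEFAULT_USER_OBJECTCLASSES + ["barbar"],
        "mailGroup added": DEFAULT_USER_OBJECTCLASSES + ["mailGroup"],
    }
    for name, ocs in cases.items():
        msg = validation_message(ocs)
        extra = validate_userobjectclasses(ocs) if msg is None else None
        print(f"{name:18s} -> {msg or 'ok'}; MUST attrs needing a default: {extra}")
```

Running the script shows the three behaviours side by side: removing ipaobject is refused because ipauniqueid would no longer be allowed, an unknown class is refused by name, and adding mailGroup passes validation but reports that mail needs a default, which is exactly the part that, as Comment 8 says, has to be handled by the user plugin rather than by config-mod.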

