Description of problem:
ipa permission-add works if --memberof group entry does not exist. It should fail in this scenario like it does when group entry does not exist.

1> There is no group - xyz

# ipa group-find xyz
----------------
0 groups matched
----------------
----------------------------
Number of entries returned 0
----------------------------

2> Add a permission, and specify memberof to be the above mentioned group:

# ipa permission-add ManageHost --permissions="write" --subtree=cn=computers,cn=accounts,dc=testrelm,dc=com --memberof=xyz
-----------------------------
Added permission "ManageHost"
-----------------------------
  Permission name: ManageHost
  Permissions: write
  Member of group: xyz
  Subtree: ldap:///cn=computers,cn=accounts,dc=testrelm,dc=com

Version-Release number of selected component (if applicable):
ipa-server-2.2.0-101.20120117T0229zgit5febffb.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. As mentioned above

Actual results:
permission is added

Expected results:
the group should not be allowed to be specified, since it does not exist yet.

Additional info:
There is bug 783307 for delegation displaying same behaviour
Upstream ticket: https://fedorahosted.org/freeipa/ticket/2305
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/616d543a54833a1fde6b0098d91ac0f4e14f7a57
ipa-2-2: https://fedorahosted.org/freeipa/changeset/93a1a3805369048f87e4328f421e156c8ebac07f
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: No documentation needed.
Verified using ipa-server-2.2.0-11.el6.x86_64

Executing: ipa permission-add ManageHost --permissions="write" --subtree=cn=computers,cn=accounts,dc=testrelm,dc=com --attr=nshostlocation --memberof=nonexistentgroup
ipa: ERROR: nonexistentgroup: group not found
:: [09:50:19] :: There was an error adding ManageHost
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0819.html
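An audit for permissions that were created before this fix and still name a missing group in --memberof, as an added example that is not part of the bug report or FreeIPA's own code. It assumes `ipa permission-find --all` prints the same "Permission name:" and "Member of group:" labels as the permission-add output quoted in the description; the sample text, the ManageUsers entry and all function names are constructed for illustration.

```python
"""Find permissions whose memberof group does not exist (added example)."""
import subprocess

# Constructed sample, laid out like the permission-add output in the report.
SAMPLE_OUTPUT = """\
  Permission name: ManageHost
  Permissions: write
  Member of group: xyz
  Subtree: ldap:///cn=computers,cn=accounts,dc=testrelm,dc=com

  Permission name: ManageUsers
  Permissions: write
  Member of group: ipausers
  Subtree: ldap:///cn=users,cn=accounts,dc=testrelm,dc=com
"""

def parse_permissions(text):
    """Return {permission name: memberof group or None} from CLI output."""
    perms, current = {}, None
    for line in text.splitlines():
        # Split on the first colon only, so LDAP URLs in values stay intact.
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue  # separator rows and summary lines carry no field
        key, value = key.strip().lower(), value.strip()
        if key == "permission name":
            current = value
            perms[current] = None
        elif key == "member of group" and current is not None:
            perms[current] = value
    return perms

def group_exists(name):
    """True if `ipa group-show NAME` succeeds (needs a valid Kerberos ticket)."""
    result = subprocess.run(["ipa", "group-show", name],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0

def dangling_memberof(text, exists=group_exists):
    """Sorted (permission, group) pairs whose group fails the existence check."""
    return sorted((perm, grp) for perm, grp in parse_permissions(text).items()
                  if grp is not None and not exists(grp))

if __name__ == "__main__":
    known_groups = {"ipausers"}  # constructed stand-in for the directory
    for perm, grp in dangling_memberof(SAMPLE_OUTPUT, exists=known_groups.__contains__):
        print(f"{perm}: memberof group '{grp}' not found")
```

On a real server, pass the captured `ipa permission-find --all` text and leave `exists` at its default so each group is checked with `ipa group-show`.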