https://bugzilla.redhat.com/show_bug.cgi?id=741957
Description of problem:
In the IPA Server - Configuration tab, User Option section, "Default user objectclasses" allows deleting and adding objectclasses, which can then prevent one from adding new users. For example, if ipaobject is deleted, then when adding a new user it throws the error: attribute "ipaUniqueID" not allowed. So do not allow the listed objectclasses to be deleted; only new ones should be allowed to be added.

When adding new ones, there is no check to see if it is a valid objectclass. Else it throws an error when adding a new user.

When adding a valid new objectclass, for example mailGroup, it still throws an error when adding a new user, indicating: missing attribute "mail" required by object class "mailGroup". This can be worked around in the CLI by using --setattr=mail="one", and the user can be added, but this option is not available in the UI.

Version-Release number of selected component (if applicable):
ipa-server-2.1.1-4.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. In the Configuration tab - Delete ipaobject from the list of Default user objectclasses
2. Add a new user
3. In the Configuration tab - Add mailGroup
4. Add a new user

Actual results:
For the first user add attempt - throws error - attribute "ipaUniqueID" not allowed
For the second user add attempt - throws error - missing attribute "mail" required by object class "mailGroup"

Expected results:
There should not be a "Delete" button for objectclasses without which a new user cannot be added.
When adding a new objectclass, prompt for or allow the attribute to be entered when adding a new user.

Additional info:
Logged Bug 741951 for the CLI to indicate an error when deleting a required objectClass. But in the UI, there should not be a Delete button for these.
Another doc issue. I suggest using this one as a long term tracking ticket to deal with object classes and UI extensibility.
After second evaluation here is the plan I propose regarding this ticket:
The first issue will be tracked in BZ. The second issue will be deferred for now as it is not a high priority.
This attribute is already sufficiently protected, see:
# ipa config-mod --userobjectclasses=person
ipa: ERROR: invalid 'ipauserobjectclasses': user default attribute givenname would not be allowed!

[root@ipa ipa-winsync]# ipa config-mod --userobjectclasses={ipaobject,person,top,ipasshuser,inetorgperson,organizationalperson,krbticketpolicyaux,krbprincipalaux,inetuser,posixaccount,barbar}
ipa: ERROR: objectclass barbar not found
Please reopen this ticket if there is some obvious case where validation fails. However, when a valid objectclass that has a new MUST attribute is being added, adding a default value or other validation needs to be done through the user plugin - this is expected.
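The two checks the comment above describes (an unknown objectclass is rejected, and a list that would leave a default user attribute without any objectclass permitting it is rejected), plus the user-add time failure from the original report (a new MUST attribute such as mail that the user plugin never supplies), are modelled below as an added example. This is not FreeIPA's own code: the schema, the default-attribute set and the function names are constructed for illustration, with SUP inheritance chains flattened into each objectclass. Attribute and objectclass names are compared case-insensitively, as LDAP does.

```python
"""Toy model of the validation behind 'ipa config-mod --userobjectclasses' (constructed example)."""

# Constructed, simplified LDAP schema: objectclass -> (MUST attributes, MAY attributes).
# Real schemas express much of this via SUP inheritance; it is flattened here on purpose.
SCHEMA = {
    "top": (frozenset(), frozenset({"objectClass"})),
    "person": (frozenset({"sn", "cn"}),
               frozenset({"userPassword", "telephoneNumber", "description"})),
    "organizationalPerson": (frozenset(), frozenset({"title", "ou", "l", "st"})),
    "inetOrgPerson": (frozenset(),
                      frozenset({"givenName", "mail", "uid", "displayName", "initials"})),
    "posixAccount": (frozenset({"uid", "cn", "uidNumber", "gidNumber", "homeDirectory"}),
                     frozenset({"loginShell", "gecos"})),
    "ipaObject": (frozenset({"ipaUniqueID"}), frozenset()),
    "mailGroup": (frozenset({"mail"}), frozenset({"cn", "description"})),
}

# Constructed stand-in for the attributes the user plugin always writes on user-add.
DEFAULT_USER_ATTRS = frozenset({
    "uid", "givenName", "sn", "cn", "displayName", "uidNumber", "gidNumber",
    "homeDirectory", "loginShell", "ipaUniqueID",
})


def _lc(names):
    """Lower-case a collection of LDAP names for case-insensitive comparison."""
    return {n.lower() for n in names}


def _lookup(objectclass, schema):
    """Case-insensitive objectclass lookup: (canonical name, MUST, MAY) or None."""
    for name, (must, may) in schema.items():
        if name.lower() == objectclass.lower():
            return name, must, may
    return None


def validate_user_objectclasses(proposed, schema=SCHEMA, defaults=DEFAULT_USER_ATTRS):
    """Return a list of error strings for a proposed default objectclass list.

    An empty list means the new list is safe: every objectclass exists and every
    attribute the user plugin writes is still allowed by at least one of them.
    """
    unknown = [oc for oc in proposed if _lookup(oc, schema) is None]
    if unknown:
        # Mirrors 'objectclass barbar not found': stop before the attribute check,
        # which would be meaningless with an unknown class in the list.
        return [f"objectclass {oc} not found" for oc in unknown]

    allowed = set()
    for oc in proposed:
        _, must, may = _lookup(oc, schema)
        allowed |= _lc(must) | _lc(may)

    # Mirrors "user default attribute givenname would not be allowed!".
    return [f"user default attribute {attr.lower()} would not be allowed!"
            for attr in sorted(defaults, key=str.lower)
            if attr.lower() not in allowed]


def missing_required_attrs(objectclasses, supplied, schema=SCHEMA):
    """Map each MUST attribute that user-add would not supply to the class requiring it.

    This is the second failure from the report: a valid class such as mailGroup passes
    config-mod validation but user-add then fails with 'missing attribute "mail"'.
    """
    have = _lc(supplied)
    missing = {}
    for oc in objectclasses:
        hit = _lookup(oc, schema)
        if hit is None:
            continue
        name, must, _ = hit
        for attr in must:
            if attr.lower() not in have:
                missing.setdefault(attr, name)
    return missing


if __name__ == "__main__":
    full = ["top", "person", "organizationalPerson", "inetOrgPerson", "posixAccount", "ipaObject"]
    for case in (["person"], full + ["barbar"], full):
        print(case, "->", validate_user_objectclasses(case) or "ok")
    print("user-add with mailGroup:", missing_required_attrs(full + ["mailGroup"], DEFAULT_USER_ATTRS))
    print("with --setattr=mail:", missing_required_attrs(full + ["mailGroup"], DEFAULT_USER_ATTRS | {"mail"}))
```

The separation into two functions reflects the comment's point: config-mod can only check what the schema says, so a class whose MUST attribute the user plugin never sets is accepted there and must be handled (with a default value or a required prompt) in the user plugin or the UI instead.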
Metadata Update from @dpal:
- Issue assigned to abbra
- Issue set to the milestone: Ticket Backlog