#1894 [ipa webui] Config - Default user objectclasses allows invalid setting, which prevents adding new users
Closed: Invalid None Opened 12 years ago by dpal.

https://bugzilla.redhat.com/show_bug.cgi?id=741957

Description of problem:
In the IPA Server - Configuration tab, User Option section, Default user objectclasses allows deleting and adding objectclasses which then prevents one from adding new users

For example, if ipaobject is deleted, then when adding a new user, it throws error attribute "ipaUniqueID" not allowed.

So do not allow the listed objectclasses to be deleted...only new ones should be allowed to be added.

When adding new ones, there is no check to see if it is a valid objectclass. Else it throws error when adding a new user

When adding a valid new objectclass, for example mailGroup, it still throws error when adding a new user, indicating - missing attribute "mail" required by object class "mailGroup". This can be worked around in cli by using --setattr=mail="one", and user can be added...but this option is not available in UI

Version-Release number of selected component (if applicable):
ipa-server-2.1.1-4.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. In the configuration tab - Delete ipaobject from the list of Default user objectclasses
2. Add a new user
3. In the configuration tab - Add mailGroup
4. Add a new user

Actual results:
For first user add attempt - throws error - attribute "ipaUniqueID" not allowed
For the second user add attempt - throws error - missing attribute "mail" required by object class "mailGroup"

Expected results:
There should not be a "Delete" button for objectclasses without which new user cannot be added
When adding new objectclass, prompt or allow attribute to be entered when adding new user.

Additional info:
Logged Bug 741951 for cli to indicate an error when deleting required objectClass. But in UI, there should not be a Delete button for these.

Another doc issue. I suggest using this one as a long term tracking ticket to deal with object classes and UI extensibility.

After second evaluation here is the plan I propose regarding this ticket:

  1. Open a doc bug to describe that removing object classes would cause a problem
  2. Fix IPA to check the implications of removing object classes from the object.

The first issue will be tracked in BZ.
The second issue will be deferred for now as it is not a high priority.

This attribute is already sufficiently protected, see:

# ipa config-mod --userobjectclasses=person
ipa: ERROR: invalid 'ipauserobjectclasses': user default attribute givenname would not be allowed!

[root@ipa ipa-winsync]# ipa config-mod --userobjectclasses={ipaobject,person,top,ipasshuser,inetorgperson,organizationalperson,krbticketpolicyaux,krbprincipalaux,inetuser,posixaccount,barbar}
ipa: ERROR: objectclass barbar not found

Please reopen this ticket if there is some obvious case where validation fails. However, when a valid objectclass that has a new MUST attribute is being added, adding default value/other validation needs to be done through user plugin - this is expected.

Metadata Update from @dpal:
- Issue assigned to abbra
- Issue set to the milestone: Ticket Backlog

7 years ago
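
The failure cases discussed in this ticket, as an added example that is not FreeIPA's own code: a pre-change check that reports unknown objectclasses, attributes the user-add path writes that the proposed list would no longer allow, and MUST attributes it does not supply (the case the ticket leaves to the user plugin). The schema subset, the `USER_ADD_ATTRS` set and the function name are assumptions made for illustration.

```python
# Constructed, simplified schema subset: objectclass -> (MUST, MAY) attributes.
SCHEMA = {
    "top": (set(), set()),
    "person": ({"sn", "cn"}, {"userpassword", "telephonenumber"}),
    "inetorgperson": (set(), {"givenname", "mail", "uid"}),
    "ipaobject": ({"ipauniqueid"}, set()),
    "mailgroup": ({"mail"}, set()),
}

# Assumption: attributes the user-add path always writes to a new entry.
USER_ADD_ATTRS = {"cn", "sn", "givenname", "uid", "ipauniqueid"}

# Constructed baseline list of default user objectclasses.
BASE = ["top", "person", "inetorgperson", "ipaobject"]


def check_user_objectclasses(objectclasses, schema=SCHEMA, written=USER_ADD_ATTRS):
    """Return a list of (kind, detail) problems for a proposed default list."""
    names = [oc.lower() for oc in objectclasses]
    # 1. Every objectclass must exist in the schema.
    problems = [("unknown_objectclass", oc) for oc in names if oc not in schema]
    must, may = set(), set()
    for oc in names:
        if oc in schema:
            must |= schema[oc][0]
            may |= schema[oc][1]
    # 2. Everything user-add writes must still be allowed by some objectclass.
    problems += [("attr_not_allowed", a) for a in sorted(written - (must | may))]
    # 3. Every MUST attribute needs a value that user-add actually supplies.
    problems += [("must_attr_missing", a) for a in sorted(must - written)]
    return problems


if __name__ == "__main__":
    cases = {
        "baseline": BASE,
        "ipaobject removed": [oc for oc in BASE if oc != "ipaobject"],
        "barbar added": BASE + ["barbar"],
        "mailGroup added": BASE + ["mailGroup"],
        "person only": ["person"],
    }
    for label, ocs in cases.items():
        print(f"{label}: {check_user_objectclasses(ocs) or 'ok'}")
```
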
