Description of problem:
When doing a multioperation --addattr and --delattr on an attribute that is
single valued and required, no error message is returned.  This is a regression
from previously releases.


# ipa group-del test
--------------------
Deleted group "test"
--------------------
[root@qe-blade-11 ipa-group-cli]# ipa group-add --desc=test test
------------------
Added group "test"
------------------
  Group name: test
  Description: test
  GID: 523800179

CORRECT BEHAVIOR
# ipa group-mod --addattr gidnumber=12345678 test
ipa: ERROR: gidnumber: Only one value allowed.

# ipa group-mod --delattr gidnumber=12345678 test
ipa: ERROR: gidnumber does not contain '12345678'

# ipa group-mod --delattr gidnumber=523800179 test
ipa: ERROR: 'gid' is required

INCORRECT BEHAVIOR
# ipa group-mod --addattr gidnumber=12345678 --delattr gidnumber=12345678 test
---------------------
Modified group "test"
---------------------
  Group name: test
  Description: test
  GID: 523800179

# echo $?
0


Version-Release number of selected component (if applicable):
# rpm -qi ipa-server
Name        : ipa-server                   Relocations: (not relocatable)
Version     : 3.0.0                             Vendor: (none)
Release     : 105.20121022T2338zgit3488770.el6   Build Date: Mon 22 Oct 2012
09:13:40 PM EDT
Install Date: Thu 25 Oct 2012 03:17:00 PM EDT      Build Host:
goofy-vm16.dsdev.sjc.redhat.com
Group       : System Environment/Base       Source RPM:
ipa-3.0.0-105.20121022T2338zgit3488770.el6.src.rpm
Size        : 4357546                          License: GPLv3+
Signature   : (none)
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server
Description :
IPA is an integrated solution to provide centrally managed Identity (machine,
user, virtual machines, groups, authentication credentials), Policy
(configuration settings, access control information) and Audit (events,
logs, analysis thereof). If you are installing an IPA server you need
to install this package (in other words, most people should NOT install
this package).


How reproducible:
always

Steps to Reproduce:
1. see description
2.
3.

Actual results:
No error, appears successful but isn't and return code 0

Expected results:

according to help ..

  --addattr=STR  Add an attribute/value pair. Format is attr=value. The
                 attribute must be part of the schema.
  --delattr=STR  Delete an attribute/value pair. The option will be evaluated
                 last, after all sets and adds.

delattr should be evaluated last and would have at least expected

# ipa group-mod --delattr gidnumber=523800179 test
ipa: ERROR: 'gid' is required

and return code of 1

Additional info:

I check the behavior, for the reported command. Setting both "--addattr gidnumber=12345678 --delattr gidnumber=12345678" is actually allowed even for a single valued attribute, as this operation practically translates to NOOP.

But in that case, we should return "no modifications to be performed" error if no other attribute was modified. This *is* a regression:

# ipa group-add foogroup
Description: foo
----------------------
Added group "foogroup"
----------------------
  Group name: foogroup
  Description: foo
  GID: 371800003


OK:

# ipa group-mod foogroup --delattr=gidnumber=371800000
ipa: ERROR: gidnumber does not contain '371800000'

OK:

# ipa group-mod foogroup --delattr=gidnumber=371800003
ipa: ERROR: 'gid' is required

OK:

# ipa group-mod foogroup --addattr=gidnumber=371800000
ipa: ERROR: gidnumber: Only one value allowed.

ERROR:

# ipa group-mod foogroup --addattr=gidnumber=371800000 --delattr=gidnumber=371800000
-------------------------
Modified group "foogroup"
-------------------------
  Group name: foogroup
  Description: foo
  GID: 371800003

"no modifications to be performed" should have been risen. I will open an upstream ticket.