Generated trees (like the sudoers or compat tree) cannot hold permissions. When a user tries to add a permission to one, a not very helpful message is shown, given that the user may not realize the difference between a generated tree and any other tree in the FreeIPA DIT:
# ipa permission-add test --right read --attrs cn --subtree "cn=compat,dc=mkosek-fedora20,dc=test"
ipa: ERROR: no such entry
I would expect an error similar to adding an ACI to a non-existent DN:
# ipa permission-add test --right read --attrs cn --subtree "cn=bla,dc=mkosek-fedora20,dc=test"
ipa: ERROR: invalid 'ipapermlocation': Entry cn=bla,dc=mkosek-fedora20,dc=test does not exist
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=976382 (Red Hat Enterprise Linux 7)
master:
ipa-4-1:
Metadata Update from @mkosek: - Issue assigned to tbordaz - Issue set to the milestone: FreeIPA 4.1