I had problems adding or deleting ssh public keys for some users (see error log in attachment).
After some investigation I found the problem. The users need an objectclass "ipasshuser" (in exactly this lower and upper case). But a lot of our users had the objectclass "ipaSshUser" (note the case).
Apparently, some operations change the case of the objectclasses over time...
By the way, the 60basev3.ldif uses the "ipaSshUser", which will not work!
One more thing:
Maybe it's not the fault of FreeIPA directly. Some time ago, I added a custom objectclass to some users (a device needs exactly this objectclass due to non-configurable filters) with Apache Directory Studio. The program uses the cased version from the 60basev3.ldif. And buuum, errors.
Maybe FreeIPA should ignore the case? Or the ldif file should be adjusted...
Thank you for reporting this bug.
IPA should ignore case of objectclasses and attribute names.
This bug is caused by the baseuser.py plugin: the method check_objectclasses() compares objectclasses in a case-sensitive way. This comparison should be case-insensitive, as is done in the rest of IPA.
Steps to reproduce:
1. ipa user-add testssh
2. remove objectclass 'ipasshuser' from the testssh user entry (if it is there)
3. add objectclass 'ipaSshuser' to the testssh user entry
4. try ipa user-mod --sshpubkey="ssh-rsa loremipsumsitdolormitametpubkey"
Metadata Update from @jfreax:
- Issue assigned to mbasti
- Issue set to the milestone: FreeIPA 4.3
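
The case-sensitive comparison described in the reply above, next to a case-insensitive one, as an added example that is not part of the ticket and is not FreeIPA's code. The function names and the sample entry are constructed for illustration; only the objectclass spellings 'ipasshuser' and 'ipaSshuser' come from the ticket.

```python
# Added illustration, not FreeIPA code. All function names are hypothetical.

def missing_case_sensitive(entry_ocs, required):
    """Exact string match: 'ipaSshuser' does not satisfy 'ipasshuser'."""
    return [oc for oc in required if oc not in entry_ocs]


def missing_case_insensitive(entry_ocs, required):
    """Compare objectclass names without regard to case."""
    present = {oc.lower() for oc in entry_ocs}
    return [oc for oc in required if oc.lower() not in present]


def case_variants(entry_ocs, required):
    """Map each required name to the differently cased spelling on the entry.

    Useful for auditing which entries would trip a case-sensitive check.
    """
    stored = {oc.lower(): oc for oc in entry_ocs}
    return {
        oc: stored[oc.lower()]
        for oc in required
        if oc.lower() in stored and stored[oc.lower()] != oc
    }


# Constructed sample entry, shaped like the one from the reproduction steps.
SAMPLE_ENTRY = {
    "uid": ["testssh"],
    "objectclass": ["top", "person", "posixaccount", "ipaSshuser"],
}
REQUIRED = ["ipasshuser"]

if __name__ == "__main__":
    ocs = SAMPLE_ENTRY["objectclass"]
    # Case-sensitive check reports the class as missing although it is present.
    print("case-sensitive missing:  ", missing_case_sensitive(ocs, REQUIRED))
    # Case-insensitive check accepts the entry.
    print("case-insensitive missing:", missing_case_insensitive(ocs, REQUIRED))
    # Audit view: which required classes are stored with different casing.
    print("case variants:           ", case_variants(ocs, REQUIRED))
```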