Several similar errors in ipa.test_xmlrpc.test_stageuser_plugin:
except errors.PublicError as got_exception:
>       assert type(expected_exception) is type(got_exception)
E       assert <class 'ipalib.errors.DuplicateEntry'> is <class 'ipalib.errors.ACIError'>
E        +  where <class 'ipalib.errors.DuplicateEntry'> = type(DuplicateEntry(u'user with name "tuser" already exists',))
E        +  and   <class 'ipalib.errors.ACIError'> = type(ACIError(u"Insufficient access: Insufficient 'add' privilege to add the entry ...ts,cn=provisioning,dc=dom-150,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'.",))
Version of DS: 389-ds-base-1.3.5.12-1.fc24.x86_64
In the latest provided build of DS, there were some changes in ACI enforcing, thus this is probably the root cause.
The latest changes to fix a CVE issue did not change the ACI implementation, but changed return codes to avoid guessing. E.g. if a user tries to add an existing entry where he would not have access to create it, he did get "already exists", but now always gets "insufficient access", so this could affect expected return codes in clients.
This is caused by exactly what Ludwig wrote. Admin has no write access to the deleted users container; before DS 1.3.5.12 it received DuplicatedEntry, but now it receives ACIError.
We cannot rely on the DuplicatedEntry error anymore in code; there must be an explicit check in [stage]user-add to not add the entry if it already exists.
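The explicit check described above, as an added illustration that is not FreeIPA's own code: a constructed model of a DS that either leaks existence before the ACI check (old behaviour) or evaluates the ACI first (1.3.5.12 behaviour), and a plugin add path with and without an explicit search. The container names mirror the traceback; the Directory class, its rights model and the `add_user`/`error_seen` helpers are assumptions for the example, as is the assumption that the colliding add targets the deleted-users container, which the admin can read but not add to.

```python
# Constructed model, not ipalib code: error classes, a stand-in DS and the
# plugin's add path, to show why an explicit existence check is required.
class PublicError(Exception):
    pass

class DuplicateEntry(PublicError):
    pass

class ACIError(PublicError):
    pass

ACTIVE = "cn=users,cn=accounts"
DELETED = "cn=deleted users,cn=accounts,cn=provisioning"

class Directory:
    """Stand-in DS: entries per container, the bound user's read/add rights,
    and a switch for the 1.3.5.12 ordering (ACI evaluated before existence)."""
    def __init__(self, entries, can_read, can_add, aci_first):
        self.entries, self.can_read, self.can_add = entries, can_read, can_add
        self.aci_first = aci_first

    def exists(self, container, uid):
        if container not in self.can_read:
            raise ACIError("Insufficient 'read' privilege on %s" % container)
        return uid in self.entries[container]

    def add(self, container, uid):
        allowed = container in self.can_add
        if self.aci_first and not allowed:
            # DS >= 1.3.5.12: no add right, so no hint whether the entry exists
            raise ACIError("Insufficient 'add' privilege on %s" % container)
        if uid in self.entries[container]:
            # older DS leaked existence even to a caller without add rights
            raise DuplicateEntry('user with name "%s" already exists' % uid)
        if not allowed:
            raise ACIError("Insufficient 'add' privilege on %s" % container)
        self.entries[container].add(uid)

def add_user(ds, container, uid, explicit_check):
    """Plugin add path: with the check, existence is decided by a read the
    caller is allowed to do, so the error no longer depends on DS internals."""
    if explicit_check:
        for c in ds.entries:
            if ds.exists(c, uid):
                raise DuplicateEntry('user with name "%s" already exists' % uid)
    ds.add(container, uid)

def error_seen(aci_first, explicit_check):
    """Error class name an admin gets when uid "tuser" exists only under DELETED."""
    ds = Directory({ACTIVE: set(), DELETED: {"tuser"}}, can_read={ACTIVE, DELETED},
                   can_add={ACTIVE}, aci_first=aci_first)
    try:
        add_user(ds, DELETED, "tuser", explicit_check)
    except PublicError as e:
        return type(e).__name__
    return None
```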
Note that there exists the privilege "Stage User Provisioning" that grants user_A (having this permission) the right to ADD a stage user but not to read them.
If user_A creates a stage user_B and stage user_B already exists, it will receive "already exists".
A user not having the ADD permission will receive "insufficient rights".
But this is happening for the admin user, the one that has all privileges. This is about user-add and the deleted container.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1370512
master:
Metadata Update from @mbasti: - Issue assigned to mbasti - Issue set to the milestone: FreeIPA 4.4.1