Issue

When setting the user or group objectclasses a verification is done to ensure that the possible attributes are all allowed by the available set of objectclasses. This comparison is done in a case-sensitive way and it shouldn't need to be.

Steps to Reproduce

1. This repo at this commit https://github.com/Brandeis-CS-Systems/idm-unet-id-plugin/commit/0219efd70da1b30bb18a67038f3f969bb3fd29f7
2. unetuser_attributes = ["unetID"]
3. ipa config-mod --userobjectclasses={top,person,organizationalperson,inetorgperson,inetuser,posixaccount,krbprincipalaux,krbticketpolicyaux,ipaobject,ipasshuser,unetuser}

Actual behavior

error: invalid 'ipauserobjectclasses': user default attribute unetID would not be allowed!

Expected behavior

case shouldn't matter

Making unetuser_attributes lower-case will fix it showing that it is a case-sensitivity issue

This patch allows this particular situation to pass, there could be others:

--- ipaserver/plugins/config.py 2020-06-23 16:42:11.940562212 -0400
+++ /usr/lib/python3.7/site-packages/ipaserver/plugins/config.py        2020-07-15 15:03:43.218477394 -0400
@@ -535,7 +535,7 @@
                       self.api.Object[obj].params[obj_attr].flags:
                         # skip virtual attributes
                         continue
-                    if obj_attr not in new_allowed_attrs:
+                    if obj_attr.lower() not in new_allowed_attrs:
                         raise errors.ValidationError(name=attr,
                                 error=_('%(obj)s default attribute %(attr)s would not be allowed!') \
                                 % dict(obj=obj, attr=obj_attr))