authorMartin Nagy <mnagy@redhat.com>2008-09-10 13:41:57 +0200
committerMartin Nagy <mnagy@redhat.com>2008-09-11 23:39:28 +0200
commitf33c57e6f811f97dfe7867420d97ec90a545c1ca (patch)
tree203659cd5ea4aef98f5083f67f1fc58fb85bc1f6
parentfa019e932d2557b49e3dc1c29a0704fa8076086b (diff)
Fix the -G option of ipa-adduser. Don't add the user if one of the groups doesn't exist. Fixes: 459801
-rw-r--r--ipa-admintools/ipa-adduser39
1 files changed, 28 insertions, 11 deletions
diff --git a/ipa-admintools/ipa-adduser b/ipa-admintools/ipa-adduser
index c3c5909f6..cf1f43244 100644
--- a/ipa-admintools/ipa-adduser
+++ b/ipa-admintools/ipa-adduser
@@ -218,8 +218,24 @@ def main():
user.setValue(attr, value)
client = ipaclient.IPAClient(verbose=options.verbose)
+
+ # get group dns and verify they exist
+ groups_to_add = []
+ if groups:
+ for group in groups.split(','):
+ group_dn = get_group_dn(client, group)
+ if not group_dn:
+ print "group %s doesn't exist" % group
+ return 1
+ groups_to_add.append(group_dn)
+
+ # add the user
client.add_user(user)
+ # add the user to all the groups
+ for group in groups_to_add:
+ client.add_user_to_group(username, group)
+
# Set the User's password
if password is not None:
try:
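Review bot: The new `add_user_to_group` loop that follows `client.add_user(user)` has no error handling, so any failure there (for instance a group removed between the existence check and the add) leaves the account created with only some of the requested groups and nothing telling the operator which ones. The removed code caught `ipa.ipaerror.exception_for(ipa.ipaerror.LDAP_NOT_FOUND)` per group; the loop should keep a handler and report that the user exists but its group membership is incomplete, as sketched below. Separately, `groups.split(',')` now hands empty names to `get_group_dn`, so a trailing or doubled comma in `-G` aborts with "group  doesn't exist" where the old `if g:` skipped them; an `if not group: continue` at the top of the verification loop restores that. The loop also passes a DN where the old code passed the group name, and whether `add_user_to_group` accepts a DN is not visible in this hunk.

```python
    # add the user to all the groups
    for group in groups_to_add:
        try:
            client.add_user_to_group(username, group)
        except ipa.ipaerror.exception_for(ipa.ipaerror.LDAP_NOT_FOUND):
            print "User added but group %s could not be found" % group
            return 1
    # … unchanged: password handling …
```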
@@ -229,20 +245,21 @@ def main():
print "%s" % (e.message)
return 1
- # Add to any groups
- if groups:
- add_groups = groups.split(',')
- for g in add_groups:
- if g:
- try:
- client.add_user_to_group(username, g)
- print "%s added to group %s" % (username, g)
- except ipa.ipaerror.exception_for(ipa.ipaerror.LDAP_NOT_FOUND):
- print "group %s doesn't exist, skipping" % g
-
print username + " successfully added"
return 0
+def get_group_dn(client, group_name):
+ if not group_name:
+ return None
+
+ found = client.find_groups(group_name)
+ if len(found) < 2:
+ return None
+ for group in found[1:]:
+ if group.cn == group_name:
+ return group.dn
+ return None
+
try:
if __name__ == "__main__":
sys.exit(main())
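Review bot: `get_group_dn` has no docstring, and both `len(found) < 2` and `found[1:]` rely on `find_groups` returning something other than a group entry as its first element, which nothing in the function explains. I would add a docstring such as `"""Return the DN of the group whose cn equals group_name, or None if no such group exists."""` and a comment on the slice, `# found[0] is not a group entry (presumably a result counter); confirm against find_groups`. The `group.cn == group_name` comparison is also case-sensitive, so if the directory matches cn case-insensitively, as LDAP servers commonly do, `-G Admins` would be rejected for a group stored as `admins`. Comparing lower-cased values would avoid that, if that is the intended behaviour.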