Hi, Changes the code in the idrange_del method to not only check for the root domains that match the SID in the IDRange, but for the SIDs of subdomains of trusts as well.
https://fedorahosted.org/freeipa/ticket/4247 -- Tomas Babej Associate Software Engeneer | Red Hat | Identity Management RHCE | Brno Site | IRC: tbabej | freeipa.org
>From e8c83773d8164d87d79062931b642df76fc479da Mon Sep 17 00:00:00 2001 From: Tomas Babej <tba...@redhat.com> Date: Thu, 13 Mar 2014 12:36:17 +0100 Subject: [PATCH] Prohibit deletion of active subdomain range Changes the code in the idrange_del method to not only check for the root domains that match the SID in the IDRange, but for the SIDs of subdomains of trusts as well. https://fedorahosted.org/freeipa/ticket/4247 --- ipalib/plugins/idrange.py | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py index 3a92d9898cc03f517b0f2bb75093eeb741cff646..ff6cdbc94ce479d0d8863cc5dfb1c074e7f3a5ad 100644 --- a/ipalib/plugins/idrange.py +++ b/ipalib/plugins/idrange.py @@ -568,13 +568,24 @@ class idrange_del(LDAPDelete): if range_sid is not None: range_sid = range_sid[0] - result = api.Command['trust_find'](ipanttrusteddomainsid=range_sid) - if result['count'] > 0: - raise errors.DependentEntry( - label='Active Trust', - key=keys[0], - dependent=result['result'][0]['cn'][0]) + # We need to check all the subdomains of all trusts, so we iterate + # over all active trusts + active_trusts = api.Command['trust_find']() + + for trust in active_trusts['result']: + matching_domains = api.Command['trustdomain_find']( + trust['cn'][0], + ipanttrusteddomainsid=range_sid + ) + + # If there's a active domain of a trust that this range + # belongs to, raise an DependentEntry error + if matching_domains['count'] > 0: + raise errors.DependentEntry( + label='Active Trust domain', + key=keys[0], + dependent=matching_domains['result'][0]['cn'][0]) return dn -- 1.8.5.3
_______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel