On 03/13/2014 12:59 PM, Alexander Bokovoy wrote:
> On Thu, 13 Mar 2014, Tomas Babej wrote:
>> Hi,
>>
>> Changes the code in the idrange_del method to not only check for
>> the root domains that match the SID in the IDRange, but for the
>> SIDs of subdomains of trusts as well.
>>
>> https://fedorahosted.org/freeipa/ticket/4247
>>
>> --
>> Tomas Babej
>> Associate Software Engeneer | Red Hat | Identity Management
>> RHCE | Brno Site | IRC: tbabej | freeipa.org
>>
>>
> >>> From e8c83773d8164d87d79062931b642df76fc479da Mon Sep 17 00:00:00 2001
>> From: Tomas Babej <tba...@redhat.com>
>> Date: Thu, 13 Mar 2014 12:36:17 +0100
>> Subject: [PATCH] Prohibit deletion of active subdomain range
>>
>> Changes the code in the idrange_del method to not only check for
>> the root domains that match the SID in the IDRange, but for the
>> SIDs of subdomains of trusts as well.
>>
>> https://fedorahosted.org/freeipa/ticket/4247
>> ---
>> ipalib/plugins/idrange.py | 23 +++++++++++++++++------
>> 1 file changed, 17 insertions(+), 6 deletions(-)
>>
>> diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
>> index >> 3a92d9898cc03f517b0f2bb75093eeb741cff646..ff6cdbc94ce479d0d8863cc5dfb1c074e7f3a5ad >> 100644
>> --- a/ipalib/plugins/idrange.py
>> +++ b/ipalib/plugins/idrange.py
>> @@ -568,13 +568,24 @@ class idrange_del(LDAPDelete):
>>
>> if range_sid is not None:
>> range_sid = range_sid[0]
>> - result = >> api.Command['trust_find'](ipanttrusteddomainsid=range_sid)
>>
>> - if result['count'] > 0:
>> - raise errors.DependentEntry(
>> - label='Active Trust',
>> - key=keys[0],
>> - dependent=result['result'][0]['cn'][0])
>> + # We need to check all the subdomains of all trusts, so we >> iterate
>> + # over all active trusts
>> + active_trusts = api.Command['trust_find']()
>> +
>> + for trust in active_trusts['result']:
>> + matching_domains = api.Command['trustdomain_find'](
>> + trust['cn'][0],
>> + ipanttrusteddomainsid=range_sid
>> + )
>> +
>> + # If there's a active domain of a trust that this range
>> + # belongs to, raise an DependentEntry error
>> + if matching_domains['count'] > 0:
>> + raise errors.DependentEntry(
>> + label='Active Trust domain',
>> + key=keys[0],
>> + dependent=matching_domains['result'][0]['cn'][0])
>>
>> return dn
> > ACK.
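Review bot: The new guard can fail open if the trust listing is truncated: `api.Command['trust_find']()` is called with default limits, so when more trusts exist than the configured search size limit returns, a trust whose subdomain owns `range_sid` may never be visited and the deletion proceeds. Since this check protects the ID mappings of an active trust, consider `active_trusts = api.Command['trust_find'](sizelimit=0)` and refusing the deletion when `active_trusts['truncated']` is set. Both find calls presumably run with the caller's own read access, so it is worth confirming that anyone allowed to delete a range can also read every trust and trust-domain entry; otherwise the loop silently sees nothing. The enclosing method begins above this hunk, so how `range_sid` is obtained is not visible here.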
NACK from me - too complicated and ineffective. Please check my review for details. Martin _______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel