Upon discussion with Simo we decided that OTP tokens should be
orphaned/deleted also during the user preservation.
From 635754c3773b1db5550fe19ad6f0a84e84d36459 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Fri, 16 Oct 2015 19:16:46 +0200
Subject: [PATCH] execute user-del pre-callback also during user preservation
The user preservation code was not using the pre-callback function, which
checks whether a protected member is being deleted and facilitates the
orphaning/deletion of OTP tokens owned/managed by the user.
ipalib/plugins/user.py | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index e3397f03d91377770efaeae3fbc710bfce668f13..31d7b1d6decadd5bf5d4cf148d15f4426fc77f49 100644
@@ -618,6 +618,10 @@ class user_del(baseuser_del):
+ for callback in self.get_callbacks('pre'):
+ dn = callback(self, ldap, dn, [pkey], **options)
+ assert isinstance(dn, DN)
# start to move the entry to Delete container
self._exc_wrapper(pkey, options, ldap.move_entry)(dn, delete_dn,
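Review bot: The new loop passes `[pkey]`, a one-element list, as the key argument, so a callback that reads the key from its positional arguments would receive a list rather than the user name. If the protected-member check compares that value against member names, it would silently never match, and the guard this commit restores would not fire during preservation. The callback signature is outside this hunk, so confirm it; if it takes `*keys`, call `dn = callback(self, ldap, dn, pkey, **options)`. Separately, `assert isinstance(dn, DN)` is stripped under `python -O`; an explicit `if not isinstance(dn, DN): raise TypeError(...)` keeps the check in optimized runs. The enclosing method starts and ends outside the hunk.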
@@ -673,6 +677,9 @@ class user_del(baseuser_del):
+ if dn.endswith(DN(self.obj.delete_container_dn, api.env.basedn)):
+ return dn
# Delete all tokens owned and managed by this user.
# Orphan all tokens owned but not managed by this user.
owner = self.api.Object.user.get_primary_key_from_dn(dn)
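Review bot: The early return at `if dn.endswith(DN(self.obj.delete_container_dn, api.env.basedn)):` skips the token cleanup below for every entry already in the delete container. A user preserved before this change, when preservation did not run this callback, would presumably keep its owned and managed OTP tokens after final deletion, so it is worth confirming whether such entries need a one-time cleanup. What runs before the return, in particular the protected-member check, is outside the hunk. The guard also reads `api.env.basedn` from the global `api` while the next statement uses `self.api`; `self.api.env.basedn` would be consistent, and a short comment stating why preserved entries skip token handling would help.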