Patch attached.

From 7277e6ac97bacb86ea8eb56125b8071165e2f777 Mon Sep 17 00:00:00 2001
From: Martin Basti <>
Date: Thu, 18 Aug 2016 10:11:25 +0200
Subject: [PATCH] Fix: container owner should be able to add vault

With recent change in DS (CVE fix), ds is not returning DuplicatedEntry
error in case that user is not permitted by ACI to write, but ACIError instead.

It is safe to ignore ACI error in container, because it will be raised
again later if user has no access to container.
 ipaserver/plugins/ | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/plugins/ b/ipaserver/plugins/
index c9b7cb942cfbca74134bce4ba039619b4f5f2845..5c4c09685ceb95c6634306c4275008d602099e12 100644
--- a/ipaserver/plugins/
+++ b/ipaserver/plugins/
@@ -783,7 +783,7 @@ class vault_add_internal(LDAPCreate):
             self.obj.create_container(parent_dn, owner_dn)
-        except errors.DuplicateEntry as e:
+        except (errors.DuplicateEntry, errors.ACIError):
         # vault should be owned by the creator
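
Review bot: the widened `except (errors.DuplicateEntry, errors.ACIError):` around `self.obj.create_container(parent_dn, owner_dn)` now silences every ACIError from container creation, not only the one DS returns in place of DuplicateEntry when the container already exists. The commit message argues this is safe because the error is raised again later if the user has no access to the container, but nothing in the code records that assumption. Please add a short comment at the except clause stating why ACIError can be ignored here, and consider a test in which a user who does not own the container tries to add a vault, so that the later ACIError is actually exercised.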
