From 51f03f45f6cdab9da0479f48093951ccdd7cdab0 Mon Sep 17 00:00:00 2001
From: Martin Basti
Date: Thu, 9 Jul 2015 17:17:21 +0200
Subject: [PATCH] Prevent to rename certprofile profile id

https://fedorahosted.org/freeipa/ticket/5074
Reviewed-By: Jan Cholasta
---
 ipalib/plugins/certprofile.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py
index 6f9a41875b2a276b521219156e630817a9c41fdc..5550ed942521dbab2e783fba1570520268f9b378 100644
--- a/ipalib/plugins/certprofile.py
+++ b/ipalib/plugins/certprofile.py
@@ -291,6 +291,9 @@ class certprofile_mod(LDAPUpdate):
 def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
 ca_enabled_check()
+ # Once a profile id is set it cannot be changed
+ if 'cn' in entry_attrs:
+ raise errors.ACIError(info=_('cn is immutable'))
 if 'file' in options:
 with self.api.Backend.ra_certprofile as profile_api:
 profile_api.disable_profile(keys[0])
-- 
2.1.0
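Review bot: The new guard in `pre_callback` raises `errors.ACIError`, which reports an access-control denial, for what is really an input-validation failure (a modify request that carries `cn`). Callers and audit logs would then show a permission error even for a fully privileged administrator, which makes genuine authorization failures harder to tell apart during triage. Consider `raise errors.ValidationError(name='cn', error=_('cn is immutable'))` instead. The comment could also say why the id is fixed: presumably it keys the matching profile on the CA side, which the `disable_profile(keys[0])` call below depends on, but that should be confirmed before it is stated. The patch adds no test showing that a request setting `cn` is rejected before the profile is touched, and `pre_callback` continues past the end of the hunk.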