From 35916294df8acc87e70c6b6796c644824caed64a Mon Sep 17 00:00:00 2001
From: Tomas Babej <tbabej@redhat.com>
Date: Thu, 13 Mar 2014 12:36:17 +0100
Subject: [PATCH] Prohibit deletion of active subdomain range
Changes the code in the idrange_del method to not only check for
the root domains that match the SID in the IDRange, but for the
SIDs of subdomains of trusts as well.
https://fedorahosted.org/freeipa/ticket/4247
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipalib/plugins/idrange.py | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
9991ea
index cf74a75ffda42b2d2e40d2ab35c79ed069dd0f52..56ef4bba3ad0203d7d2462db6c4de90e1cb555cd 100644
9991ea
--- a/ipalib/plugins/idrange.py
9991ea
+++ b/ipalib/plugins/idrange.py
9991ea
@@ -567,14 +567,26 @@ class idrange_del(LDAPDelete):
9991ea
         range_sid = old_attrs.get('ipanttrusteddomainsid')
9991ea
 
9991ea
         if range_sid is not None:
9991ea
+            # Search for trusted domain with SID specified in the ID range entry
9991ea
             range_sid = range_sid[0]
9991ea
-            result = api.Command['trust_find'](ipanttrusteddomainsid=range_sid)
9991ea
+            domain_filter=('(&(objectclass=ipaNTTrustedDomain)'
9991ea
+                           '(ipanttrusteddomainsid=%s))' % range_sid)
9991ea
 
9991ea
-            if result['count'] > 0:
9991ea
+            try:
9991ea
+                (trust_domains, truncated) = ldap.find_entries(
9991ea
+                    base_dn=DN(api.env.container_trusts, api.env.basedn),
9991ea
+                    filter=domain_filter)
9991ea
+            except errors.NotFound:
9991ea
+                pass
9991ea
+            else:
9991ea
+                # If there's an entry, it means that there's active domain
9991ea
+                # of a trust that this range belongs to, so raise a
9991ea
+                # DependentEntry error
9991ea
                 raise errors.DependentEntry(
9991ea
-                    label='Active Trust',
9991ea
+                    label='Active Trust domain',
9991ea
                     key=keys[0],
9991ea
-                    dependent=result['result'][0]['cn'][0])
9991ea
+                    dependent=trust_domains[0].dn[0].value)
9991ea
+
9991ea
 
9991ea
         return dn
9991ea
 
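Review bot: The filter assigned to `domain_filter` interpolates `range_sid` into the LDAP filter string with `%` and no escaping. The value is read from `old_attrs`, the stored ID range entry, so whether a malformed SID can get this far depends on validation in the add/modify path, which this hunk does not show; a value containing `*`, `(` or `)` would change what this deletion guard matches or make the search fail. Building the filter through the client's escaping helper removes that dependency: `domain_filter = ldap.make_filter({'objectclass': 'ipaNTTrustedDomain', 'ipanttrusteddomainsid': range_sid}, rules=ldap.MATCH_ALL)`. The unpacked `truncated` is never read. The enclosing method starts before the hunk.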
-- 
1.8.5.3