From 35916294df8acc87e70c6b6796c644824caed64a Mon Sep 17 00:00:00 2001
From: Tomas Babej <tbabej@redhat.com>
Date: Thu, 13 Mar 2014 12:36:17 +0100
Subject: [PATCH] Prohibit deletion of active subdomain range
Changes the code in the idrange_del method to not only check for
the root domains that match the SID in the IDRange, but for the
SIDs of subdomains of trusts as well.
https://fedorahosted.org/freeipa/ticket/4247
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipalib/plugins/idrange.py | 20 ++++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
index cf74a75ffda42b2d2e40d2ab35c79ed069dd0f52..56ef4bba3ad0203d7d2462db6c4de90e1cb555cd 100644
--- a/ipalib/plugins/idrange.py
+++ b/ipalib/plugins/idrange.py
@@ -567,14 +567,26 @@ class idrange_del(LDAPDelete):
range_sid = old_attrs.get('ipanttrusteddomainsid')
if range_sid is not None:
+ # Search for trusted domain with SID specified in the ID range entry
range_sid = range_sid[0]
- result = api.Command['trust_find'](ipanttrusteddomainsid=range_sid)
+ domain_filter=('(&(objectclass=ipaNTTrustedDomain)'
+ '(ipanttrusteddomainsid=%s))' % range_sid)
- if result['count'] > 0:
+ try:
+ (trust_domains, truncated) = ldap.find_entries(
+ base_dn=DN(api.env.container_trusts, api.env.basedn),
+ filter=domain_filter)
+ except errors.NotFound:
+ pass
+ else:
+ # If there's an entry, it means that there's active domain
+ # of a trust that this range belongs to, so raise a
+ # DependentEntry error
raise errors.DependentEntry(
- label='Active Trust',
+ label='Active Trust domain',
key=keys[0],
- dependent=result['result'][0]['cn'][0])
+ dependent=trust_domains[0].dn[0].value)
+
return dn
--
1.8.5.3