From 80767a47c9eda6c82f172b87a6a901be9ebf0c9a Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Mon, 24 Aug 2015 20:25:10 -0400
Subject: [PATCH] certprofile: prevent rename (modrdn)

Fixes: https://fedorahosted.org/freeipa/ticket/5247
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipalib/plugins/certprofile.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py
index 007cc543406b7e5705fd7474f3685cd6a9ce6aca..a0ffa38608400860994c771e4eba81304ead27be 100644
--- a/ipalib/plugins/certprofile.py
+++ b/ipalib/plugins/certprofile.py
@@ -323,8 +323,9 @@ class certprofile_mod(LDAPUpdate):
     def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
         ca_enabled_check()
         # Once a profile id is set it cannot be changed
-        if 'cn' in entry_attrs:
-            raise errors.ACIError(info=_('cn is immutable'))
+        if 'rename' in options or 'cn' in entry_attrs:
+            raise errors.ProtectedEntryError(label='certprofile', key=keys[0],
+                reason=_('Certificate profiles cannot be renamed'))
         if 'file' in options:
             with self.api.Backend.ra_certprofile as profile_api:
                 profile_api.disable_profile(keys[0])
-- 
2.4.3