From 35916294df8acc87e70c6b6796c644824caed64a Mon Sep 17 00:00:00 2001
From: Tomas Babej
Date: Thu, 13 Mar 2014 12:36:17 +0100
Subject: [PATCH] Prohibit deletion of active subdomain range
Changes the code in the idrange_del method to not only check for the root domains that match the SID in the IDRange, but for the SIDs of subdomains of trusts as well.
https://fedorahosted.org/freeipa/ticket/4247
Reviewed-By: Alexander Bokovoy
---
 ipalib/plugins/idrange.py | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
index cf74a75ffda42b2d2e40d2ab35c79ed069dd0f52..56ef4bba3ad0203d7d2462db6c4de90e1cb555cd 100644
--- a/ipalib/plugins/idrange.py
+++ b/ipalib/plugins/idrange.py
@@ -567,14 +567,26 @@ class idrange_del(LDAPDelete):
 range_sid = old_attrs.get('ipanttrusteddomainsid')
 if range_sid is not None:
+ # Search for trusted domain with SID specified in the ID range entry
 range_sid = range_sid[0]
- result = api.Command['trust_find'](ipanttrusteddomainsid=range_sid)
+ domain_filter=('(&(objectclass=ipaNTTrustedDomain)'
+ '(ipanttrusteddomainsid=%s))' % range_sid)
- if result['count'] > 0:
+ try:
+ (trust_domains, truncated) = ldap.find_entries(
+ base_dn=DN(api.env.container_trusts, api.env.basedn),
+ filter=domain_filter)
+ except errors.NotFound:
+ pass
+ else:
+ # If there's an entry, it means that there's active domain
+ # of a trust that this range belongs to, so raise a
+ # DependentEntry error
 raise errors.DependentEntry(
- label='Active Trust',
+ label='Active Trust domain',
 key=keys[0],
- dependent=result['result'][0]['cn'][0])
+ dependent=trust_domains[0].dn[0].value)
+
 return dn
--
1.8.5.3
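Review bot: The new `domain_filter` is built by `%`-interpolating `range_sid` straight into an LDAP filter string, so any filter metacharacter in the stored `ipanttrusteddomainsid` value changes the filter's meaning or makes it invalid, and an invalid filter would presumably surface as an error other than the `errors.NotFound` handled here. The value is read from the existing range entry (`old_attrs`), which limits exposure, but this lookup is the guard that blocks deletion of a range still in use, so it should not depend on that attribute being well-formed. Assuming `ldap` is the plugin's LDAP backend, build the filter with its escaping helper instead: `domain_filter = ldap.make_filter({'objectclass': 'ipaNTTrustedDomain', 'ipanttrusteddomainsid': range_sid}, rules=ldap.MATCH_ALL)`. `truncated` is never read and only the first match's DN is used, so a one-line comment saying that any single match is enough to refuse the delete would make that intent explicit. The method body starts and ends outside this hunk.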