[Freeipa-devel] [PATCH] 0137 ipasam: remove child domains before removing trust

Sumit Bose sbose at redhat.com
Tue Jan 21 11:06:31 UTC 2014


On Tue, Jan 21, 2014 at 12:39:32PM +0200, Alexander Bokovoy wrote:
> On Tue, 21 Jan 2014, Alexander Bokovoy wrote:
> >On Tue, 21 Jan 2014, Sumit Bose wrote:
> >>On Mon, Jan 20, 2014 at 04:49:21PM +0200, Alexander Bokovoy wrote:
> >>>Hi!
> >>>
> >>>Make sure we delete child domains before removing the trust itself as
> >>>LDAP protocol does not allow removing non-leaf objects.
> >>>
> >>>This has non-obvious effect -- old code did remove cross-realm
> >>>principals and then removed trust object. However, for trusts with child
> >>>domains the trust domain object was not removed as LDAP server prevents
> >>>removing non-leaf objects. It resulted in the object still existing but
> >>>cross-realm principals missing. The trust is thus non-functioning. This
> >>>situation can be triggered with a second 'ipa trust-add' call.
> >>>
> >>>Fix the code by removing child domains first and then remove the forest
> >>>root trusted domain object.
> >>>
> >>>https://fedorahosted.org/freeipa/ticket/4126
> >>
> >>Patch is working as expected. But I would suggest to remove the 'const'
> >>from the declaration of dn (also in the caller) to avoid compiler
> >>warnings. As an alternative you can take a different talloc context, but
> >>using dn here makes sense.
> >I've removed 'const'. Btw, gcc in F20 is smarter than your gcc in F18,
> >it does not issue any warnings in C99 mode for ipa_sam.c :)
> .. and one more removal of 'const' in the caller to suit gcc < 4.8.2.

ACK

bye,
Sumit

> 
> -- 
> / Alexander Bokovoy
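
The ordering problem discussed in this thread, as an added example that is not part of the original messages or of ipa_sam.c: a small in-memory model of a directory that, like an LDAP server, refuses to delete non-leaf entries. The DNs, the helper names and the point at which principals are removed in the fixed path are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define LDAP_SUCCESS 0
#define LDAP_NO_SUCH_OBJECT 32          /* RFC 4511 noSuchObject */
#define LDAP_NOT_ALLOWED_ON_NONLEAF 66  /* RFC 4511 notAllowedOnNonLeaf */
#define N 4
/* Constructed sample DNs, not FreeIPA's real directory layout. */
#define TRUST "cn=ad.example,cn=trusts,dc=ipa,dc=example"
#define CHILD "cn=child.ad.example," TRUST
#define PRINC "cn=krbtgt-ad.example,cn=principals,dc=ipa,dc=example"
const char *entries[N];
void dir_reset(void) {
    memset(entries, 0, sizeof(entries)); entries[0] = TRUST; entries[1] = CHILD; entries[2] = PRINC;
}
/* True if entry e is a descendant of dn (e ends with "," followed by dn). */
int is_below(const char *e, const char *dn) {
    size_t le = strlen(e), ld = strlen(dn);
    return le > ld + 1 && e[le - ld - 1] == ',' && strcmp(e + le - ld, dn) == 0;
}
int dir_exists(const char *dn) {
    for (int i = 0; i < N; i++) if (entries[i] && strcmp(entries[i], dn) == 0) return 1;
    return 0;
}
/* Delete one entry the way an LDAP server does: only leaf entries may go. */
int dir_delete(const char *dn) {
    int idx = -1;
    for (int i = 0; i < N; i++) {
        if (!entries[i]) continue;
        if (is_below(entries[i], dn)) return LDAP_NOT_ALLOWED_ON_NONLEAF;
        if (strcmp(entries[i], dn) == 0) idx = i;
    }
    if (idx < 0) return LDAP_NO_SUCH_OBJECT;
    entries[idx] = NULL;
    return LDAP_SUCCESS;
}
/* Old order: principals are removed, then deleting the trust object fails. */
int delete_trust_old(void) { dir_delete(PRINC); return dir_delete(TRUST); }
/* Fixed order: child domains first; principals are touched only after that. */
int delete_trust_fixed(void) {
    for (int i = 0; i < N; i++)
        if (entries[i] && is_below(entries[i], TRUST) && dir_delete(entries[i]) != LDAP_SUCCESS)
            return LDAP_NOT_ALLOWED_ON_NONLEAF;  /* a child still has entries below it */
    dir_delete(PRINC);
    return dir_delete(TRUST);
}
int main(void) {
    dir_reset(); int a = delete_trust_old(); printf("old:   rc=%d trust_left=%d\n", a, dir_exists(TRUST));
    dir_reset(); int b = delete_trust_fixed(); printf("fixed: rc=%d trust_left=%d\n", b, dir_exists(TRUST));
    return 0;
}
```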



