[Freeipa-devel] [PATCH] 0137 ipasam: remove child domains before removing trust

Martin Kosek mkosek at redhat.com
Tue Jan 21 11:33:25 UTC 2014


On 01/21/2014 12:06 PM, Sumit Bose wrote:
> On Tue, Jan 21, 2014 at 12:39:32PM +0200, Alexander Bokovoy wrote:
>> On Tue, 21 Jan 2014, Alexander Bokovoy wrote:
>>> On Tue, 21 Jan 2014, Sumit Bose wrote:
>>>> On Mon, Jan 20, 2014 at 04:49:21PM +0200, Alexander Bokovoy wrote:
>>>>> Hi!
>>>>>
>>>>> Make sure we delete child domains before removing the trust itself as
>>>>> the LDAP protocol does not allow removing non-leaf objects.
>>>>>
>>>>> This has a non-obvious effect -- old code did remove cross-realm
>>>>> principals and then removed trust object. However, for trusts with child
>>>>> domains the trust domain object was not removed as LDAP server prevents
>>>>> removing non-leaf objects. It resulted in the object still existing but
>>>>> cross-realm principals missing. The trust is thus non-functioning. This
>>>>> situation can be triggered with a second 'ipa trust-add' call.
>>>>>
>>>>> Fix the code by removing child domains first and then remove the forest
>>>>> root trusted domain object.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/4126
>>>>
>>>> Patch is working as expected. But I would suggest to remove the 'const'
>>>> from the declaration of dn (also in the caller) to avoid compiler
>>>> warnings. As an alternative you can take a different talloc context, but
>>>> using dn here makes sense.
>>> I've removed 'const'. Btw, gcc in F20 is smarter than your gcc in F18,
>>> it does not issue any warnings in C99 mode for ipa_sam.c :)
>> .. and one more removal of 'const' in the caller to suit gcc < 4.8.2.
> 
> ACK
> 
> bye,
> Sumit
> 

Pushed to master, ipa-3-3.

Martin
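
Added example, not part of the thread or of the FreeIPA patch: a toy in-memory directory that enforces the leaf-only delete rule, showing the half-removed state the old ordering leaves behind and the ordering the patch description calls for. The DNs, class and function names are constructed for illustration, and the position of the principal removal in the fixed ordering is an assumption.

```python
"""Toy model of the deletion-order problem described in the thread (constructed data)."""

class NotAllowedOnNonLeaf(Exception):
    """Stands in for the LDAP result code notAllowedOnNonLeaf (66)."""

class Directory:
    def __init__(self, dns):
        self.entries = set(dns)

    def descendants(self, dn):
        # Naive suffix match; the constructed DNs contain no escaped commas.
        return [e for e in self.entries if e.endswith("," + dn)]

    def delete(self, dn):
        # Same rule an LDAP server applies: only leaf entries may be deleted.
        if self.descendants(dn):
            raise NotAllowedOnNonLeaf(dn)
        self.entries.discard(dn)

# Constructed placeholder DNs, not the project's real directory layout.
TRUST = "cn=ad.example,cn=trusts,dc=ipa,dc=example"
CHILD = "cn=child.ad.example," + TRUST
PRINCIPALS = [
    "krbprincipalname=krbtgt/AD.EXAMPLE@IPA.EXAMPLE,cn=kerberos,dc=ipa,dc=example",
    "krbprincipalname=krbtgt/IPA.EXAMPLE@AD.EXAMPLE,cn=kerberos,dc=ipa,dc=example",
]

def build_sample():
    return Directory([TRUST, CHILD, *PRINCIPALS])

def remove_trust_old(d, trust_dn, principal_dns):
    """Old order: cross-realm principals first, then the trust object."""
    for p in principal_dns:
        d.delete(p)
    try:
        d.delete(trust_dn)
    except NotAllowedOnNonLeaf:
        return False  # trust object survives, principals are already gone
    return True

def remove_trust_fixed(d, trust_dn, principal_dns):
    """Fixed order: child domains (deepest first), principals, then the root object."""
    for child in sorted(d.descendants(trust_dn), key=lambda e: e.count(","), reverse=True):
        d.delete(child)
    for p in principal_dns:
        d.delete(p)
    d.delete(trust_dn)
    return True

if __name__ == "__main__":
    print(remove_trust_old(build_sample(), TRUST, PRINCIPALS))
    print(remove_trust_fixed(build_sample(), TRUST, PRINCIPALS))
```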