[Freeipa-devel] [PATCH 0157] Prohibit deletion of active subdomain range
Martin Kosek
mkosek at redhat.com
Thu Mar 13 11:52:29 UTC 2014
On 03/13/2014 12:45 PM, Tomas Babej wrote:
> Hi,
>
> Changes the code in the idrange_del method to not only check for
> the root domains that match the SID in the IDRange, but for the
> SIDs of subdomains of trusts as well.
>
> https://fedorahosted.org/freeipa/ticket/4247
This is a very complicated validation procedure IMO. Lot of subcommands, lot of
LDAP searches.
Why can't we do just one LDAP search with
- base api.env.container_trusts
- scope SUB
- filter (&(objectclass=ipaNTTrustedDomain)(ipanttrusteddomainsid=range_sid))
When errors.NotFound is raised, we are OK. When it is not raised, we have a
problem.
Wouldn't it be simpler?
Martin
More information about the Freeipa-devel
mailing list