[Freeipa-devel] [PATCH 0157] Prohibit deletion of active subdomain range

Alexander Bokovoy abokovoy at redhat.com
Thu Mar 13 11:59:11 UTC 2014


On Thu, 13 Mar 2014, Tomas Babej wrote:
>Hi,
>
>Changes the code in the idrange_del method to not only check for
>the root domains that match the SID in the IDRange, but for the
>SIDs of subdomains of trusts as well.
>
>https://fedorahosted.org/freeipa/ticket/4247
>
>-- 
>Tomas Babej
>Associate Software Engineer | Red Hat | Identity Management
>RHCE | Brno Site | IRC: tbabej | freeipa.org
>
>

>>From e8c83773d8164d87d79062931b642df76fc479da Mon Sep 17 00:00:00 2001
>From: Tomas Babej <tbabej at redhat.com>
>Date: Thu, 13 Mar 2014 12:36:17 +0100
>Subject: [PATCH] Prohibit deletion of active subdomain range
>
>Changes the code in the idrange_del method to not only check for
>the root domains that match the SID in the IDRange, but for the
>SIDs of subdomains of trusts as well.
>
>https://fedorahosted.org/freeipa/ticket/4247
>---
> ipalib/plugins/idrange.py | 23 +++++++++++++++++------
> 1 file changed, 17 insertions(+), 6 deletions(-)
>
>diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
>index 3a92d9898cc03f517b0f2bb75093eeb741cff646..ff6cdbc94ce479d0d8863cc5dfb1c074e7f3a5ad 100644
>--- a/ipalib/plugins/idrange.py
>+++ b/ipalib/plugins/idrange.py
>@@ -568,13 +568,24 @@ class idrange_del(LDAPDelete):
> 
>         if range_sid is not None:
>             range_sid = range_sid[0]
>-            result = api.Command['trust_find'](ipanttrusteddomainsid=range_sid)
> 
>-            if result['count'] > 0:
>-                raise errors.DependentEntry(
>-                    label='Active Trust',
>-                    key=keys[0],
>-                    dependent=result['result'][0]['cn'][0])
>+            # We need to check all the subdomains of all trusts, so we iterate
>+            # over all active trusts
>+            active_trusts = api.Command['trust_find']()
>+
>+            for trust in active_trusts['result']:
>+                matching_domains = api.Command['trustdomain_find'](
>+                                       trust['cn'][0],
>+                                       ipanttrusteddomainsid=range_sid
>+                                   )
>+
>+                # If there's a active domain of a trust that this range
>+                # belongs to, raise an DependentEntry error
>+                if matching_domains['count'] > 0:
>+                    raise errors.DependentEntry(
>+                        label='Active Trust domain',
>+                        key=keys[0],
>+                        dependent=matching_domains['result'][0]['cn'][0])
> 
>         return dn
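
Review bot: The removed `trust_find(ipanttrusteddomainsid=range_sid)` lookup was the only direct check of the root domain's SID, so the new loop protects a root-domain range only if `trustdomain_find` also returns the trust's root domain. Please confirm that it does, or keep the original check alongside the loop, and add a test that covers both a root-domain range and a subdomain range. Separately, `api.Command['trust_find']()` is now called with no filter and the result is iterated without looking at whether the search was truncated. If a size or time limit cuts the list short, trusts beyond the limit are never checked and the deletion goes through, so request an unlimited search or fail closed when the result is marked truncated. Minor: the new comment should read "an active domain" and "a DependentEntry error".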

ACK.


-- 
/ Alexander Bokovoy



