[Freeipa-devel] [PATCH 0157] Prohibit deletion of active subdomain range

Alexander Bokovoy abokovoy at redhat.com
Thu Mar 13 16:11:08 UTC 2014


On Thu, 13 Mar 2014, Tomas Babej wrote:
>>>
>>> Tomas, could you please change the code correspondingly?
>> Sure. Here is the updated patch.
>>
>Slightly improved patch with better control flow. Thanks for the reviews.
>
>-- 
>Tomas Babej
>Associate Software Engineer | Red Hat | Identity Management
>RHCE | Brno Site | IRC: tbabej | freeipa.org
>

>From 31362721d8477fc6c44341edd34c3335d881613d Mon Sep 17 00:00:00 2001
>From: Tomas Babej <tbabej at redhat.com>
>Date: Thu, 13 Mar 2014 12:36:17 +0100
>Subject: [PATCH] Prohibit deletion of active subdomain range
>
>Changes the code in the idrange_del method to not only check for
>the root domains that match the SID in the IDRange, but for the
>SIDs of subdomains of trusts as well.
>
>https://fedorahosted.org/freeipa/ticket/4247
>---
> ipalib/plugins/idrange.py | 20 ++++++++++++++++----
> 1 file changed, 16 insertions(+), 4 deletions(-)
>
>diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
>index 3a92d9898cc03f517b0f2bb75093eeb741cff646..91d8525dbc0c5a294e3d2782c58ef14af2d5a972 100644
>--- a/ipalib/plugins/idrange.py
>+++ b/ipalib/plugins/idrange.py
>@@ -567,14 +567,26 @@ class idrange_del(LDAPDelete):
>         range_sid = old_attrs.get('ipanttrusteddomainsid')
> 
>         if range_sid is not None:
>+            # Search for trusted domain with SID specified in the ID range entry
>             range_sid = range_sid[0]
>-            result = api.Command['trust_find'](ipanttrusteddomainsid=range_sid)
>+            domain_filter=('(&(objectclass=ipaNTTrustedDomain)'
>+                           '(ipanttrusteddomainsid=%s))' % range_sid)
> 
>-            if result['count'] > 0:
>+            try:
>+                (trust_domains, truncated) = ldap.find_entries(
>+                    base_dn=DN(api.env.container_trusts, api.env.basedn),
>+                    filter=domain_filter)
>+            except errors.NotFound:
>+                pass
>+            else:
>+                # If there's an entry, it means that there's active domain
>+                # of a trust that this range belongs to, so raise a
>+                # DependentEntry error
>                 raise errors.DependentEntry(
>-                    label='Active Trust',
>+                    label='Active Trust domain',
>                     key=keys[0],
>-                    dependent=result['result'][0]['cn'][0])
>+                    dependent=trust_domains[0].dn[0].value)
>+
> 
>         return dn
> 
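
Review bot: In the added `domain_filter` assignment, `range_sid` is interpolated into the LDAP filter with `%` and no filter escaping. The value is read from the stored range entry (`old_attrs.get('ipanttrusteddomainsid')`), so it is not direct user input, but a value containing `(`, `)`, `*` or `\` would change or break the search that decides whether the deletion is refused; build the assertion through a filter-escaping helper rather than raw string formatting. Smaller points: `truncated` is unpacked but never used, `domain_filter=(` is missing the spaces around `=`, and the added blank `+` line leaves two blank lines before `return dn`.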

ACK now.


-- 
/ Alexander Bokovoy



