[Freeipa-devel] [PATCH 0157] Prohibit deletion of active subdomain range
Alexander Bokovoy
abokovoy at redhat.com
Thu Mar 13 16:11:08 UTC 2014
On Thu, 13 Mar 2014, Tomas Babej wrote:
>>>
>>> Tomas, could you please change the code correspondingly?
>> Sure. Here is the updated patch.
>>
>Slightly improved patch with better control flow. Thanks for the reviews.
>
>--
>Tomas Babej
>Associate Software Engeneer | Red Hat | Identity Management
>RHCE | Brno Site | IRC: tbabej | freeipa.org
>
>From 31362721d8477fc6c44341edd34c3335d881613d Mon Sep 17 00:00:00 2001
>From: Tomas Babej <tbabej at redhat.com>
>Date: Thu, 13 Mar 2014 12:36:17 +0100
>Subject: [PATCH] Prohibit deletion of active subdomain range
>
>Changes the code in the idrange_del method to not only check for
>the root domains that match the SID in the IDRange, but for the
>SIDs of subdomains of trusts as well.
>
>https://fedorahosted.org/freeipa/ticket/4247
>---
> ipalib/plugins/idrange.py | 20 ++++++++++++++++----
> 1 file changed, 16 insertions(+), 4 deletions(-)
>
>diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
>index 3a92d9898cc03f517b0f2bb75093eeb741cff646..91d8525dbc0c5a294e3d2782c58ef14af2d5a972 100644
>--- a/ipalib/plugins/idrange.py
>+++ b/ipalib/plugins/idrange.py
>@@ -567,14 +567,26 @@ class idrange_del(LDAPDelete):
> range_sid = old_attrs.get('ipanttrusteddomainsid')
>
> if range_sid is not None:
>+ # Search for trusted domain with SID specified in the ID range entry
> range_sid = range_sid[0]
>- result = api.Command['trust_find'](ipanttrusteddomainsid=range_sid)
>+ domain_filter=('(&(objectclass=ipaNTTrustedDomain)'
>+ '(ipanttrusteddomainsid=%s))' % range_sid)
>
>- if result['count'] > 0:
>+ try:
>+ (trust_domains, truncated) = ldap.find_entries(
>+ base_dn=DN(api.env.container_trusts, api.env.basedn),
>+ filter=domain_filter)
>+ except errors.NotFound:
>+ pass
>+ else:
>+ # If there's an entry, it means that there's active domain
>+ # of a trust that this range belongs to, so raise a
>+ # DependentEntry error
> raise errors.DependentEntry(
>- label='Active Trust',
>+ label='Active Trust domain',
> key=keys[0],
>- dependent=result['result'][0]['cn'][0])
>+ dependent=trust_domains[0].dn[0].value)
>+
>
> return dn
>
ACK now.
--
/ Alexander Bokovoy
More information about the Freeipa-devel
mailing list