[Freeipa-devel] [PATCH 78] Ticket #2979 - prevent last admin from being disabled

Petr Viktorin pviktori at redhat.com
Mon Sep 3 11:53:41 UTC 2012


On 08/26/2012 07:19 PM, John Dennis wrote:
> On 08/20/2012 01:37 PM, Petr Viktorin wrote:
>> (Sorry if you're getting this twice; I didn't send it to the list)
>>
>> On 08/16/2012 08:38 PM, John Dennis wrote:
>>>
>>> --
>>> John Dennis <jdennis at redhat.com>
>>>
>>> freeipa-jdennis-0078-Ticket-2979-prevent-last-admin-from-being-disabled.patch
>>>
>>>
>>>
>>> From c47109c63530e188db76986fdda48c76bf681d10 Mon Sep 17 00:00:00 2001
>>> From: John Dennis<jdennis at redhat.com>
>>> Date: Thu, 16 Aug 2012 20:28:44 -0400
>>> Subject: [PATCH 78] Ticket #2979 - prevent last admin from being
>>> disabled
>>> Content-Type: text/plain; charset="utf-8"
>>> Content-Transfer-Encoding: 8bit
>>>
>>> We prevent the last member of the admin group from being deleted. The
>>> same check needs to be performed when disabling a user.
>>>
>>> Moved the code in del_user to a common subroutine and call it from
>>> both user_del and user_disable. Note, unlike user_del user_disable
>>> does not have a 'pre' callback therefore the check function is called
>>> in user_disable's execute routine.
>>
>> This should also prevent disabling all admins if there's more than one:
>>
>> # ipa user-add admin2 --first=a --last=b
>> -------------------
>> Added user "admin2"
>> -------------------
>> ...
>> # ipa group-add-member admins --user=admin2
>> -------------------------
>> Number of members added 1
>> -------------------------
>> # ipa user-disable admin2
>> ------------------------------
>> Disabled user account "admin2"
>> ------------------------------
>> # ipa user-disable admin
>> ------------------------------
>> Disabled user account "admin"
>> ------------------------------
>> # ipa ping
>> ipa: ERROR: Server is unwilling to perform: Account inactivated. Contact
>> system administrator.
>>
>> Also with one enabled and one disabled admin, it shouldn't be possible
>> to delete the enabled one.
>>
>>
>> Please add some tests; you can extend the ones added in commit f8e7b51.
>
> Good catch with respect to disabled users, thank you.
>
> Reworked patch attached, see patch comments.
>
>
>
>

Works well now, just the error message is incorrect: it mentions only 
deleting, not disabling.

$ ipa user-disable admin
ipa: ERROR: admin cannot be deleted because it is the last member of 
group admins



-- 
Petr³
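
A minimal model of the check this thread converges on, as an added example that is not part of the original message and is not FreeIPA code: one shared routine counts only enabled members of the admins group, is called from both disable and delete, and names the operation in its error. The `Directory` class, its methods, and the error wording are hypothetical, constructed for illustration.

```python
class LastMemberError(Exception):
    """An operation would leave the protected group with no enabled member."""


class Directory:
    """Hypothetical in-memory stand-in for the user/group store."""

    def __init__(self):
        self.enabled = {}  # uid -> True if the account is enabled
        self.groups = {}   # group name -> set of member uids

    def add_user(self, uid, groups=()):
        self.enabled[uid] = True
        for group in groups:
            self.groups.setdefault(group, set()).add(uid)

    def _check_protected_member(self, uid, operation, group="admins"):
        """Refuse `operation` if uid is the last *enabled* member of group."""
        members = self.groups.get(group, set())
        if uid not in members or not self.enabled[uid]:
            return  # not an enabled admin, so the enabled-admin count is unchanged
        others = [m for m in members if m != uid and self.enabled[m]]
        if not others:
            # Name the operation so disable does not report "deleted".
            raise LastMemberError(
                f"{uid} cannot be {operation} because it is the last "
                f"enabled member of group {group}")

    def disable_user(self, uid):
        self._check_protected_member(uid, "disabled")
        self.enabled[uid] = False

    def delete_user(self, uid):
        self._check_protected_member(uid, "deleted")
        del self.enabled[uid]
        for members in self.groups.values():
            members.discard(uid)


def replay_thread_scenario():
    """Replay the review's sequence: two admins, disable admin2, then admin."""
    d = Directory()
    d.add_user("admin", groups=["admins"])
    d.add_user("admin2", groups=["admins"])
    d.disable_user("admin2")  # allowed: admin is still enabled
    outcomes = []
    for op in (d.disable_user, d.delete_user):
        try:
            op("admin")
            outcomes.append("allowed")
        except LastMemberError as exc:
            outcomes.append(str(exc))
    return outcomes
```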