author | Rob Crittenden <rcritten@redhat.com> | 2012-03-19 10:16:49 -0400 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2012-03-19 16:09:09 +0100 |
commit | 35521ad6bb92057d5faefa2059d7d800bebb1af0 (patch) | |
tree | a9a0473fbb2eefada28c6a0adba5004afff82dae /ipalib/plugins/service.py | |
parent | 95df14634663f5ef57875b8ce1e54ca14c111a75 (diff) | |
Don't allow hosts and services of IPA masters to be disabled.
https://fedorahosted.org/freeipa/ticket/2487
Diffstat (limited to 'ipalib/plugins/service.py')
-rw-r--r-- | ipalib/plugins/service.py | 22 |
1 files changed, 16 insertions, 6 deletions
diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py
index e75d71f03..7c563b306 100644
--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
@@ -200,6 +200,18 @@ def set_certificate_attrs(entry_attrs):
 entry_attrs['md5_fingerprint'] = unicode(nss.data_to_hex(nss.md5_digest(cert.der_data), 64)[0])
 entry_attrs['sha1_fingerprint'] = unicode(nss.data_to_hex(nss.sha1_digest(cert.der_data), 64)[0])
+def check_required_principal(ldap, hostname, service):
+ """
+ Raise an error if the host of this prinicipal is an IPA master and one
+ of the principals required for proper execution.
+ """
+ try:
+ host_is_master(ldap, hostname)
+ except errors.ValidationError, e:
+ service_types = ['HTTP', 'ldap', 'DNS' 'dogtagldap']
+ if service in service_types:
+ raise errors.ValidationError(name='principal', error=_('This principal is required by the IPA master'))
+
 class service(LDAPObject):
 """
 Service object.
@@ -296,12 +308,7 @@ class service_del(LDAPDelete):
 # deleted. This is a limited few though. If the user has their own
 # custom services allow them to manage them.
 (service, hostname, realm) = split_principal(keys[-1])
- try:
- host_is_master(ldap, hostname)
- except errors.ValidationError, e:
- service_types = ['HTTP', 'ldap', 'DNS' 'dogtagldap']
- if service in service_types:
- raise errors.ValidationError(name='principal', error=_('This principal is required by the IPA master'))
+ check_required_principal(ldap, hostname, service)
 if self.api.env.enable_ra:
 (dn, entry_attrs) = ldap.get_entry(dn, ['usercertificate'])
 cert = entry_attrs.get('usercertificate')
@@ -465,6 +472,9 @@ class service_disable(LDAPQuery):
 dn = self.obj.get_dn(*keys, **options)
 (dn, entry_attrs) = ldap.get_entry(dn, ['usercertificate'])
+ (service, hostname, realm) = split_principal(keys[-1])
+ check_required_principal(ldap, hostname, service)
+
 # See if we do any work at all here and if not raise an exception
 done_work = False |
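Review bot: The list literal in `check_required_principal` is missing a comma between `'DNS'` and `'dogtagldap'`, so Python joins them into the single string `'DNSdogtagldap'` and neither the DNS nor the dogtagldap principal of a master is matched by `service in service_types`. The same literal is in the lines removed from `service_del`, so the gap is carried into the shared helper and now also applies to the new call in `service_disable`. It should read `service_types = ['HTTP', 'ldap', 'DNS', 'dogtagldap']`. The helper also appears to rely on `host_is_master` raising `ValidationError` when the host is a master; a short comment saying so, and dropping the unused `, e`, would make the inverted control flow easier to audit. The docstring spells "principal" as `prinicipal`.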
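Review bot: The guard added in the `service_disable` hunk has no comment, while the matching call in `service_del` sits under one explaining that only a few master-owned services are blocked and custom ones stay manageable. I would add `# Principals required by an IPA master must not be disabled; custom services are unaffected.` above the `split_principal` line. `realm` is unpacked there but never used in the visible lines. The enclosing method starts and ends outside the hunk, so whether anything earlier in it already changes state before this check runs cannot be confirmed from here.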