idviews: Remove ID overrides for permanently removed users and groups

For IPA users and groups we are able to trigger a removal of any relevant ID overrides in user-del and group-del commands. https://fedorahosted.org/freeipa/ticket/5026 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
author: Tomas Babej <tbabej@redhat.com> 2015-05-27 16:30:48 +0200
committer: Tomas Babej <tbabej@redhat.com> 2015-07-01 13:06:40 +0200
commit: e21dad4e1c37bc171a4bc6095a8c9bdd2cc53f5c (patch)
tree: 0a57e879fc6e558135a75b1aeb1bf49814e11065 /ipalib/plugins/user.py
parent: 77b64e60231492b7c009a32bcf0cbdcd5ef9922a (diff)
download: freeipa-e21dad4e1c37bc171a4bc6095a8c9bdd2cc53f5c.tar.gz
freeipa-e21dad4e1c37bc171a4bc6095a8c9bdd2cc53f5c.tar.xz
freeipa-e21dad4e1c37bc171a4bc6095a8c9bdd2cc53f5c.zip
1 files changed, 10 insertions, 5 deletions
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index d2404e2ed..0b90519b2 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -31,6 +31,7 @@ from ipalib.plugins.baseuser import baseuser, baseuser_add, baseuser_del, \
     status_baseuser_output_params, baseuser_pwdchars, \
     validate_nsaccountlock, radius_dn2pk, convert_nsaccountlock, split_principal, validate_principal, \
     normalize_principal, fix_addressbook_permission_bindrule
+from ipalib.plugins.idviews import remove_ipaobject_overrides
 from ipalib.plugable import Registry
 from ipalib.plugins.baseldap import *
 from ipalib.plugins import baseldap
@@ -620,11 +621,15 @@ class user_del(baseuser_del):
 
         dn = self.obj.get_dn(*keys, **options)
 
-        if (not options.get('preserve', True) or
-                dn.endswith(DN(self.obj.delete_container_dn,
-                               self.api.env.basedn))):
-            # We are going to permanent delete or the user is already in the delete container.
-            # So we issue a true DEL on that entry
+        # We are going to permanent delete or the user is already in the delete container.
+        delete_container = DN(self.obj.delete_container_dn, self.api.env.basedn)
+        user_from_delete_container = dn.endswith(delete_container)
+
+        if not options.get('preserve', True) or user_from_delete_container:
+            # Remove any ID overrides tied with this user
+            remove_ipaobject_overrides(self.obj.backend, self.obj.api, dn)
+
+            # Issue a true DEL on that entry
             return super(user_del, self).execute(*keys, **options)
 
         # The user to delete is active and there is no 'no_preserve' option
author	Tomas Babej <tbabej@redhat.com>	2015-05-27 16:30:48 +0200
committer	Tomas Babej <tbabej@redhat.com>	2015-07-01 13:06:40 +0200
commit	e21dad4e1c37bc171a4bc6095a8c9bdd2cc53f5c (patch)
tree	0a57e879fc6e558135a75b1aeb1bf49814e11065 /ipalib/plugins/user.py
parent	77b64e60231492b7c009a32bcf0cbdcd5ef9922a (diff)
download	freeipa-e21dad4e1c37bc171a4bc6095a8c9bdd2cc53f5c.tar.gz freeipa-e21dad4e1c37bc171a4bc6095a8c9bdd2cc53f5c.tar.xz freeipa-e21dad4e1c37bc171a4bc6095a8c9bdd2cc53f5c.zip