authorRob Crittenden <rcritten@redhat.com>2010-10-26 14:31:00 -0400
committerRob Crittenden <rcritten@redhat.com>2010-10-28 17:36:05 -0400
commit7486ead6c910d13ae4d7cbae6fae738ce2bf47eb (patch)
tree32ce7ca9a1407e5506e965f1c85b8b9b07047b18 /ipalib
parentc1dfb50ee9be266e3448ad53acd8a6464938c604 (diff)
Don't allow managed groups to have group password policy.
UPG cannot have members and we use memberOf in class of service to determine which policy to apply. ticket 160
Diffstat (limited to 'ipalib')
-rw-r--r--ipalib/errors.py15
-rw-r--r--ipalib/plugins/pwpolicy.py5
2 files changed, 19 insertions, 1 deletions
diff --git a/ipalib/errors.py b/ipalib/errors.py
index bce433d2a..79ce42dac 100644
--- a/ipalib/errors.py
+++ b/ipalib/errors.py
@@ -1095,6 +1095,21 @@ class ManagedGroupError(ExecutionError):
errno = 4020
format = _('Deleting a managed group is not allowed. It must be detached first.')
+class ManagedPolicyError(ExecutionError):
+ """
+ **4021** Raised when password policy is assigned to a managed group
+
+ For example:
+
+ >>> raise ManagedPolicyError()
+ Traceback (most recent call last):
+ ...
+ ManagedPolicyError: A managed group cannot have a password policy.
+ """
+
+ errno = 4021
+ format = _('A managed group cannot have a password policy.')
+
class BuiltinError(ExecutionError):
"""
**4100** Base class for builtin execution errors (*4100 - 4199*).
diff --git a/ipalib/plugins/pwpolicy.py b/ipalib/plugins/pwpolicy.py
index 5e81631f4..893473611 100644
--- a/ipalib/plugins/pwpolicy.py
+++ b/ipalib/plugins/pwpolicy.py
@@ -115,7 +115,10 @@ class cosentry_add(LDAPCreate):
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
# check for existence of the group
- self.api.Command.group_show(keys[-1])
+ result = self.api.Command.group_show(keys[-1], all=True)['result']
+ oc = map(lambda x:x.lower(),result['objectclass'])
+ if 'mepmanagedentry' in oc:
+ raise errors.ManagedPolicyError()
self.obj.check_priority_uniqueness(*keys, **options)
del entry_attrs['cn']
return dn
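Review bot: The new managed-group guard in `pre_callback` has no comment saying why a managed group must be rejected, so a later refactor could drop it as redundant next to the existence check. A line such as `# managed (user-private) groups have no members and COS selects the policy via memberOf, so a policy here could never apply` above the `if` would record the intent from the commit message. The guard is only visible on the add path in this hunk; if any other command can bind a policy to a group, it would need the same check, which cannot be confirmed from here. As a style point, `oc = [x.lower() for x in result['objectclass']]` reads more directly than `map` with a lambda and is always a list.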