-rw-r--r--ipa-python/ipaerror.py5
-rw-r--r--ipa-server/xmlrpc-server/funcs.py10
2 files changed, 15 insertions, 0 deletions
diff --git a/ipa-python/ipaerror.py b/ipa-python/ipaerror.py
index d96ebb1c3..4f641f984 100644
--- a/ipa-python/ipaerror.py
+++ b/ipa-python/ipaerror.py
@@ -173,6 +173,11 @@ INPUT_CANT_INACTIVATE = gen_error_code(
0x0008,
"This entry cannot be inactivated.")
+INPUT_ADMIN_REQUIRED_IN_ADMINS = gen_error_code(
+ INPUT_CATEGORY,
+ 0x0009,
+ "The admin user cannot be removed from the admins group.")
+
#
# Connection errors
#
diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.py
index 9beb609aa..b28030c78 100644
--- a/ipa-server/xmlrpc-server/funcs.py
+++ b/ipa-server/xmlrpc-server/funcs.py
@@ -1426,6 +1426,10 @@ class IPAServer:
old_group = self.get_entry_by_dn(group_dn, None, opts)
if old_group is None:
raise ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND)
+ if old_group.get('cn') == "admins":
+ member = self.get_entry_by_dn(member_dn, ['dn','uid'], opts)
+ if member.get('uid') == "admin":
+ raise ipaerror.gen_exception(ipaerror.INPUT_ADMIN_REQUIRED_IN_ADMINS)
new_group = copy.deepcopy(old_group)
if new_group.get('member') is not None:
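Review bot: `member` is dereferenced on the line after the admins check without a None guard, while `old_group` three lines earlier is explicitly tested against None, so a member DN that does not resolve would surface as an AttributeError rather than the LDAP_NOT_FOUND exception the surrounding code raises; `if member is not None and member.get('uid') == "admin":` keeps the error path consistent. The comparisons `old_group.get('cn') == "admins"` and `member.get('uid') == "admin"` are exact-case string matches against whatever get_entry_by_dn returns; if those attributes can come back as lists or with different casing (LDAP attribute values are often case-insensitive), the protection would not trigger, so it is worth confirming the returned shape and normalising before comparing. The enclosing method starts before this hunk.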
@@ -1475,6 +1479,9 @@ class IPAServer:
except ipaerror.exception_for(ipaerror.STATUS_NOT_GROUP_MEMBER):
# not a member of the group
failed.append(member_dn)
+ except ipaerror.exception_for(ipaerror.INPUT_ADMIN_REQUIRED_IN_ADMINS):
+ # Can't remove admin from admins group
+ failed.append(member_dn)
return failed
@@ -1612,6 +1619,9 @@ class IPAServer:
except ipaerror.exception_for(ipaerror.STATUS_NOT_GROUP_MEMBER):
# User is not in the group
failed.append(group_dn)
+ except ipaerror.exception_for(ipaerror.INPUT_ADMIN_REQUIRED_IN_ADMINS):
+ # Can't remove admin from admins group
+ failed.append(member_dn)
return failed
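Review bot: The new except branch appends `member_dn` to `failed`, but the sibling STATUS_NOT_GROUP_MEMBER branch directly above it appends `group_dn`, so this method reports failures per group and the new line looks copy-pasted from the previous hunk; it should read `failed.append(group_dn)`. As written, the caller gets the user's own DN back in the failed list instead of the group the user could not be removed from, which makes the result misleading for whoever acts on it. The enclosing method starts before this hunk.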