diff options
| -rw-r--r-- | ipa-python/ipaerror.py | 5 | ||||
| -rw-r--r-- | ipa-server/xmlrpc-server/funcs.py | 10 |
2 files changed, 15 insertions, 0 deletions
diff --git a/ipa-python/ipaerror.py b/ipa-python/ipaerror.py index d96ebb1c3..4f641f984 100644 --- a/ipa-python/ipaerror.py +++ b/ipa-python/ipaerror.py @@ -173,6 +173,11 @@ INPUT_CANT_INACTIVATE = gen_error_code( 0x0008, "This entry cannot be inactivated.") +INPUT_ADMIN_REQUIRED_IN_ADMINS = gen_error_code( + INPUT_CATEGORY, + 0x0009, + "The admin user cannot be removed from the admins group.") + # # Connection errors # diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.py index 9beb609aa..b28030c78 100644 --- a/ipa-server/xmlrpc-server/funcs.py +++ b/ipa-server/xmlrpc-server/funcs.py @@ -1426,6 +1426,10 @@ class IPAServer: old_group = self.get_entry_by_dn(group_dn, None, opts) if old_group is None: raise ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND) + if old_group.get('cn') == "admins": + member = self.get_entry_by_dn(member_dn, ['dn','uid'], opts) + if member.get('uid') == "admin": + raise ipaerror.gen_exception(ipaerror.INPUT_ADMIN_REQUIRED_IN_ADMINS) new_group = copy.deepcopy(old_group) if new_group.get('member') is not None: @@ -1475,6 +1479,9 @@ class IPAServer: except ipaerror.exception_for(ipaerror.STATUS_NOT_GROUP_MEMBER): # not a member of the group failed.append(member_dn) + except ipaerror.exception_for(ipaerror.INPUT_ADMIN_REQUIRED_IN_ADMINS): + # Can't remove admin from admins group + failed.append(member_dn) return failed @@ -1612,6 +1619,9 @@ class IPAServer: except ipaerror.exception_for(ipaerror.STATUS_NOT_GROUP_MEMBER): # User is not in the group failed.append(group_dn) + except ipaerror.exception_for(ipaerror.INPUT_ADMIN_REQUIRED_IN_ADMINS): + # Can't remove admin from admins group + failed.append(member_dn) return failed |