-rw-r--r--ipa-python/ipaerror.py5
-rw-r--r--ipa-server/xmlrpc-server/funcs.py15
2 files changed, 16 insertions, 4 deletions
diff --git a/ipa-python/ipaerror.py b/ipa-python/ipaerror.py
index 926ad4277..d96ebb1c3 100644
--- a/ipa-python/ipaerror.py
+++ b/ipa-python/ipaerror.py
@@ -237,3 +237,8 @@ STATUS_HAS_NSACCOUNTLOCK = gen_error_code(
STATUS_CATEGORY,
0x0003,
"This entry appears to have the nsAccountLock attribute in it so the Class of Service activation/inactivation will not work. You will need to remove the attribute nsAccountLock for this to work.")
+
+STATUS_NOT_GROUP_MEMBER = gen_error_code(
+ STATUS_CATEGORY,
+ 0x0004,
+ "This entry is not a member of the group.")
diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.py
index 17b6092ad..9beb609aa 100644
--- a/ipa-server/xmlrpc-server/funcs.py
+++ b/ipa-server/xmlrpc-server/funcs.py
@@ -1072,7 +1072,7 @@ class IPAServer:
group = self.get_entry_by_cn("inactivated", None, opts)
try:
self.remove_member_from_group(entry.get('dn'), group.get('dn'), opts)
- except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
+ except ipaerror.exception_for(ipaerror.STATUS_NOT_GROUP_MEMBER):
# Perhaps the user is there as a result of group membership
pass
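Review bot: Replacing the `LDAP_NOT_FOUND` handler instead of adding to it means a `LDAP_NOT_FOUND` raised by `remove_member_from_group` now propagates out of this code, which removes the entry from the "inactivated" group; before this change it was swallowed. The other callers touched by this commit (the hunks at -1471 and -1605) keep their `LDAP_NOT_FOUND` handler beside the new one, which suggests the call can still raise it. If propagating is intended here, say so in a comment such as `# LDAP_NOT_FOUND is deliberately not caught: a missing entry or group is a real error`; otherwise catch both codes. The enclosing method starts and ends outside the hunk.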
@@ -1431,16 +1431,17 @@ class IPAServer:
if new_group.get('member') is not None:
if isinstance(new_group.get('member'),basestring):
new_group['member'] = [new_group['member']]
+ for i in range(len(new_group['member'])):
+ new_group['member'][i] = ipaserver.ipaldap.IPAdmin.normalizeDN(new_group['member'][i])
try:
new_group['member'].remove(member_dn)
except ValueError:
# member is not in the group
# FIXME: raise more specific error?
- raise ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND)
+ raise ipaerror.gen_exception(ipaerror.STATUS_NOT_GROUP_MEMBER)
else:
# Nothing to do if the group has no members
- # FIXME raise SOMETHING?
- return "Success"
+ raise ipaerror.gen_exception(ipaerror.STATUS_NOT_GROUP_MEMBER)
try:
ret = self.__update_entry(old_group, new_group, opts)
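Review bot: The added loop normalizes every stored member DN before `new_group['member'].remove(member_dn)`, but nothing in the hunk shows `member_dn` going through the same `normalizeDN` call. If it is not normalized earlier in the function (which starts outside this hunk), a caller-supplied DN in a different form will raise `STATUS_NOT_GROUP_MEMBER` and the entry stays in the group. Adding `member_dn = ipaserver.ipaldap.IPAdmin.normalizeDN(member_dn)` just before the loop would make the comparison symmetric. The `# FIXME: raise more specific error?` comment is stale now that a specific error is raised and can be dropped.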
@@ -1471,6 +1472,9 @@ class IPAServer:
except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
# member_dn or the group does not exist
failed.append(member_dn)
+ except ipaerror.exception_for(ipaerror.STATUS_NOT_GROUP_MEMBER):
+ # not a member of the group
+ failed.append(member_dn)
return failed
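Review bot: The new `STATUS_NOT_GROUP_MEMBER` handler has the same body as the `LDAP_NOT_FOUND` handler above it, so the caller cannot tell from `failed` whether the DN was missing or simply not a member; the hunk at -1605 has the same shape. If the distinction does not matter, the two could be one clause, `except (ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND), ipaerror.exception_for(ipaerror.STATUS_NOT_GROUP_MEMBER)):`, assuming `exception_for` returns an exception class. If it does matter, the docstring should say that `failed` mixes both cases. The loop and the function start outside the hunk.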
@@ -1605,6 +1609,9 @@ class IPAServer:
except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
# User or the group does not exist
failed.append(group_dn)
+ except ipaerror.exception_for(ipaerror.STATUS_NOT_GROUP_MEMBER):
+ # User is not in the group
+ failed.append(group_dn)
return failed