-rw-r--r-- | ipa-python/ipaerror.py | 15 | ||||
-rw-r--r-- | ipa-server/xmlrpc-server/funcs.py | 10 |
2 files changed, 25 insertions, 0 deletions
diff --git a/ipa-python/ipaerror.py b/ipa-python/ipaerror.py
index 5391b3fd4..2f9a98363 100644
--- a/ipa-python/ipaerror.py
+++ b/ipa-python/ipaerror.py
@@ -162,3 +162,18 @@ CONNECTION_UNWILLING = gen_error_code(
 CONNECTION_CATEGORY,
 0x0004,
 "Account inactivated. Server is unwilling to perform.")
+
+#
+# Configuration errors
+#
+CONFIGURATION_CATEGORY = 0x0004
+
+CONFIG_REQUIRED_GROUPS = gen_error_code(
+ CONFIGURATION_CATEGORY,
+ 0x0001,
+ "The admins and editors groups are required.")
+
+CONFIG_DEFAULT_GROUP = gen_error_code(
+ CONFIGURATION_CATEGORY,
+ 0x0002,
+ "You cannot remove the default users group.")
diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.py
index eb87ed065..4741da10d 100644
--- a/ipa-server/xmlrpc-server/funcs.py
+++ b/ipa-server/xmlrpc-server/funcs.py
@@ -1201,6 +1201,16 @@ class IPAServer:
 if group is None:
 raise ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND)
 
+ # We have 2 special groups, don't allow them to be removed
+ if "admins" in group.get('cn') or "editors" in group.get('cn'):
+ raise ipaerror.gen_exception(ipaerror.CONFIG_REQUIRED_GROUPS)
+
+ # Don't allow the default user group to be removed
+ config=self.get_ipa_config(opts)
+ default_group = self.get_entry_by_cn(config.get('ipadefaultprimarygroup'), None, opts)
+ if group_dn == default_group.get('dn'):
+ raise ipaerror.gen_exception(ipaerror.CONFIG_DEFAULT_GROUP)
+
 conn = self.getConnection(opts)
 try:
 res = conn.deleteEntry(group_dn) |
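Review bot: In the funcs.py hunk, the default-group guard `if group_dn == default_group.get('dn'):` is an exact string comparison, while LDAP matches DNs without regard to case or insignificant spacing, so a `group_dn` that is spelled differently from the stored DN would presumably pass the guard and still be removed by `conn.deleteEntry(group_dn)`. Comparing the DN of the entry that was actually looked up, normalised on both sides, closes that gap: `if group.get('dn').lower() == default_group.get('dn').lower():`. The required-groups guard `"admins" in group.get('cn')` is a substring test if `cn` comes back as a plain string, so a group such as `sysadmins` would be refused as well, and it raises TypeError when `cn` is absent; an exact match against the normalised value(s) is safer. `default_group` is also dereferenced without handling the case where `ipadefaultprimarygroup` is unset or names a group that no longer exists. The enclosing method starts and ends outside the hunk, so how `group_dn` reaches this code is not visible here.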