From 24f43bc8467f1ded94aec03e00f05138de563ee8 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 25 Apr 2008 17:01:31 -0400
Subject: Don't allow the IPA server service principals to be removed.

440282
---
 ipa-server/xmlrpc-server/funcs.py | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'ipa-server')

diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.py
index 74a3030c8..d83fed09e 100644
--- a/ipa-server/xmlrpc-server/funcs.py
+++ b/ipa-server/xmlrpc-server/funcs.py
@@ -1974,6 +1974,9 @@ class IPAServer:
         entry = self.get_entry_by_dn(principal, ['dn', 'objectclass'], opts)
         if entry is None:
             raise ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND)
+        dn_list = ldap.explode_dn(entry['dn'].lower())
+        if "cn=kerberos" in dn_list:
+            raise ipaerror.gen_exception(ipaerror.INPUT_SERVICE_PRINCIPAL_REQUIRED)
 
         conn = self.getConnection(opts)
         try:
-- 
cgit