From 061f7ff331531fa01801fb597feed924de6a2fd7 Mon Sep 17 00:00:00 2001
From: Martin Kosek
Date: Thu, 16 Oct 2014 12:40:24 +0200
Subject: Raise better error message for permission added to generated tree
https://fedorahosted.org/freeipa/ticket/4523
Reviewed-By: Thierry bordaz (tbordaz)
---
 ipalib/plugins/permission.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
(limited to 'ipalib/plugins/permission.py')
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index 9028f0248..43481b9eb 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -972,7 +972,7 @@ class permission_add(baseldap.LDAPCreate):
 def post_callback(self, ldap, dn, entry, *keys, **options):
 try:
 self.obj.add_aci(entry)
- except Exception:
+ except Exception, e:
 # Adding the ACI failed.
 # We want to be 100% sure the ACI is not there, so try to
 # remove it. (This is a no-op if the ACI was not added.)
@@ -988,6 +988,13 @@ class permission_add(baseldap.LDAPCreate):
 self.api.Backend['ldap2'].delete_entry(entry)
 except errors.NotFound:
 pass
+ if isinstance(e, errors.NotFound):
+ # add_aci may raise NotFound if the subtree is only virtual
+ # like cn=compat,SUFFIX and thus passes the LDAP get entry test
+ location = DN(entry.single_value['ipapermlocation'])
+ raise errors.ValidationError(
+ name='ipapermlocation',
+ error=_('Cannot store permission ACI to %s') % location)
 # Re-raise original exception
 raise
 self.obj.postprocess_result(entry, options)
-- cgit
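Review bot: `except Exception, e:` in post_callback is the Python 2-only spelling of the binding; `except Exception as e:` behaves the same on Python 2.6 and later and also parses on Python 3, so I would write it that way. The handler body runs past the end of this hunk, and the bound name is only read by the `isinstance` check added in the next hunk.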
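Review bot: The added `isinstance(e, errors.NotFound)` branch turns every NotFound raised by `add_aci` into a ValidationError on `ipapermlocation` and drops the original exception without recording it. A NotFound with a different cause would therefore reach the caller as a misleading location error, with nothing left in the logs to trace it. `add_aci` is not visible here, so whether it can raise NotFound for other reasons needs confirming. I would record the original before translating it, e.g. `self.log.debug('add_aci raised NotFound for %s: %s', location, e)` placed just before the `raise errors.ValidationError(` line, assuming the plugin's usual logger is available in this class. The except block this branch sits in begins before the hunk, and the cleanup steps between the two hunks are not shown.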