From 37e3bf2a6096ea18f46501bf5f2a51c55e829595 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 1 Jul 2011 10:41:42 -0400
Subject: Disallow direct modifications to enrolledBy.

This fixes a regression.

We don't need to allow enrolledBy to be modified because it gets
written in the ipa_enrollment plugin which does internal operations
so bypasses acis.

https://fedorahosted.org/freeipa/ticket/302
---
 ipaserver/install/ldapupdate.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'ipaserver')

diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py
index 2d9c473d2..9a34cf326 100644
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@@ -483,9 +483,9 @@ class LDAPUpdate:
                     # skip this update type, it occurs in  __delete_entries()
                     return None
                 elif utype == 'replace':
-                    # v has the format "old: new"
+                    # v has the format "old:: new"
                     try:
-                        (old, new) = v.split(':', 1)
+                        (old, new) = v.split('::', 1)
                     except ValueError:
                         raise BadSyntax, "bad syntax in replace, needs to be in the format old: new in %s" % v
                     try:
-- 
cgit