Diffstat (limited to 'ipalib')
-rw-r--r--ipalib/errors.py6
-rw-r--r--ipalib/plugins/user.py27
2 files changed, 24 insertions, 9 deletions
diff --git a/ipalib/errors.py b/ipalib/errors.py
index c25560b8..1bff2acb 100644
--- a/ipalib/errors.py
+++ b/ipalib/errors.py
@@ -1627,18 +1627,18 @@ class DependentEntry(ExecutionError):
class LastMemberError(ExecutionError):
"""
- **4308** Raised when an entry being deleted is last member of a protected group
+ **4308** Raised when an entry being deleted or disabled is last member of a protected group
For example:
>>> raise LastMemberError(key=u'admin', label=u'group', container=u'admins')
Traceback (most recent call last):
...
- LastMemberError: admin cannot be deleted because it is the last member of group admins
+ LastMemberError: admin cannot be deleted or disabled because it is the last member of group admins
"""
errno = 4308
- format = _('%(key)s cannot be deleted because it is the last member of %(label)s %(container)s')
+ format = _('%(key)s cannot be deleted or disabled because it is the last member of %(label)s %(container)s')
class ProtectedEntryError(ExecutionError):
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 6a7f53fd..c024e855 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -166,6 +166,24 @@ def normalize_principal(principal):
return unicode('%s@%s' % (user, realm))
+def check_protected_member(user, protected_group_name=u'admins'):
+ '''
+ Ensure the last enabled member of a protected group cannot be deleted or
+ disabled by raising LastMemberError.
+ '''
+
+ # Get all users in the protected group
+ result = api.Command.user_find(in_group=protected_group_name)
+
+ # Build list of users in the protected group who are enabled
+ result = result['result']
+ enabled_users = [entry['uid'][0] for entry in result if not entry['nsaccountlock']]
+
+ # If the user is the last enabled user raise LastMemberError exception
+ if enabled_users == [user]:
+ raise errors.LastMemberError(key=user, label=_(u'group'),
+ container=protected_group_name)
+
class user(LDAPObject):
"""
User object.
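Review bot: The guard in check_protected_member only raises when `enabled_users` is exactly `[user]`, so any condition that leaves the target out of the user_find result lets the last enabled admin be deleted or disabled; in particular, if user_find honours a search size limit and returns a truncated result for a large admins group, the list may be empty or miss the target and the check silently passes. Consider requesting an unlimited result (something like `api.Command.user_find(in_group=protected_group_name, sizelimit=0)`, if that option is supported by this user_find) and treating a truncated result as a refusal rather than as permission. The read-then-act sequence is also not atomic: two concurrent user_del or user_disable calls against the two remaining enabled admins can each observe the other as still enabled, which applies equally to the call sites in the user_del and user_disable hunks below; a comment such as `# NOTE: best-effort check, not atomic with the delete/disable that follows` would make that limitation explicit. Finally, `entry['nsaccountlock']` is indexed without a default, which is only safe if user_find always populates that key for every entry; `entry.get('nsaccountlock', False)` avoids a KeyError turning into an unrelated failure if it does not.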
@@ -550,11 +568,7 @@ class user_del(LDAPDelete):
def pre_callback(self, ldap, dn, *keys, **options):
assert isinstance(dn, DN)
- protected_group_name = u'admins'
- result = api.Command.group_show(protected_group_name)
- if result['result'].get('member_user', []) == [keys[-1]]:
- raise errors.LastMemberError(key=keys[-1], label=_(u'group'),
- container=protected_group_name)
+ check_protected_member(keys[-1])
return dn
api.register(user_del)
@@ -686,8 +700,9 @@ class user_disable(LDAPQuery):
def execute(self, *keys, **options):
ldap = self.obj.backend
- dn = self.obj.get_dn(*keys, **options)
+ check_protected_member(keys[-1])
+ dn = self.obj.get_dn(*keys, **options)
ldap.deactivate_entry(dn)
return dict(