From b68ce0313c9ff31354d2be621079522886f556e3 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 8 Nov 2011 17:04:26 -0500
Subject: Don't allow default objectclass list to be empty.

https://fedorahosted.org/freeipa/ticket/1945
---
 ipalib/plugins/config.py | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'ipalib')

diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index 9bed5d823..332eea104 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -220,6 +220,9 @@ class config_mod(LDAPUpdate):
         for (attr, obj) in (('ipauserobjectclasses', 'user'),
                             ('ipagroupobjectclasses', 'group')):
             if attr in entry_attrs:
+                if not entry_attrs[attr]:
+                    raise errors.ValidationError(name=attr,
+                        error=_('May not be empty'))
                 objectclasses = list(set(entry_attrs[attr] \
                                          + self.api.Object[obj].possible_objectclasses))
                 new_allowed_attrs = ldap.get_allowed_attributes(objectclasses,
-- 
cgit