From ac5a35086ec2c57ca36a6b746734add51cdb74dd Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Apr 04 2008 21:41:32 +0000
Subject: Don't allow the admin user to be removed from the admins group. 439281

---

diff --git a/ipa-python/ipaerror.py b/ipa-python/ipaerror.py
index d96ebb1..4f641f9 100644
--- a/ipa-python/ipaerror.py
+++ b/ipa-python/ipaerror.py
@@ -173,6 +173,11 @@ INPUT_CANT_INACTIVATE = gen_error_code(
     0x0008,
     "This entry cannot be inactivated.")
 
+INPUT_ADMIN_REQUIRED_IN_ADMINS = gen_error_code(
+    INPUT_CATEGORY,
+    0x0009,
+    "The admin user cannot be removed from the admins group.")
+
 #
 # Connection errors
 #
diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.py
index 9beb609..b28030c 100644
--- a/ipa-server/xmlrpc-server/funcs.py
+++ b/ipa-server/xmlrpc-server/funcs.py
@@ -1426,6 +1426,10 @@ class IPAServer:
         old_group = self.get_entry_by_dn(group_dn, None, opts)
         if old_group is None:
             raise ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND)
+        if old_group.get('cn') == "admins":
+            member = self.get_entry_by_dn(member_dn, ['dn','uid'], opts)
+            if member.get('uid') == "admin":
+                raise ipaerror.gen_exception(ipaerror.INPUT_ADMIN_REQUIRED_IN_ADMINS)
 
         new_group = copy.deepcopy(old_group)
         if new_group.get('member') is not None:
@@ -1475,6 +1479,9 @@ class IPAServer:
             except ipaerror.exception_for(ipaerror.STATUS_NOT_GROUP_MEMBER):
                 # not a member of the group
                 failed.append(member_dn)
+            except ipaerror.exception_for(ipaerror.INPUT_ADMIN_REQUIRED_IN_ADMINS):
+                # Can't remove admin from admins group
+                failed.append(member_dn)
 
         return failed
 
@@ -1612,6 +1619,9 @@ class IPAServer:
             except ipaerror.exception_for(ipaerror.STATUS_NOT_GROUP_MEMBER):
                 # User is not in the group
                 failed.append(group_dn)
+            except ipaerror.exception_for(ipaerror.INPUT_ADMIN_REQUIRED_IN_ADMINS):
+                # Can't remove admin from admins group
+                failed.append(member_dn)
 
         return failed
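Review bot: In the -1426 hunk `member` is dereferenced without a None check: the line just above tests `old_group is None`, so `get_entry_by_dn` evidently can return None, and a removal naming a member DN that no longer exists would raise AttributeError on `member.get('uid')` instead of a clean IPA error. Add `if member is None: raise ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND)` before the uid test. The comparisons `old_group.get('cn') == "admins"` and `member.get('uid') == "admin"` also assume single string values; if the entry dict can hold multi-valued attributes as lists (not visible here), the guard quietly evaluates False and the protection is skipped, so normalizing to one value before comparing would be safer. This check is enforced only in this server-side code path; whether an equivalent LDAP-level rule backs it cannot be seen from the hunk. The enclosing method starts and ends outside the hunk.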
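Review bot: The new except clause in the -1612 hunk appends `member_dn` to `failed`, while the sibling STATUS_NOT_GROUP_MEMBER clause two lines above appends `group_dn`; that loop evidently reports failures per group, so the caller would receive the user's DN where it expects a group DN. Change it to `failed.append(group_dn)`. The same handler in the -1475 hunk correctly appends `member_dn`, because there the sibling clause reports per member. The enclosing method starts and ends outside the hunk.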