Don't allow "ipa pwpolicy-del global_policy".

https://fedorahosted.org/freeipa/ticket/1936

Questions:

Is it possible to disallow deletion of specific objects on LDAP level instead?

The default HBAC rule, allow_all, can also be deleted - should it be disallowed too?

Honza

--
Jan Cholasta
From c2fcc3b479a1cd52da3b8e518060ced69b9e2a46 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <[email protected]>
Date: Tue, 11 Oct 2011 14:28:17 +0200
Subject: [PATCH] Disallow deletion of global password policy.

ticket 1936
---
 ipalib/plugins/pwpolicy.py |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

diff --git a/ipalib/plugins/pwpolicy.py b/ipalib/plugins/pwpolicy.py
index 79ea44d..f261de5 100644
--- a/ipalib/plugins/pwpolicy.py
+++ b/ipalib/plugins/pwpolicy.py
@@ -366,6 +366,14 @@ class pwpolicy_del(LDAPDelete):
             attribute=True, required=True, multivalue=True
         )
 
+    def pre_callback(self, ldap, dn, *keys, **options):
+        if dn.lower() == global_policy_dn.lower():
+            raise errors.ValidationError(
+                name='group',
+                error=_('cannot delete global password policy')
+            )
+        return dn
+
     def post_callback(self, ldap, dn, *keys, **options):
         try:
             self.api.Command.cosentry_del(keys[-1])
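Review bot: the guard in pre_callback compares DNs as lowercased strings (`if dn.lower() == global_policy_dn.lower():`), which only catches the exact spelling the framework produces; a DN for the same entry with different spacing or attribute-value escaping would pass the check, so compare normalized DN objects (or the RDN value, `keys[-1]`, against the global policy's name) rather than raw strings. `global_policy_dn` is referenced but not defined anywhere in the hunk, so please confirm it is an existing module-level name in pwpolicy.py. Also note that this protection lives entirely in the command layer: it stops `ipa pwpolicy-del global_policy`, but a client talking to the directory server directly can still delete the entry, which is the LDAP-level question the cover letter raises; an ACI denying delete on that entry would be the complementary control. Finally, `errors.ValidationError(name='group', ...)` reports the problem against the `group` argument, which is correct only if that is the plugin's primary-key parameter name; if not, the message will be attached to the wrong field in the client output.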
-- 
1.7.7

_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel