Don't allow the IPA server service principals to be removed.

440282
2025-02-25 18:55:28 -06:00 · 2008-04-25 17:01:31 -04:00
parent 2bb64e404c
commit 24f43bc846
2 changed files with 8 additions and 0 deletions
--- a/ipa-python/ipaerror.py
+++ b/ipa-python/ipaerror.py
@@ -178,6 +178,11 @@ INPUT_ADMIN_REQUIRED_IN_ADMINS = gen_error_code(
        0x0009,
        "The admin user cannot be removed from the admins group.")

+INPUT_SERVICE_PRINCIPAL_REQUIRED = gen_error_code(
+        INPUT_CATEGORY,
+        0x000A,
+        "You cannot remove IPA server service principals.")
+
 #
 # Connection errors
 #
--- a/ipa-server/xmlrpc-server/funcs.py
+++ b/ipa-server/xmlrpc-server/funcs.py
@@ -1974,6 +1974,9 @@ class IPAServer:
        entry = self.get_entry_by_dn(principal, ['dn', 'objectclass'], opts)
        if entry is None:
            raise ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND)
+        dn_list = ldap.explode_dn(entry['dn'].lower())
+        if "cn=kerberos" in dn_list:
+            raise ipaerror.gen_exception(ipaerror.INPUT_SERVICE_PRINCIPAL_REQUIRED)

        conn = self.getConnection(opts)
        try: