Add check to prevent removal of last KRA

https://pagure.io/freeipa/issue/6538 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2025-02-25 18:55:28 -06:00 · 2017-03-08 09:58:38 +01:00
parent fe4489ede2
commit 670f8fb1db
1 changed files with 13 additions and 0 deletions
--- a/ipaserver/plugins/server.py
+++ b/ipaserver/plugins/server.py
@@ -494,6 +494,19 @@ class server_del(LDAPDelete):
                      "without a DNS."), ignore_last_of_role)

        if self.api.Command.ca_is_enabled()['result']:
+            try:
+                vault_config = self.api.Command.vaultconfig_show()['result']
+                kra_servers = vault_config.get('kra_server_server', [])
+            except errors.InvocationError:
+                # KRA is not configured
+                pass
+            else:
+                if kra_servers == [hostname]:
+                    handler(
+                        _("Deleting this server is not allowed as it would "
+                          "leave your installation without a KRA."),
+                        ignore_last_of_role)
+
            ca_servers = ipa_config.get('ca_server_server', [])
            ca_renewal_master = ipa_config.get(
                'ca_renewal_master_server', [])