From e08f7a9ef3df3c345b4c066f974608ad32b57571 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Wed, 18 Mar 2020 15:20:36 +0100 Subject: [PATCH] idviews: prevent applying to a master Custom IDViews should not be applied to IPA master nodes. Add a check enforcing this rule in idview_apply command. Fixes: https://pagure.io/freeipa/issue/5662 Signed-off-by: Florence Blanc-Renaud Reviewed-By: Christian Heimes --- ipaserver/plugins/idviews.py | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/ipaserver/plugins/idviews.py b/ipaserver/plugins/idviews.py index 52134860a..018c1f605 100644 --- a/ipaserver/plugins/idviews.py +++ b/ipaserver/plugins/idviews.py @@ -26,6 +26,7 @@ from .baseldap import (LDAPQuery, LDAPObject, LDAPCreate, LDAPAddAttributeViaOption, LDAPRemoveAttributeViaOption, LDAPRetrieve, global_output_params, + host_is_master, add_missing_object_class) from .hostgroup import get_complete_hostgroup_member_list from ipalib import ( @@ -360,6 +361,16 @@ class baseidview_apply(LDAPQuery): for host in hosts_to_apply: try: + # Check that the host is not a master + # IDView must not be applied to masters + try: + host_is_master(ldap, host) + except errors.ValidationError: + failed['host'].append( + (host, + unicode(_("ID View cannot be applied to IPA master"))) + ) + continue host_dn = api.Object['host'].get_dn_if_exists(host) host_entry = ldap.get_entry(host_dn,
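Review bot: The master guard in the `for host in hosts_to_apply:` loop is evaluated on the caller-supplied `host` string, before `api.Object['host'].get_dn_if_exists(host)` resolves it to an entry. Neither helper's body is visible here, so this is inferred, but if the host lookup accepts name forms that `host_is_master` does not match, the guard and the entry that is later modified can disagree and a master would still receive the view. Running the check on the resolved name closes that gap: resolve first, then call `host_is_master(ldap, host_dn[0].value)`. The patch also carries no test; one that applies a view to a master under each name form the command accepts would pin the rule, which by the commit message is enforced only in `idview_apply`. The enclosing `try:` and the rest of the method lie outside the hunk.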