[Freeipa-devel] [PATCH] 0137 ipasam: remove child domains before removing trust

Sumit Bose sbose at redhat.com
Tue Jan 21 09:54:49 UTC 2014


On Mon, Jan 20, 2014 at 04:49:21PM +0200, Alexander Bokovoy wrote:
> Hi!
> 
> Make sure we delete child domains before removing the trust itself as
> LDAP protocol does not allow removing non-leaf objects.
> 
> This has a non-obvious effect -- the old code removed the cross-realm
> principals and then removed the trust object. However, for trusts with child
> domains the trust domain object was not removed, as the LDAP server prevents
> removing non-leaf objects. It resulted in the object still existing but the
> cross-realm principals missing. The trust is thus non-functioning. This
> situation can be triggered with a second 'ipa trust-add' call.
> 
> Fix the code by removing child domains first and then remove the forest
> root trusted domain object.
> 
> https://fedorahosted.org/freeipa/ticket/4126

Patch is working as expected. But I would suggest removing the 'const'
from the declaration of dn (also in the caller) to avoid compiler
warnings. As an alternative you can use a different talloc context, but
using dn here makes sense.

bye,
Sumit
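The failure mode described in the quoted commit message, as an added example that is not FreeIPA or ipasam code: an in-memory stand-in for a directory server enforces the rule that a non-leaf entry cannot be deleted (LDAP result code 66, notAllowedOnNonLeaf), so deleting the forest root trust object while child domain entries still hang beneath it fails, whereas walking the subtree deepest-first succeeds. The DNs are constructed for illustration and only loosely follow the FreeIPA trust layout; the cross-realm principal cleanup that the old code performed before the failing delete is not modelled.

```python
"""Leaf-first deletion of an LDAP subtree.

Added example, not FreeIPA/ipasam code. FakeLdap is an in-memory stand-in
for a directory server; the DNs below are constructed for illustration.
"""
from typing import Iterable, List, Set


class LdapError(Exception):
    """Mimics an LDAP result code returned by the server."""

    NO_SUCH_OBJECT = 32
    NOT_ALLOWED_ON_NON_LEAF = 66

    def __init__(self, code: int, dn: str):
        super().__init__(f"LDAP error {code} on {dn}")
        self.code = code
        self.dn = dn


def dn_components(dn: str) -> List[str]:
    """Split a DN into normalized RDNs (no escaped commas in this example)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def normalize_dn(dn: str) -> str:
    return ",".join(dn_components(dn))


def is_descendant(dn: str, base: str) -> bool:
    """True if dn lies strictly below base in the tree."""
    d, b = dn_components(dn), dn_components(base)
    return len(d) > len(b) and d[-len(b):] == b


class FakeLdap:
    """Minimal directory: a set of DNs plus the non-leaf delete rule."""

    def __init__(self, dns: Iterable[str]):
        self.entries: Set[str] = {normalize_dn(dn) for dn in dns}

    def search_subtree(self, base: str) -> List[str]:
        base_n = normalize_dn(base)
        return [e for e in self.entries if e == base_n or is_descendant(e, base_n)]

    def delete(self, dn: str) -> None:
        dn_n = normalize_dn(dn)
        if dn_n not in self.entries:
            raise LdapError(LdapError.NO_SUCH_OBJECT, dn)
        # A real server refuses to delete an entry that still has children.
        if any(is_descendant(e, dn_n) for e in self.entries):
            raise LdapError(LdapError.NOT_ALLOWED_ON_NON_LEAF, dn)
        self.entries.remove(dn_n)


# Constructed DNs: the forest root trust object with child domain entries
# (and one deeper entry to show that the ordering handles arbitrary nesting).
TRUST_DN = "cn=ad.example.com,cn=ad,cn=trusts,dc=ipa,dc=example,dc=com"
TRUST_ENTRIES = [
    TRUST_DN,
    "cn=child.ad.example.com," + TRUST_DN,
    "cn=grandchild.child.ad.example.com,cn=child.ad.example.com," + TRUST_DN,
    "cn=sibling.ad.example.com," + TRUST_DN,
]


def try_delete(ldap: FakeLdap, dn: str) -> int:
    """Pre-fix behaviour: delete the trust object directly.

    Returns 0 on success or the LDAP result code on failure.
    """
    try:
        ldap.delete(dn)
    except LdapError as err:
        return err.code
    return 0


def delete_subtree(ldap: FakeLdap, base: str) -> List[str]:
    """Fixed behaviour: delete base and everything under it, deepest first.

    Returns the DNs in the order they were deleted.
    """
    order = sorted(
        ldap.search_subtree(base),
        key=lambda dn: (-len(dn_components(dn)), dn),
    )
    for dn in order:
        ldap.delete(dn)
    return order


if __name__ == "__main__":
    directory = FakeLdap(TRUST_ENTRIES)
    print("old code result code:", try_delete(directory, TRUST_DN))
    print("fixed code deleted:", delete_subtree(directory, TRUST_DN))
    print("remaining entries:", sorted(directory.entries))
```

Sorting by RDN count is a cheap post-order: every entry is deleted only after all of its descendants, so the server never sees a non-leaf delete, and the same ordering works whether the children are one or several levels deep.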
