From 2f9cbffb6e57ded2d0107f457241f33b17869a96 Mon Sep 17 00:00:00 2001

From: Rob Crittenden <rcritten@redhat.com>

Date: Jul 19 2019 19:16:16 +0000

Subject: Remove posixAccount from service_find search filter

This will allow cifs principals to be found. They were suppressed

because they include objectclass=posixAccount.

This is a bit of a historical anomaly. This was included in the

filter from the initial commit (though it was person, not

posixAccount). I believe it was a mistake from the beginning but

it wasn't noticed because it didn't cause any obvious issues.

https://pagure.io/freeipa/issue/8013

Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>

---

diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py

index f58fe4b..c118b80 100644

--- a/ipaserver/plugins/service.py

+++ b/ipaserver/plugins/service.py

@@ -889,7 +889,6 @@ class service_find(LDAPSearch):

         assert isinstance(base_dn, DN)

         # lisp style!

         custom_filter = '(&(objectclass=ipaService)' \

-                          '(!(objectClass=posixAccount))' \

                           '(!(|(krbprincipalname=kadmin/*)' \

                               '(krbprincipalname=K/M@*)' \

                               '(krbprincipalname=krbtgt/*))' \