From 01e98be318caa921302726b48f05166b0ce00f21 Mon Sep 17 00:00:00 2001

From: Martin Kosek <mkosek@redhat.com>

Date: Fri, 10 Jan 2014 12:41:29 +0100

Subject: [PATCH] hbactest does not work for external users

Original patch for ticket #3803 implemented support to resolve SIDs

through SSSD. However, it also broke hbactest for external users. The

result of the updated external member group search must be local

non-external groups, not the external ones. Otherwise the rule is not

matched.

https://fedorahosted.org/freeipa/ticket/3803

---

 ipalib/plugins/hbactest.py | 8 +++++---

 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/ipalib/plugins/hbactest.py b/ipalib/plugins/hbactest.py

index fed39b05d8ac75254575cf211d338ab85b093cb8..cc18890ce3ca589a0d086aa263795f9c4ff61cb6 100644

--- a/ipalib/plugins/hbactest.py

+++ b/ipalib/plugins/hbactest.py

@@ -400,14 +400,16 @@ def execute(self, *args, **options):

                 ldap = self.api.Backend.ldap2

                 group_container = DN(api.env.container_group, api.env.basedn)

                 try:

-                    entries, truncated = ldap.find_entries(filter_sids, ['cn'], group_container)

+                    entries, truncated = ldap.find_entries(filter_sids, ['memberof'], group_container)

                 except errors.NotFound:

                     request.user.groups = []

                 else:

                     groups = []

                     for dn, entry in entries:

-                        if dn.endswith(group_container):

-                            groups.append(dn[0][0].value)

+                        memberof_dns = entry.get('memberof', [])

+                        for memberof_dn in memberof_dns:

+                            if memberof_dn.endswith(group_container):

+                                groups.append(memberof_dn[0][0].value)

                     request.user.groups = sorted(set(groups))

             else:

                 # try searching for a local user

-- 

1.8.4.2