From 1288763da61ba9e0c9bd345487a3e645c58284df Mon Sep 17 00:00:00 2001

From: Alexander Bokovoy <abokovoy@redhat.com>

Date: Wed, 22 Mar 2017 13:00:22 +0200

Subject: [PATCH] ldap2: use LDAP whoami operation to retrieve bind DN for

 current connection

For external users which are mapped to some DN in LDAP server, we

wouldn't neccesary be able to find a kerberos data in their LDAP entry.

Instead of searching for Kerberos principal use actual DN we are bound

to because for get_effective_rights LDAP control we only need the DN

itself.

Fixes https://pagure.io/freeipa/issue/6797

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>

---

 ipaserver/plugins/ldap2.py | 7 +++----

 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py

index def124530cc863e6924c7b6f1f48c236323019a9..3b1e4da57a8e16e3d9b27eea24025de2caa53216 100644

--- a/ipaserver/plugins/ldap2.py

+++ b/ipaserver/plugins/ldap2.py

@@ -286,12 +286,11 @@ class ldap2(CrudBackend, LDAPClient):

         assert isinstance(dn, DN)

-        principal = getattr(context, 'principal')

-        entry = self.find_entry_by_attr("krbprincipalname", principal,

-            "krbPrincipalAux", base_dn=self.api.env.basedn)

+        bind_dn = self.conn.whoami_s()[4:]

+

         sctrl = [

             GetEffectiveRightsControl(

-                True, "dn: {0}".format(entry.dn).encode('utf-8'))

+                True, "dn: {0}".format(bind_dn).encode('utf-8'))

         ]

         self.conn.set_option(_ldap.OPT_SERVER_CONTROLS, sctrl)

         try:

-- 

2.12.1