|
 |
9991ea |
From 01e98be318caa921302726b48f05166b0ce00f21 Mon Sep 17 00:00:00 2001
|
|
|
9991ea |
From: Martin Kosek <mkosek@redhat.com>
|
|
|
9991ea |
Date: Fri, 10 Jan 2014 12:41:29 +0100
|
|
|
9991ea |
Subject: [PATCH] hbactest does not work for external users
|
|
|
9991ea |
|
|
|
9991ea |
Original patch for ticket #3803 implemented support to resolve SIDs
|
|
|
9991ea |
through SSSD. However, it also broke hbactest for external users. The
|
|
|
9991ea |
result of the updated external member group search must be local
|
|
|
9991ea |
non-external groups, not the external ones. Otherwise the rule is not
|
|
|
9991ea |
matched.
|
|
|
9991ea |
|
|
|
9991ea |
https://fedorahosted.org/freeipa/ticket/3803
|
|
|
9991ea |
---
|
|
|
9991ea |
ipalib/plugins/hbactest.py | 8 +++++---
|
|
|
9991ea |
1 file changed, 5 insertions(+), 3 deletions(-)
|
|
|
9991ea |
|
|
|
9991ea |
diff --git a/ipalib/plugins/hbactest.py b/ipalib/plugins/hbactest.py
|
|
|
9991ea |
index fed39b05d8ac75254575cf211d338ab85b093cb8..cc18890ce3ca589a0d086aa263795f9c4ff61cb6 100644
|
|
|
9991ea |
--- a/ipalib/plugins/hbactest.py
|
|
|
9991ea |
+++ b/ipalib/plugins/hbactest.py
|
|
|
9991ea |
@@ -400,14 +400,16 @@ def execute(self, *args, **options):
|
|
|
9991ea |
ldap = self.api.Backend.ldap2
|
|
|
9991ea |
group_container = DN(api.env.container_group, api.env.basedn)
|
|
|
9991ea |
try:
|
|
|
9991ea |
- entries, truncated = ldap.find_entries(filter_sids, ['cn'], group_container)
|
|
|
9991ea |
+ entries, truncated = ldap.find_entries(filter_sids, ['memberof'], group_container)
|
|
|
9991ea |
except errors.NotFound:
|
|
|
9991ea |
request.user.groups = []
|
|
|
9991ea |
else:
|
|
|
9991ea |
groups = []
|
|
|
9991ea |
for dn, entry in entries:
|
|
|
9991ea |
- if dn.endswith(group_container):
|
|
|
9991ea |
- groups.append(dn[0][0].value)
|
|
|
9991ea |
+ memberof_dns = entry.get('memberof', [])
|
|
|
9991ea |
+ for memberof_dn in memberof_dns:
|
|
|
9991ea |
+ if memberof_dn.endswith(group_container):
|
|
|
9991ea |
+ groups.append(memberof_dn[0][0].value)
|
|
|
9991ea |
request.user.groups = sorted(set(groups))
|
|
|
9991ea |
else:
|
|
|
9991ea |
# try searching for a local user
|
|
|
9991ea |
--
|
|
|
9991ea |
1.8.4.2
|
|
|
9991ea |
|