From 2f9cbffb6e57ded2d0107f457241f33b17869a96 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Jul 19 2019 19:16:16 +0000
Subject: Remove posixAccount from service_find search filter


This will allow cifs principals to be found. They were suppressed
because they include objectclass=posixAccount.

This is a bit of a historical anomaly. This was included in the
filter from the initial commit (though it was person, not
posixAccount). I believe it was a mistake from the beginning but
it wasn't noticed because it didn't cause any obvious issues.

https://pagure.io/freeipa/issue/8013

Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>

---

diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index f58fe4b..c118b80 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -889,7 +889,6 @@ class service_find(LDAPSearch):
         assert isinstance(base_dn, DN)
         # lisp style!
         custom_filter = '(&(objectclass=ipaService)' \
-                          '(!(objectClass=posixAccount))' \
                           '(!(|(krbprincipalname=kadmin/*)' \
                               '(krbprincipalname=K/M@*)' \
                               '(krbprincipalname=krbtgt/*))' \