From 01e98be318caa921302726b48f05166b0ce00f21 Mon Sep 17 00:00:00 2001 From: Martin Kosek Date: Fri, 10 Jan 2014 12:41:29 +0100 Subject: [PATCH] hbactest does not work for external users Original patch for ticket #3803 implemented support to resolve SIDs through SSSD. However, it also broke hbactest for external users. The result of the updated external member group search must be local non-external groups, not the external ones. Otherwise the rule is not matched. https://fedorahosted.org/freeipa/ticket/3803 --- ipalib/plugins/hbactest.py | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/ipalib/plugins/hbactest.py b/ipalib/plugins/hbactest.py index fed39b05d8ac75254575cf211d338ab85b093cb8..cc18890ce3ca589a0d086aa263795f9c4ff61cb6 100644 --- a/ipalib/plugins/hbactest.py +++ b/ipalib/plugins/hbactest.py @@ -400,14 +400,16 @@ def execute(self, *args, **options): ldap = self.api.Backend.ldap2 group_container = DN(api.env.container_group, api.env.basedn) try: - entries, truncated = ldap.find_entries(filter_sids, ['cn'], group_container) + entries, truncated = ldap.find_entries(filter_sids, ['memberof'], group_container) except errors.NotFound: request.user.groups = [] else: groups = [] for dn, entry in entries: - if dn.endswith(group_container): - groups.append(dn[0][0].value) + memberof_dns = entry.get('memberof', []) + for memberof_dn in memberof_dns: + if memberof_dn.endswith(group_container): + groups.append(memberof_dn[0][0].value) request.user.groups = sorted(set(groups)) else: # try searching for a local user -- 1.8.4.2