author | Petr Viktorin <pviktori@redhat.com> | 2014-03-07 17:18:18 +0100 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2014-03-14 10:14:05 +0100 |
commit | 9f1c3d06bdb2f6bc0df5749bb994bc2ba9b630f9 (patch) | |
tree | c8bb815d42fa36724d2f0bc5d9f60e958a41f5bb /ipalib/plugins/permission.py | |
parent | 29eef98c7609d83b44a653f967cd4cc44b577497 (diff) | |
permission plugin: Do not fail on non-DN memberof filters
The --memberof logic tried to convert the value of a (memberof=...)
filter to a DN, which failed with filters like (memberof=*).
Do not try to set memberof if the value is not a DN.
A test will be added in a subsequent patch.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Diffstat (limited to 'ipalib/plugins/permission.py')
-rw-r--r-- | ipalib/plugins/permission.py | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index cd8981d90..be08b148c 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -306,7 +306,11 @@ class permission(baseldap.LDAPObject):
 for targetfilter in ipapermtargetfilter:
 match = re.match('^\(memberof=(.*)\)$', targetfilter, re.I)
 if match:
- dn = DN(match.group(1))
+ try:
+ dn = DN(match.group(1))
+ except ValueError:
+ # Malformed DN; e.g. (memberof=*)
+ continue
 groups_dn = DN(self.api.Object.group.container_dn,
 self.api.env.basedn)
 if dn[1:] == groups_dn[:] and dn[0].attr == 'cn': |
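Review bot: The new `except ValueError:` branch skips a non-DN value such as `(memberof=*)` silently, so the permission's reported `memberof` can come out empty while the stored target filter presumably still governs what the ACI matches. Someone auditing the permission from its `memberof` field alone could then misjudge its scope. If that is the intended behaviour, the comment should say so, for example `# Not a DN, e.g. (memberof=*): not reported as memberof; the raw target filter is left as stored`. The `continue` also skips the rest of the loop body, which runs past the end of this hunk, so it is worth confirming that nothing later in the iteration still needs to run for such filters. The try body is correctly limited to the `DN(...)` call, which keeps unrelated errors from being swallowed.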