permission plugin: Join --type objectclass filters with OR

For groups, we will need to filter on either posixgroup (which UPGs
have but non-posix groups don't) and groupofnames/nestedgroup
(which normal groups have but UPGs don't).
Join permission_filter_objectclasses with `|` and add them as
a single ipapermtargetfilter value.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>

1 files changed, 3 insertions, 2 deletions

diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py
index 7394e6282..8c83b1ccc 100644
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
@@ -516,6 +516,8 @@ class update_managed_permissions(PostUpdate):
         template = dict(template)
         template.pop('replaces', None)
         template.pop('replaces_system', None)
+        template.pop('replaces_permissions', None)
+        template.pop('replaces_acis', None)
 
         fixup_function = template.pop('fixup_function', None)
         if fixup_function:
@@ -536,8 +538,7 @@ class update_managed_permissions(PostUpdate):
 
         ldap_filter = template.pop('ipapermtargetfilter', None)
         if obj and ldap_filter is None:
-            ldap_filter = ['(objectclass=%s)' % oc
-                           for oc in obj.permission_filter_objectclasses]
+            ldap_filter = [self.api.Object[permission].make_type_filter(obj)]
         entry['ipapermtargetfilter'] = list(ldap_filter or [])
 
         ipapermlocation = template.pop('ipapermlocation', None)