diff options
| author | Rob Crittenden <rcritten@redhat.com> | 2011-06-13 14:54:42 -0400 |
|---|---|---|
| committer | Endi S. Dewata <edewata@redhat.com> | 2011-06-14 15:34:11 +0000 |
| commit | c5d8618424de3766db9f104d0873c884b53a4feb (patch) | |
| tree | 9aa85a0a886585510ca9da751f06638c4daf5ece /ipaserver | |
| parent | 9f72637b13c2001d1c7e8842f75347f9af74190e (diff) | |
| download | freeipa-c5d8618424de3766db9f104d0873c884b53a4feb.tar.gz freeipa-c5d8618424de3766db9f104d0873c884b53a4feb.tar.xz freeipa-c5d8618424de3766db9f104d0873c884b53a4feb.zip | |
Fix indirect member calculation
Indirect membership is calculated by looking at each member and pulling
all the memberof out of it. What was missing was doing nested searches
on any members in that member group.
So if group2 was a member of group1 and group3 was a member of group2
we would miss group3 as being an indirect member of group1.
I updated the nesting test to do deeper nested testing. I confirmed
that this test failed with the old code and works with the new.
This also prevents duplicate indirect users and looping on circular
membership.
ticket https://fedorahosted.org/freeipa/ticket/1273
Diffstat (limited to 'ipaserver')
| -rw-r--r-- | ipaserver/plugins/ldap2.py | 25 |
1 files changed, 16 insertions, 9 deletions
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py index b0a5c2c2c..e4cc72de5 100644 --- a/ipaserver/plugins/ldap2.py +++ b/ipaserver/plugins/ldap2.py @@ -943,14 +943,21 @@ class ldap2(CrudBackend, Encoder): # Verify group membership results = [] - for member in members: - try: - (result, truncated) = self.find_entries(searchfilter, attr_list, - member, time_limit=time_limit, - size_limit=size_limit, normalize=normalize) - results.append(list(result[0])) - except errors.NotFound: - pass + if membertype == MEMBERS_ALL or membertype == MEMBERS_INDIRECT: + checkmembers = copy.deepcopy(members) + for member in checkmembers: + try: + (result, truncated) = self.find_entries(searchfilter, + attr_list, member, time_limit=time_limit, + size_limit=size_limit, normalize=normalize) + results.append(list(result[0])) + for m in result[0][1].get('member', []): + # This member may contain other members, add it to our + # candidate list + if m not in checkmembers: + checkmembers.append(m) + except errors.NotFound: + pass if membertype == MEMBERS_ALL: entries = [] @@ -969,7 +976,7 @@ class ldap2(CrudBackend, Encoder): entries = [] for e in results: - if unicode(e[0]) not in real_members: + if unicode(e[0]) not in real_members and unicode(e[0]) not in entries: if membertype == MEMBERS_INDIRECT: entries.append(e[0]) else: |