summaryrefslogtreecommitdiffstats
path: root/ipaserver
diff options
context:
space:
mode:
authorRob Crittenden <rcritten@redhat.com>2011-06-13 14:54:42 -0400
committerEndi S. Dewata <edewata@redhat.com>2011-06-14 15:34:11 +0000
commitc5d8618424de3766db9f104d0873c884b53a4feb (patch)
tree9aa85a0a886585510ca9da751f06638c4daf5ece /ipaserver
parent9f72637b13c2001d1c7e8842f75347f9af74190e (diff)
downloadfreeipa-c5d8618424de3766db9f104d0873c884b53a4feb.zip
freeipa-c5d8618424de3766db9f104d0873c884b53a4feb.tar.gz
freeipa-c5d8618424de3766db9f104d0873c884b53a4feb.tar.xz
Fix indirect member calculation
Indirect membership is calculated by looking at each member and pulling all the memberof out of it. What was missing was doing nested searches on any members in that member group. So if group2 was a member of group1 and group3 was a member of group2 we would miss group3 as being an indirect member of group1. I updated the nesting test to do deeper nested testing. I confirmed that this test failed with the old code and works with the new. This also prevents duplicate indirect users and looping on circular membership. ticket https://fedorahosted.org/freeipa/ticket/1273
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/plugins/ldap2.py25
1 files changed, 16 insertions, 9 deletions
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index b0a5c2c..e4cc72d 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -943,14 +943,21 @@ class ldap2(CrudBackend, Encoder):
# Verify group membership
results = []
- for member in members:
- try:
- (result, truncated) = self.find_entries(searchfilter, attr_list,
- member, time_limit=time_limit,
- size_limit=size_limit, normalize=normalize)
- results.append(list(result[0]))
- except errors.NotFound:
- pass
+ if membertype == MEMBERS_ALL or membertype == MEMBERS_INDIRECT:
+ checkmembers = copy.deepcopy(members)
+ for member in checkmembers:
+ try:
+ (result, truncated) = self.find_entries(searchfilter,
+ attr_list, member, time_limit=time_limit,
+ size_limit=size_limit, normalize=normalize)
+ results.append(list(result[0]))
+ for m in result[0][1].get('member', []):
+ # This member may contain other members, add it to our
+ # candidate list
+ if m not in checkmembers:
+ checkmembers.append(m)
+ except errors.NotFound:
+ pass
if membertype == MEMBERS_ALL:
entries = []
@@ -969,7 +976,7 @@ class ldap2(CrudBackend, Encoder):
entries = []
for e in results:
- if unicode(e[0]) not in real_members:
+ if unicode(e[0]) not in real_members and unicode(e[0]) not in entries:
if membertype == MEMBERS_INDIRECT:
entries.append(e[0])
else: