From 9f1c3d06bdb2f6bc0df5749bb994bc2ba9b630f9 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Fri, 7 Mar 2014 17:18:18 +0100 Subject: permission plugin: Do not fail on non-DN memberof filters The --memberof logic tried to convert the value of a (memberof=...) filter to a DN, which failed with filters like (memberof=*). Do not try to set memberof if the value is not a DN. A test will be added in a subsequent patch. Reviewed-By: Martin Kosek --- ipalib/plugins/permission.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'ipalib/plugins/permission.py') diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py index cd8981d90..be08b148c 100644 --- a/ipalib/plugins/permission.py +++ b/ipalib/plugins/permission.py @@ -306,7 +306,11 @@ class permission(baseldap.LDAPObject): for targetfilter in ipapermtargetfilter: match = re.match('^\(memberof=(.*)\)$', targetfilter, re.I) if match: - dn = DN(match.group(1)) + try: + dn = DN(match.group(1)) + except ValueError: + # Malformed DN; e.g. (memberof=*) + continue groups_dn = DN(self.api.Object.group.container_dn, self.api.env.basedn) if dn[1:] == groups_dn[:] and dn[0].attr == 'cn': -- cgit
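Review bot: The new `except ValueError: continue` branch skips any memberof value that does not parse as a DN without recording that it was skipped, so a wildcard such as `(memberof=*)` and a mistyped group DN are handled identically. Because this loop derives the memberof view of an access-control permission, the comment should say where the skipped filter ends up, for example `# Not a DN, e.g. (memberof=*); keep it as a plain target filter, not a memberof group`, if that is what the rest of the method does. The enclosing method starts and ends outside the hunk, so whether a skipped filter is still shown to the administrator cannot be confirmed from here. The test promised in the commit message should cover both the wildcard and a malformed DN.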