From d38748d64f5c7fb098b839b3c00a1f812d510d3b Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Fri, 13 Dec 2013 11:10:28 +0100
Subject: Make sure SYSTEM permissions can be retreived with --all --raw

Part of the work for: https://fedorahosted.org/freeipa/ticket/4034
---
 ipalib/plugins/permission.py | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

(limited to 'ipalib/plugins/permission.py')

diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index f3f001b74..bdde3e32e 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -310,8 +310,16 @@ class permission(baseldap.LDAPObject):
 
         if options.get('raw'):
             # Retreive the ACI from LDAP to ensure we get the real thing
-            acientry, acistring = self._get_aci_entry_and_string(entry)
-            entry.single_value['aci'] = acistring
+            try:
+                acientry, acistring = self._get_aci_entry_and_string(entry)
+            except errors.NotFound:
+                if list(entry.get('ipapermissiontype')) == ['SYSTEM']:
+                    # SYSTEM permissions don't have normal ACIs
+                    pass
+                else:
+                    raise
+            else:
+                entry.single_value['aci'] = acistring
 
         if not client_has_capability(options['version'], 'permissions2'):
             # Legacy clients expect some attributes as a single value
-- 
cgit