authorMartin Kosek <mkosek@redhat.com>2014-01-10 12:41:29 +0100
committerMartin Kosek <mkosek@redhat.com>2014-01-10 12:55:44 +0100
commitfaa820f39e2f632d5333ea6124c9cb190e69f728 (patch)
tree985ed4964c8f858d7761888f28215e3ec9fec187
parent554d43d6891990fc6088ba6901ce78ff318290f0 (diff)
hbactest does not work for external users
Original patch for ticket #3803 implemented support to resolve SIDs through SSSD. However, it also broke hbactest for external users. The result of the updated external member group search must be local non-external groups, not the external ones. Otherwise the rule is not matched. https://fedorahosted.org/freeipa/ticket/3803
-rw-r--r--ipalib/plugins/hbactest.py8
1 files changed, 5 insertions, 3 deletions
diff --git a/ipalib/plugins/hbactest.py b/ipalib/plugins/hbactest.py
index fed39b05..cc18890c 100644
--- a/ipalib/plugins/hbactest.py
+++ b/ipalib/plugins/hbactest.py
@@ -400,14 +400,16 @@ class hbactest(Command):
ldap = self.api.Backend.ldap2
group_container = DN(api.env.container_group, api.env.basedn)
try:
- entries, truncated = ldap.find_entries(filter_sids, ['cn'], group_container)
+ entries, truncated = ldap.find_entries(filter_sids, ['memberof'], group_container)
except errors.NotFound:
request.user.groups = []
else:
groups = []
for dn, entry in entries:
- if dn.endswith(group_container):
- groups.append(dn[0][0].value)
+ memberof_dns = entry.get('memberof', [])
+ for memberof_dn in memberof_dns:
+ if memberof_dn.endswith(group_container):
+ groups.append(memberof_dn[0][0].value)
request.user.groups = sorted(set(groups))
else:
# try searching for a local user
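Review bot: The `truncated` flag returned by `ldap.find_entries(filter_sids, ['memberof'], group_container)` is still discarded, so if the search hits a size or time limit, `request.user.groups` is built from a partial set of external groups. hbactest would then report a rule as not matched for an external user with no sign that the evaluation was incomplete, which is misleading for a tool used to verify access policy. I would add an `if truncated:` branch in the `else:` path that surfaces a warning; how hbactest reports warnings is outside this hunk. The `endswith(group_container)` check only confirms that each `memberof` target lives under the group container, not that it is a local non-external group as the commit message requires, which is probably acceptable but worth stating. A comment above the inner loop would help, e.g. `# external groups only carry SIDs; HBAC rules reference the local groups they belong to, so collect memberof targets under the group container`. The enclosing method starts and ends outside the hunk.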