author | Martin Kosek <mkosek@redhat.com> | 2014-01-10 12:41:29 +0100 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2014-01-10 12:55:52 +0100 |
commit | fdce36ccc13f68e4019064c69ef4f5adf61ef681 (patch) | |
tree | 2422c60b4e70fa578a8f9192648cd56a822139d0 | |
parent | 2273ff1278f0982fe5fef868ab66c6541e596ad0 (diff) | |
hbactest does not work for external users
Original patch for ticket #3803 implemented support to resolve SIDs
through SSSD. However, it also broke hbactest for external users. The
result of the updated external member group search must be local
non-external groups, not the external ones. Otherwise the rule is not
matched.
https://fedorahosted.org/freeipa/ticket/3803
-rw-r--r-- | ipalib/plugins/hbactest.py | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/ipalib/plugins/hbactest.py b/ipalib/plugins/hbactest.py
index fed39b05..cc18890c 100644
--- a/ipalib/plugins/hbactest.py
+++ b/ipalib/plugins/hbactest.py
@@ -400,14 +400,16 @@ class hbactest(Command):
 ldap = self.api.Backend.ldap2
 group_container = DN(api.env.container_group, api.env.basedn)
 try:
- entries, truncated = ldap.find_entries(filter_sids, ['cn'], group_container)
+ entries, truncated = ldap.find_entries(filter_sids, ['memberof'], group_container)
 except errors.NotFound:
 request.user.groups = []
 else:
 groups = []
 for dn, entry in entries:
- if dn.endswith(group_container):
- groups.append(dn[0][0].value)
+ memberof_dns = entry.get('memberof', [])
+ for memberof_dn in memberof_dns:
+ if memberof_dn.endswith(group_container):
+ groups.append(memberof_dn[0][0].value)
 request.user.groups = sorted(set(groups))
 else:
 # try searching for a local user |
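Review bot: `truncated` returned by `ldap.find_entries(filter_sids, ['memberof'], group_container)` is never checked in this branch, so a search cut short by a size or time limit would leave `request.user.groups` silently incomplete and the simulated HBAC result could report a rule as not matched when real evaluation would match it. Consider surfacing that case to the caller rather than returning a partial group list; the rest of the method lies outside the hunk, so it may already be handled further down. A short comment above the inner loop would also help the next reader, e.g. `# external groups only carry the SIDs; HBAC rules reference the local groups they are members of`. The loop also assumes the `memberof` values come back as DN objects (`endswith`, `[0][0].value`), which is worth confirming for this attribute.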