author | Alexander Bokovoy <abokovoy@redhat.com> | 2013-07-19 17:04:14 +0300 |
---|---|---|
committer | Alexander Bokovoy <abokovoy@redhat.com> | 2013-07-23 16:24:38 +0300 |
commit | 7b5cc3ed83ce9612c095544855d209c2dccf4272 (patch) | |
tree | f3924efd548ac49809ba9fbc362ede91ea6dd3bb /ipalib | |
parent | 17c7d46c254de8301a1c328155d245631d5c03e4 (diff) | |
ipaserver/dcerpc: attempt to resolve SIDs through SSSD first
Attempt to resolve SIDs through SSSD first to avoid using trust
account password. This makes it possible to run HBAC test requests
without being in 'trusted admins' group.
https://fedorahosted.org/freeipa/ticket/3803
Diffstat (limited to 'ipalib')
-rw-r--r-- | ipalib/plugins/hbactest.py | 9 |
1 files changed, 3 insertions, 6 deletions
diff --git a/ipalib/plugins/hbactest.py b/ipalib/plugins/hbactest.py
index 9cc497c8..fed39b05 100644
--- a/ipalib/plugins/hbactest.py
+++ b/ipalib/plugins/hbactest.py
@@ -400,17 +400,14 @@ class hbactest(Command):
 ldap = self.api.Backend.ldap2
 group_container = DN(api.env.container_group, api.env.basedn)
 try:
- entries, truncated = ldap.find_entries(filter_sids, ['cn', 'memberOf'], group_container)
+ entries, truncated = ldap.find_entries(filter_sids, ['cn'], group_container)
 except errors.NotFound:
 request.user.groups = []
 else:
 groups = []
 for dn, entry in entries:
- memberof_dns = entry.get('memberof', [])
- for memberof_dn in memberof_dns:
- if memberof_dn.endswith(group_container):
- # this is a group object
- groups.append(memberof_dn[0][0].value)
+ if dn.endswith(group_container):
+ groups.append(dn[0][0].value)
 request.user.groups = sorted(set(groups))
 else:
 # try searching for a local user |
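Review bot: The rewritten loop records the matched entries themselves (`groups.append(dn[0][0].value)`), where the old code recorded the groups those entries were `memberOf`, and the commit message does not mention this change. If HBAC rules reference a group that contains the matched entry rather than the entry itself, the test could give a different answer than real evaluation, so it is worth confirming and noting above the loop, e.g. `# filter_sids matches the group entries directly; the entry DN names the group`. The search base is already `group_container`, so `if dn.endswith(group_container):` appears to be always true, and `entry` and the requested `'cn'` attribute are no longer used. `truncated` is discarded, so a size-limited search would silently produce an incomplete group list for the HBAC request. The enclosing method starts and ends outside the hunk, so how `filter_sids` is built cannot be checked from here.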