From 7b5cc3ed83ce9612c095544855d209c2dccf4272 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Fri, 19 Jul 2013 17:04:14 +0300
Subject: ipaserver/dcerpc: attempt to resolve SIDs through SSSD first

Attempt to resolve SIDs through SSSD first to avoid using trust account password. This makes possible to run HBAC test requests without being in 'trusted admins' group. https://fedorahosted.org/freeipa/ticket/3803
---
 ipalib/plugins/hbactest.py | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
(limited to 'ipalib/plugins/hbactest.py')
diff --git a/ipalib/plugins/hbactest.py b/ipalib/plugins/hbactest.py
index 9cc497c8..fed39b05 100644
--- a/ipalib/plugins/hbactest.py
+++ b/ipalib/plugins/hbactest.py
@@ -400,17 +400,14 @@ class hbactest(Command):
 ldap = self.api.Backend.ldap2
 group_container = DN(api.env.container_group, api.env.basedn)
 try:
- entries, truncated = ldap.find_entries(filter_sids, ['cn', 'memberOf'], group_container)
+ entries, truncated = ldap.find_entries(filter_sids, ['cn'], group_container)
 except errors.NotFound:
 request.user.groups = []
 else:
 groups = []
 for dn, entry in entries:
- memberof_dns = entry.get('memberof', [])
- for memberof_dn in memberof_dns:
- if memberof_dn.endswith(group_container):
- # this is a group object
- groups.append(memberof_dn[0][0].value)
+ if dn.endswith(group_container):
+ groups.append(dn[0][0].value)
 request.user.groups = sorted(set(groups))
 else:
 # try searching for a local user
-- cgit
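Review bot: The rewritten loop (`if dn.endswith(group_container): groups.append(dn[0][0].value)`) now records the RDN of each entry matched by `filter_sids`, where the old code recorded the groups named in those entries' `memberOf`, and the commit message does not mention this change. It should be confirmed that HBAC rules are meant to be evaluated against the matched entries themselves and not the groups that contain them; otherwise the test result may differ from what is actually enforced. The `endswith` check also appears to be always true, since `group_container` is already passed to `ldap.find_entries` as the search base. Separately, `truncated` is still ignored, so a size- or time-limited search would evaluate the rules on a partial group list; a guard such as `if truncated:` that reports the result as incomplete would make that visible. The enclosing method starts and ends outside the hunk, so `filter_sids` and the rule evaluation cannot be checked from here.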