author | Alexander Bokovoy <abokovoy@redhat.com> | 2017-03-22 13:00:22 +0200 |
committer | Martin Babinsky <mbabinsk@redhat.com> | 2017-03-22 17:19:22 +0100 |
commit | 7324451834ec03786fda947679f750fe2a72f29c (patch) | |
tree | f066f39cfb79e9e14ede22c99a72d5d2c1bb88d0 | |
parent | 9939aa53630a9c6a66e83140e64ec56539891c13 (diff) | |
ldap2: use LDAP whoami operation to retrieve bind DN for current connection
For external users who are mapped to some DN in the LDAP server, we
wouldn't necessarily be able to find Kerberos data in their LDAP entry.
Instead of searching for Kerberos principal use actual DN we are bound
to because for get_effective_rights LDAP control we only need the DN
itself.
Fixes https://pagure.io/freeipa/issue/6797
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
-rw-r--r-- | ipaserver/plugins/ldap2.py | 7 |
1 files changed, 3 insertions, 4 deletions
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index def124530..3b1e4da57 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -286,12 +286,11 @@ class ldap2(CrudBackend, LDAPClient):
 assert isinstance(dn, DN)
- principal = getattr(context, 'principal')
- entry = self.find_entry_by_attr("krbprincipalname", principal,
- "krbPrincipalAux", base_dn=self.api.env.basedn)
+ bind_dn = self.conn.whoami_s()[4:]
+
 sctrl = [
 GetEffectiveRightsControl(
- True, "dn: {0}".format(entry.dn).encode('utf-8'))
+ True, "dn: {0}".format(bind_dn).encode('utf-8'))
 ]
 self.conn.set_option(_ldap.OPT_SERVER_CONTROLS, sctrl)
 try: |
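Review bot: The added `bind_dn = self.conn.whoami_s()[4:]` strips four characters without checking that the authorization identity actually starts with `dn:`; the WhoAmI result (RFC 4532) can also be an empty string for an anonymous or unauthenticated connection, or a `u:` form, and in either case the slice silently yields an empty or truncated value that is then embedded into the Get Effective Rights control as `dn: ...` and sent to the server. Since this DN decides whose rights the server evaluates, the method should fail explicitly instead: `authz_id = self.conn.whoami_s()` followed by `if not authz_id.startswith('dn:'): raise` an explicit error for the unexpected identity form, and then `bind_dn = authz_id.split(':', 1)[1].strip()` so that the result does not depend on exactly one space after the colon. It would also help to document in a one-line comment that the DN now comes from the server's view of the bound identity rather than from a principal lookup, which is the reason the Kerberos-principal search was dropped. The enclosing method begins before and continues past this hunk, so the `try:` it opens is not visible here.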