Petr Viktorin wrote:
On 07/19/2012 03:07 PM, Rob Crittenden wrote:
Petr Viktorin wrote:
On 07/17/2012 08:52 PM, Rob Crittenden wrote:
When determining whether a member is direct or indirect we were not
doing a case-insensitive comparison which led to marking a member as
both direct and indirect (in a test case no less).

This patch fixes the comparison and the test.


When comparing DNs, you should use the DN class, not string
manipulations: DN(x) instead of x.lower().

How urgent is this? John's DN patch solves this in a much more thorough
way, maybe it'd be better to just wait for that.

The problem is we're currently reporting incorrect membership. I figured
this would be a short-term fix unless you think the DN patch commit is


Okay. Still it makes sense to do the right thing, DN(x) instead of

Ok. We can hold onto this patch until we get a better feeling on when the DN work will be committed. If it looks to be a while we can commit this as a short-term solution, otherwise it'll just get dropped.


From c03329d6ea7b5ddda917bca64a6f085efe9e6a95 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <>
Date: Tue, 17 Jul 2012 14:48:47 -0400
Subject: [PATCH] Fix case sensitivity problem when comparing indirect group

When determining whether a member is direct or indirect the case of
the DN should not be considered.

Fix a bad test associated with this as well.
 ipaserver/plugins/                  |    2 +-
 tests/test_xmlrpc/ |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipaserver/plugins/ b/ipaserver/plugins/
index 6a3d2164ef9954f2cd5bace8cf75ee8ac5d7d82c..4eb49c0b1c951ec21871ccc8ce0a8ccc62a0e17d 100644
--- a/ipaserver/plugins/
+++ b/ipaserver/plugins/
@@ -1172,7 +1172,7 @@ class ldap2(CrudBackend, Encoder):
         entries = []
         for e in results:
-            if unicode(e[0]) not in real_members and unicode(e[0]) not in entries:
+            if unicode(e[0].lower()) not in (member.lower() for member in real_members) and unicode(e[0].lower()) not in (entry.lower() for entry in entries):
                 if membertype == MEMBERS_INDIRECT:
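Review bot: On the changed `if` line, `.lower()` is called on `e[0]` before the `unicode()` conversion, whereas the removed line converted first; if `e[0]` is not already a string this raises instead of comparing, so `unicode(e[0]).lower()` is the safer order. The two generator expressions also re-lowercase every element of `real_members` and `entries` for each result in the loop; lowercasing each once into a set before the `for` avoids the repeated work and shortens the line. Lowercasing alone still treats DNs that differ only in spacing around separators as different, which is the case the DN(x) comparison suggested in the thread would cover.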
diff --git a/tests/test_xmlrpc/ b/tests/test_xmlrpc/
index 8aaa4a99990241a78c15f094ad6ae80beb48aec3..6589904ba4660d84fa25a800f99e4b170a3e964a 100644
--- a/tests/test_xmlrpc/
+++ b/tests/test_xmlrpc/
@@ -475,7 +475,7 @@ class test_permission(Declarative):
                         'permissions' : [u'write'],
                         'attrs': [u'servicecategory', u'sourcehostcategory', u'cn', u'description', u'ipaenabledflag', u'accesstime', u'usercategory', u'hostcategory', u'accessruletype', u'sourcehost'],
                         'subtree' : u'ldap:///ipauniqueid=*,cn=hbac,%s' % api.env.basedn,
-                        'memberindirect': [u'cn=hbac administrator,cn=privileges,cn=pbac,%s' % api.env.basedn, u'cn=it security specialist,cn=roles,cn=accounts,%s' % api.env.basedn],
+                        'memberindirect': [u'cn=it security specialist,cn=roles,cn=accounts,%s' % api.env.basedn],
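Review bot: The expected `memberindirect` list drops the `cn=hbac administrator` privilege DN, but nothing in this hunk asserts where that DN should now be reported, and none of the expected values uses a DN whose case differs from the one being compared against. Adding an expectation for the direct membership, plus a member whose DN differs only in case, would make this test fail if the comparison ever regresses to case-sensitive.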

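The point raised in the thread, that comparing DNs takes more than `.lower()`, as an added example that is not part of the original message or of FreeIPA's code. `normalize_dn` and `split_members` are hypothetical helpers, the DNs are constructed, and the normaliser assumes case-insensitive attribute values with no hex-escaped separators.

```python
import re

# Hypothetical helper, not FreeIPA's DN class: a simplified RFC 4514
# normaliser. Assumes every attribute value is matched case-insensitively
# and that values contain no hex-escaped (\2C) separators.
_RDN_SPLIT = re.compile(r'(?<!\\),')   # unescaped comma separates RDNs
_AVA_SPLIT = re.compile(r'(?<!\\)\+')  # unescaped plus separates AVAs


def normalize_dn(dn):
    """Return a hashable key for comparing two DNs."""
    rdns = []
    for rdn in _RDN_SPLIT.split(dn):
        avas = []
        for ava in _AVA_SPLIT.split(rdn):
            attr, _, value = ava.partition('=')
            avas.append((attr.strip().lower(), value.strip().lower()))
        # AVAs inside a multi-valued RDN are unordered, so sort them.
        rdns.append(tuple(sorted(avas)))
    return tuple(rdns)


def split_members(all_members, direct_members):
    """Classify each DN as direct or indirect, never both."""
    direct_keys = {normalize_dn(m) for m in direct_members}
    seen = set()
    direct, indirect = [], []
    for dn in all_members:
        key = normalize_dn(dn)
        if key in seen:          # same entry already reported
            continue
        seen.add(key)
        (direct if key in direct_keys else indirect).append(dn)
    return direct, indirect


# Constructed sample data (dc=example,dc=test is a placeholder suffix).
DIRECT = ['cn=HBAC Administrator,cn=privileges,cn=pbac,dc=example,dc=test']
ALL = [
    'cn=hbac administrator, cn=privileges, cn=pbac, dc=example, dc=test',
    'CN=IT Security Specialist,cn=roles,cn=accounts,dc=example,dc=test',
    'cn=it security specialist,cn=roles,cn=accounts,dc=example,dc=test',
]

if __name__ == '__main__':
    print(split_members(ALL, DIRECT))
```

The first entry in `ALL` differs from the direct member in both case and spacing, so a plain `.lower()` comparison would still report it as indirect.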