Petr Viktorin wrote:
On 07/19/2012 03:07 PM, Rob Crittenden wrote:
Petr Viktorin wrote:
On 07/17/2012 08:52 PM, Rob Crittenden wrote:
When determining whether a member is direct or indirect we were not
doing a case-insensitive comparison which led to marking a member as
both direct and indirect (in a test case no less).
This patch fixes the comparison and the test.
rob
When comparing DNs, you should use the DN class, not string
manipulations: DN(x) instead of x.lower().
How urgent is this? John's DN patch solves this in a much more thorough
way, maybe it'd be better to just wait for that.
The problem is we're currently reporting incorrect membership. I figured
this would be a short-term fix unless you think the DN patch commit is
imminent.
rob
Okay. Still it makes sense to do the right thing, DN(x) instead of
x.lower().
Ok. We can hold onto this patch until we get a better feeling on when
the DN work will be committed. If it looks to be a while we can commit
this as a short-term solution, otherwise it'll just get dropped.
rob
>From c03329d6ea7b5ddda917bca64a6f085efe9e6a95 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Tue, 17 Jul 2012 14:48:47 -0400
Subject: [PATCH] Fix case sensitivity problem when comparing indirect group
members.
When determining whether a member is direct or indirect the case of
the DN should not be considered.
Fix a bad test associated with this as well.
https://fedorahosted.org/freeipa/ticket/2872
---
ipaserver/plugins/ldap2.py | 2 +-
tests/test_xmlrpc/test_permission_plugin.py | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index 6a3d2164ef9954f2cd5bace8cf75ee8ac5d7d82c..4eb49c0b1c951ec21871ccc8ce0a8ccc62a0e17d 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -1172,7 +1172,7 @@ class ldap2(CrudBackend, Encoder):
entries = []
for e in results:
- if unicode(e[0]) not in real_members and unicode(e[0]) not in entries:
+ if unicode(e[0].lower()) not in (member.lower() for member in real_members) and unicode(e[0].lower()) not in (entry.lower() for entry in entries):
if membertype == MEMBERS_INDIRECT:
entries.append(e[0])
else:
diff --git a/tests/test_xmlrpc/test_permission_plugin.py b/tests/test_xmlrpc/test_permission_plugin.py
index 8aaa4a99990241a78c15f094ad6ae80beb48aec3..6589904ba4660d84fa25a800f99e4b170a3e964a 100644
--- a/tests/test_xmlrpc/test_permission_plugin.py
+++ b/tests/test_xmlrpc/test_permission_plugin.py
@@ -475,7 +475,7 @@ class test_permission(Declarative):
'permissions' : [u'write'],
'attrs': [u'servicecategory', u'sourcehostcategory', u'cn', u'description', u'ipaenabledflag', u'accesstime', u'usercategory', u'hostcategory', u'accessruletype', u'sourcehost'],
'subtree' : u'ldap:///ipauniqueid=*,cn=hbac,%s' % api.env.basedn,
- 'memberindirect': [u'cn=hbac administrator,cn=privileges,cn=pbac,%s' % api.env.basedn, u'cn=it security specialist,cn=roles,cn=accounts,%s' % api.env.basedn],
+ 'memberindirect': [u'cn=it security specialist,cn=roles,cn=accounts,%s' % api.env.basedn],
},
],
),
--
1.7.10.2
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
