On 01/10/2014 12:54 PM, Alexander Bokovoy wrote:
> On Fri, 10 Jan 2014, Martin Kosek wrote:
>> Original patch for ticket #3803 implemented support to resolve SIDs
>> through SSSD. However, it also broke hbactest for external users. The
>> result of the updated external member group search must be local
>> non-external groups, not the external ones. Otherwise the rule is not
>> matched.
>>
>> https://fedorahosted.org/freeipa/ticket/3803
>>
>> ----
>>
>> This is a follow-up to failed verification in
>> https://bugzilla.redhat.com/show_bug.cgi?id=1032668
>>
>> Martin
> 
>> From 829e1359e6868af51156da00b0e8e3861828c7be Mon Sep 17 00:00:00 2001
>> From: Martin Kosek <mko...@redhat.com>
>> Date: Fri, 10 Jan 2014 12:41:29 +0100
>> Subject: [PATCH] hbactest does not work for external users
>>
>> Original patch for ticket #3803 implemented support to resolve SIDs
>> through SSSD. However, it also broke hbactest for external users. The
>> result of the updated external member group search must be local
>> non-external groups, not the external ones. Otherwise the rule is not
>> matched.
>>
>> https://fedorahosted.org/freeipa/ticket/3803
>> ---
>> ipalib/plugins/hbactest.py | 8 +++++---
>> 1 file changed, 5 insertions(+), 3 deletions(-)
>>
>> diff --git a/ipalib/plugins/hbactest.py b/ipalib/plugins/hbactest.py
>> index
>> fed39b05d8ac75254575cf211d338ab85b093cb8..cc18890ce3ca589a0d086aa263795f9c4ff61cb6
>> 100644
>> --- a/ipalib/plugins/hbactest.py
>> +++ b/ipalib/plugins/hbactest.py
>> @@ -400,14 +400,16 @@ def execute(self, *args, **options):
>>                 ldap = self.api.Backend.ldap2
>>                 group_container = DN(api.env.container_group, api.env.basedn)
>>                 try:
>> -                    entries, truncated = ldap.find_entries(filter_sids,
>> ['cn'], group_container)
>> +                    entries, truncated = ldap.find_entries(filter_sids,
>> ['memberof'], group_container)
>>                 except errors.NotFound:
>>                     request.user.groups = []
>>                 else:
>>                     groups = []
>>                     for dn, entry in entries:
>> -                        if dn.endswith(group_container):
>> -                            groups.append(dn[0][0].value)
>> +                        memberof_dns = entry.get('memberof', [])
>> +                        for memberof_dn in memberof_dns:
>> +                            if memberof_dn.endswith(group_container):
>> +                                groups.append(memberof_dn[0][0].value)
>>                     request.user.groups = sorted(set(groups))
>>             else:
>>                 # try searching for a local user
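Review bot: the requested attribute list drops 'cn' in favour of 'memberof', so the external group's own name is no longer added to request.user.groups, only the local groups it belongs to; if any HBAC rule were to reference the external group directly it would stop matching, so the commit message's "must be local non-external groups" should be the documented contract. The `if dn.endswith(group_container)` guard on the entry's own DN is gone, which is fine here because the search base is already group_container, but the same `endswith(group_container)` check on each memberof value is what keeps HBAC rules, netgroups and other non-group memberships out of the list, so it should stay. Provided the directory's memberOf plugin maintains memberof transitively, this also covers membership nested deeper than the two-tier case without further changes; consider a debug log when `entry.get('memberof', [])` is empty, since the user then silently gets no groups and every rule fails to match.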
> ACK.
> 
> Indeed, when verifying groups we need to take their nestedness into
> account because AD users and groups are mapped through two-tier groups.
> 

Pushed to master, ipa-3-3.

Martin
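The two-tier mapping discussed in the thread, as an added example that is not FreeIPA code: constructed LDAP-like entries in which an external group carries the AD SID and is itself a member of a local POSIX group the HBAC rule refers to. The container DN, the SID and the rule name are all constructed; `groups_before` mirrors the old logic and `groups_after` the patched one.

```python
# Added illustration (not part of the original patch or of FreeIPA).
GROUP_CONTAINER = "cn=groups,cn=accounts,dc=example,dc=com"  # assumed base DN

def rdn_value(dn):
    """First RDN value of a string DN: 'cn=ad_admins,...' -> 'ad_admins'."""
    return dn.split(",", 1)[0].split("=", 1)[1]

# Constructed entries: the external group holds the AD SID in ipaExternalMember
# and is a member of the local group 'ad_admins' and of an HBAC rule entry.
ENTRIES = [
    ("cn=ad_admins_external," + GROUP_CONTAINER,
     {"ipaexternalmember": ["S-1-5-21-1111-2222-3333-512"],  # constructed SID
      "memberof": ["cn=ad_admins," + GROUP_CONTAINER,
                   "cn=allow_admins,cn=hbac,dc=example,dc=com"]}),
]

def find_entries_by_sid(sids, entries):
    """Stand-in for ldap.find_entries(filter_sids, ...) over the constructed data."""
    return [(dn, e) for dn, e in entries
            if set(e.get("ipaexternalmember", [])) & set(sids)]

def groups_before(sids):
    """Pre-patch behaviour: names of the matching (external) groups themselves."""
    groups = [rdn_value(dn) for dn, _ in find_entries_by_sid(sids, ENTRIES)
              if dn.endswith(GROUP_CONTAINER)]
    return sorted(set(groups))

def groups_after(sids):
    """Patched behaviour: local groups (within the group container) that the
    external group is a member of; HBAC rule and other memberships are skipped."""
    groups = []
    for _dn, entry in find_entries_by_sid(sids, ENTRIES):
        for memberof_dn in entry.get("memberof", []):
            if memberof_dn.endswith(GROUP_CONTAINER):
                groups.append(rdn_value(memberof_dn))
    return sorted(set(groups))

def hbac_rule_matches(rule_groups, user_groups):
    """An HBAC rule matches when the user is in at least one of its groups."""
    return bool(set(rule_groups) & set(user_groups))

RULE_GROUPS = ["ad_admins"]                 # constructed: rule names the local group
SID = ["S-1-5-21-1111-2222-3333-512"]       # constructed AD user SID
```

Run with the constructed data, `groups_before(SID)` yields only `ad_admins_external` and the rule does not match, while `groups_after(SID)` yields `ad_admins` and it does.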

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
