On 14/07/15 18:50, Petr Vobornik wrote:
hbacrule has it default attributes (which are used in search) attribute
'memberhostgroup'. This attr is not in ACI nor in schema. If the search
contains an attribute which can't be read then the search won't return
anything.

Therefore all searches with filter set fail.

Also I don't think this is a proper fix because any custom ACIs will cause the bug again. Same issue in https://fedorahosted.org/freeipa/ticket/5055

https://fedorahosted.org/freeipa/ticket/5130


ACK

Patch that fixes the similar issue with selinuxusermap is attached.

--
Martin Basti

From 298fe540f88f2916129bb643cee0076672a806d4 Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Thu, 16 Jul 2015 15:07:05 +0200
Subject: [PATCH] fix selinuxusermap search for non-admin users

Remove nonexistent attribute 'hostmembergroup' that is not in ACI nor schema.

Related to https://fedorahosted.org/freeipa/ticket/5130
---
 ipalib/plugins/selinuxusermap.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/plugins/selinuxusermap.py b/ipalib/plugins/selinuxusermap.py
index 76668b4692d4374fd09a83d6c28cb6cb2b20c958..e1a16af5004a5f4fd01166230ddd586068b6b556 100644
--- a/ipalib/plugins/selinuxusermap.py
+++ b/ipalib/plugins/selinuxusermap.py
@@ -143,7 +143,7 @@ class selinuxusermap(LDAPObject):
         'cn', 'ipaenabledflag',
         'description', 'usercategory', 'hostcategory',
         'ipaenabledflag', 'memberuser', 'memberhost',
-        'memberhostgroup', 'seealso', 'ipaselinuxuser',
+        'seealso', 'ipaselinuxuser',
     ]
     uuid_attribute = 'ipauniqueid'
     rdn_attribute = 'ipauniqueid'
-- 
2.4.3

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to