URL: https://github.com/freeipa/freeipa/pull/637 Author: abbra Title: #637: ldap2: use LDAP whoami operation to retrieve bind DN for current connection Action: opened
PR body: """ For external users which are mapped to some DN in the LDAP server, we would not necessarily be able to find Kerberos data in their LDAP entry. Instead of searching for the Kerberos principal, use the actual DN we are bound as, because for the get_effective_rights LDAP control we only need the DN itself. Fixes https://pagure.io/freeipa/issue/6797 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/637/head:pr637 git checkout pr637
From 7201f6dd18014b39d9c96b95ce2f898a55582653 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Wed, 22 Mar 2017 13:00:22 +0200
Subject: [PATCH] ldap2: use LDAP whoami operation to retrieve bind DN for current connection

For external users which are mapped to some DN in LDAP server, we wouldn't neccesary be able to find a kerberos data in their LDAP entry. Instead of searching for Kerberos principal use actual DN we are bound to because for get_effective_rights LDAP control we only need the DN itself.

Fixes https://pagure.io/freeipa/issue/6797
---
 ipaserver/plugins/ldap2.py | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index def1245..b07b708 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -286,12 +286,16 @@ def get_effective_rights(self, dn, attrs_list):
         assert isinstance(dn, DN)
-        principal = getattr(context, 'principal')
-        entry = self.find_entry_by_attr("krbprincipalname", principal,
-                                        "krbPrincipalAux", base_dn=self.api.env.basedn)
+        bind_dn = None
+        try:
+            bind_dn = self.conn.whoami_s()[4:]
+        finally:
+            if bind_dn is None:
+                return None
+
         sctrl = [
             GetEffectiveRightsControl(
-                True, "dn: {0}".format(entry.dn).encode('utf-8'))
+                True, "dn: {0}".format(bind_dn).encode('utf-8'))
         ]
         self.conn.set_option(_ldap.OPT_SERVER_CONTROLS, sctrl)
         try:
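Review bot: The `return None` inside the new `finally:` block swallows every exception raised by `self.conn.whoami_s()` — a `return` in `finally` discards the in-flight exception — so an LDAP error or a dropped connection during whoami makes get_effective_rights silently report "no rights" instead of failing, which is the wrong direction for an authorization helper. Let the LDAP error propagate (or map it with the file's usual error handling) and only return None for the genuinely "no DN" case. The `[4:]` slice also assumes a four-character `dn: ` prefix; RFC 4532 allows an empty authzId for an anonymous bind and a `u:` form, and the RFC spelling is `dn:` without a space, so a prefix check is safer than a fixed offset — otherwise a truncated or garbage DN is sent in the GetEffectiveRights control. The enclosing function continues past the end of the hunk (the hunk header counts more context lines than are visible here), so the later `get_entry` call and its control reset are not reviewed.
```python
        authz_id = self.conn.whoami_s()  # let LDAP errors propagate to the caller
        # RFC 4532: empty authzId means anonymous bind; only the dn: form carries a DN
        if not authz_id.startswith('dn:'):
            return None
        bind_dn = authz_id[3:].lstrip()
        # … unchanged: sctrl / GetEffectiveRightsControl built from bind_dn …
```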