Re: [Freeipa-devel] [PATCH] 445 hbactest does not work for external users

Fri, 10 Jan 2014 03:55:55 -0800 

On Fri, 10 Jan 2014, Martin Kosek wrote:

Original patch for ticket #3803 implemented support to resolve SIDs
through SSSD. However, it also broke hbactest for external users. The
result of the updated external member group search must be local
non-external groups, not the external ones. Otherwise the rule is not
matched.

https://fedorahosted.org/freeipa/ticket/3803

----

This is a follow up to failed verification in
https://bugzilla.redhat.com/show_bug.cgi?id=1032668

Martin



From 829e1359e6868af51156da00b0e8e3861828c7be Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Fri, 10 Jan 2014 12:41:29 +0100
Subject: [PATCH] hbactest does not work for external users

Original patch for ticket #3803 implemented support to resolve SIDs
through SSSD. However, it also broke hbactest for external users. The
result of the updated external member group search must be local
non-external groups, not the external ones. Otherwise the rule is not
matched.

https://fedorahosted.org/freeipa/ticket/3803
---
ipalib/plugins/hbactest.py | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/ipalib/plugins/hbactest.py b/ipalib/plugins/hbactest.py
index 
fed39b05d8ac75254575cf211d338ab85b093cb8..cc18890ce3ca589a0d086aa263795f9c4ff61cb6
 100644
--- a/ipalib/plugins/hbactest.py
+++ b/ipalib/plugins/hbactest.py
@@ -400,14 +400,16 @@ def execute(self, *args, **options):
                ldap = self.api.Backend.ldap2
                group_container = DN(api.env.container_group, api.env.basedn)
                try:
-                    entries, truncated = ldap.find_entries(filter_sids, 
['cn'], group_container)
+                    entries, truncated = ldap.find_entries(filter_sids, 
['memberof'], group_container)
                except errors.NotFound:
                    request.user.groups = []
                else:
                    groups = []
                    for dn, entry in entries:
-                        if dn.endswith(group_container):
-                            groups.append(dn[0][0].value)
+                        memberof_dns = entry.get('memberof', [])
+                        for memberof_dn in memberof_dns:
+                            if memberof_dn.endswith(group_container):
+                                groups.append(memberof_dn[0][0].value)
                    request.user.groups = sorted(set(groups))
            else:
                # try searching for a local user

ACK.

Indeed, when verifying groups we need to take their nestedness into
account because AD users and groups are mapped through two-tier groups.

--
/ Alexander Bokovoy

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to