On Fri, 10 Jan 2014, Martin Kosek wrote:
Original patch for ticket #3803 implemented support to resolve SIDs
through SSSD. However, it also broke hbactest for external users. The
result of the updated external member group search must be local
non-external groups, not the external ones. Otherwise the rule is not
matched.
https://fedorahosted.org/freeipa/ticket/3803
----
This is a follow up to failed verification in
https://bugzilla.redhat.com/show_bug.cgi?id=1032668
Martin
From 829e1359e6868af51156da00b0e8e3861828c7be Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Fri, 10 Jan 2014 12:41:29 +0100
Subject: [PATCH] hbactest does not work for external users
Original patch for ticket #3803 implemented support to resolve SIDs
through SSSD. However, it also broke hbactest for external users. The
result of the updated external member group search must be local
non-external groups, not the external ones. Otherwise the rule is not
matched.
https://fedorahosted.org/freeipa/ticket/3803
---
ipalib/plugins/hbactest.py | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/ipalib/plugins/hbactest.py b/ipalib/plugins/hbactest.py
index
fed39b05d8ac75254575cf211d338ab85b093cb8..cc18890ce3ca589a0d086aa263795f9c4ff61cb6
100644
--- a/ipalib/plugins/hbactest.py
+++ b/ipalib/plugins/hbactest.py
@@ -400,14 +400,16 @@ def execute(self, *args, **options):
ldap = self.api.Backend.ldap2
group_container = DN(api.env.container_group, api.env.basedn)
try:
- entries, truncated = ldap.find_entries(filter_sids,
['cn'], group_container)
+ entries, truncated = ldap.find_entries(filter_sids,
['memberof'], group_container)
except errors.NotFound:
request.user.groups = []
else:
groups = []
for dn, entry in entries:
- if dn.endswith(group_container):
- groups.append(dn[0][0].value)
+ memberof_dns = entry.get('memberof', [])
+ for memberof_dn in memberof_dns:
+ if memberof_dn.endswith(group_container):
+ groups.append(memberof_dn[0][0].value)
request.user.groups = sorted(set(groups))
else:
# try searching for a local user
ACK.
Indeed, when verifying groups we need to take their nestedness into
account because AD users and groups are mapped through two-tier groups.
--
/ Alexander Bokovoy
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel