On 14/07/15 18:50, Petr Vobornik wrote:
hbacrule has it default attributes (which are used in search) attribute
'memberhostgroup'. This attr is not in ACI nor in schema. If the search
contains an attribute which can't be read then the search won't return
anything.
Therefore all searches with filter set fail.
Also I don't think this is a proper fix because any custom ACIs will
cause the bug again. Same issue in
https://fedorahosted.org/freeipa/ticket/5055
https://fedorahosted.org/freeipa/ticket/5130
ACK
Patch that fixes the similar issue with selinuxusermap is attached.
--
Martin Basti
From 298fe540f88f2916129bb643cee0076672a806d4 Mon Sep 17 00:00:00 2001
From: Martin Basti
Date: Thu, 16 Jul 2015 15:07:05 +0200
Subject: [PATCH] fix selinuxusermap search for non-admin users
Remove nonexistent attribute 'hostmembergroup' that is not in ACI nor schema.
Related to https://fedorahosted.org/freeipa/ticket/5130
---
ipalib/plugins/selinuxusermap.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipalib/plugins/selinuxusermap.py b/ipalib/plugins/selinuxusermap.py
index 76668b4692d4374fd09a83d6c28cb6cb2b20c958..e1a16af5004a5f4fd01166230ddd586068b6b556 100644
--- a/ipalib/plugins/selinuxusermap.py
+++ b/ipalib/plugins/selinuxusermap.py
@@ -143,7 +143,7 @@ class selinuxusermap(LDAPObject):
'cn', 'ipaenabledflag',
'description', 'usercategory', 'hostcategory',
'ipaenabledflag', 'memberuser', 'memberhost',
-'memberhostgroup', 'seealso', 'ipaselinuxuser',
+'seealso', 'ipaselinuxuser',
]
uuid_attribute = 'ipauniqueid'
rdn_attribute = 'ipauniqueid'
--
2.4.3
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code