[Freeipa-devel] [PATCH] 445 hbactest does not work for external users

Alexander Bokovoy abokovoy at redhat.com
Fri Jan 10 11:54:37 UTC 2014


On Fri, 10 Jan 2014, Martin Kosek wrote:
>Original patch for ticket #3803 implemented support to resolve SIDs
>through SSSD. However, it also broke hbactest for external users. The
>result of the updated external member group search must be local
>non-external groups, not the external ones. Otherwise the rule is not
>matched.
>
>https://fedorahosted.org/freeipa/ticket/3803
>
>----
>
>This is a follow up to failed verification in
>https://bugzilla.redhat.com/show_bug.cgi?id=1032668
>
>Martin

>From 829e1359e6868af51156da00b0e8e3861828c7be Mon Sep 17 00:00:00 2001
>From: Martin Kosek <mkosek at redhat.com>
>Date: Fri, 10 Jan 2014 12:41:29 +0100
>Subject: [PATCH] hbactest does not work for external users
>
>Original patch for ticket #3803 implemented support to resolve SIDs
>through SSSD. However, it also broke hbactest for external users. The
>result of the updated external member group search must be local
>non-external groups, not the external ones. Otherwise the rule is not
>matched.
>
>https://fedorahosted.org/freeipa/ticket/3803
>---
> ipalib/plugins/hbactest.py | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
>diff --git a/ipalib/plugins/hbactest.py b/ipalib/plugins/hbactest.py
>index fed39b05d8ac75254575cf211d338ab85b093cb8..cc18890ce3ca589a0d086aa263795f9c4ff61cb6 100644
>--- a/ipalib/plugins/hbactest.py
>+++ b/ipalib/plugins/hbactest.py
>@@ -400,14 +400,16 @@ def execute(self, *args, **options):
>                 ldap = self.api.Backend.ldap2
>                 group_container = DN(api.env.container_group, api.env.basedn)
>                 try:
>-                    entries, truncated = ldap.find_entries(filter_sids, ['cn'], group_container)
>+                    entries, truncated = ldap.find_entries(filter_sids, ['memberof'], group_container)
>                 except errors.NotFound:
>                     request.user.groups = []
>                 else:
>                     groups = []
>                     for dn, entry in entries:
>-                        if dn.endswith(group_container):
>-                            groups.append(dn[0][0].value)
>+                        memberof_dns = entry.get('memberof', [])
>+                        for memberof_dn in memberof_dns:
>+                            if memberof_dn.endswith(group_container):
>+                                groups.append(memberof_dn[0][0].value)
>                     request.user.groups = sorted(set(groups))
>             else:
>                 # try searching for a local user
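Review bot: the new loop assumes every value in `entry.get('memberof', [])` is a DN object, since it calls `memberof_dn.endswith(group_container)` and indexes `memberof_dn[0][0].value`; if the backend returns memberof as plain strings for any entry, both lines raise instead of silently skipping the group, so either confirm ldap2 always decodes memberof into DN objects or wrap each value in DN() before use. Second, `endswith(group_container)` only restricts results to the groups container, it does not exclude external groups that are themselves members of another group, so if an external group is nested in a second external group its name ends up in `request.user.groups` alongside the local non-external groups the commit message says are the intended result; a check on the entry's objectclass (or documenting that the extra names are harmless for rule matching) would make the intent explicit. Finally, `truncated` is still discarded on the changed line; a size-limited search here yields an incomplete group list and a false "no match" with no indication to the caller.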
ACK.

Indeed, when verifying groups we need to take their nestedness into
account because AD users and groups are mapped through two-tier groups.

-- 
/ Alexander Bokovoy
