[Freeipa-devel] [PATCH] 0050 caacl: correctly handle full user principal name
Fraser Tweedale
ftweedal at redhat.com
Mon Mar 14 04:04:17 UTC 2016
The attached patch fixes
https://fedorahosted.org/freeipa/ticket/5733. Thanks to Alexander
for finding and reporting.
Cheers,
Fraser
-------------- next part --------------
From 9bd7b74d9c928f386bd7dae59588580881ed1a9d Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Mon, 14 Mar 2016 14:49:47 +1100
Subject: [PATCH] caacl: correctly handle full user principal name
The caacl HBAC request is correct when just the username is given,
but the full 'user@REALM' form was not handled correctly.
Fixes: https://fedorahosted.org/freeipa/ticket/5733
---
ipalib/plugins/caacl.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ipalib/plugins/caacl.py b/ipalib/plugins/caacl.py
index 64dbec16e11e9fa2a67287b195b4bd1180a379e7..d83c3ce892031a9877fac198eb51961fbd159571 100644
--- a/ipalib/plugins/caacl.py
+++ b/ipalib/plugins/caacl.py
@@ -61,14 +61,14 @@ def _acl_make_request(principal_type, principal, ca_ref, profile_id):
req.targethost.name = ca_ref
req.service.name = profile_id
if principal_type == 'user':
- req.user.name = principal
+ req.user.name = name
elif principal_type == 'host':
req.user.name = name
elif principal_type == 'service':
req.user.name = normalize_principal(principal)
groups = []
if principal_type == 'user':
- user_obj = api.Command.user_show(principal)['result']
+ user_obj = api.Command.user_show(name)['result']
groups = user_obj.get('memberof_group', [])
groups += user_obj.get('memberofindirect_group', [])
elif principal_type == 'host':
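Review bot: In the `principal_type == 'user'` branch, both `req.user.name = name` and `api.Command.user_show(name)` now depend on `name`, which is assigned outside the visible context, so it is not clear from this hunk what happens to the realm part of the principal. If `name` is simply the principal with the realm stripped, a 'user@REALM' principal from a realm other than the local one would be evaluated against the local user of the same short name and inherit that user's `memberof_group` and `memberofindirect_group` entries in the HBAC request. Consider checking the realm against the local realm before the lookup, or adding a comment stating that callers have already validated it. The diffstat shows only ipalib/plugins/caacl.py changing, so a regression test that exercises both the bare username and the full principal form would help keep the two paths in sync.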
--
2.5.0