From 90ca7d4167d25f50b36322a817f1f62930a7ea58 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Apr 20 2016 16:07:19 +0000 Subject: caacl: correctly handle full user principal name The caacl HBAC request is correct when just the username is given, but the full 'user@REALM' form was not handled correctly. Fixes: https://fedorahosted.org/freeipa/ticket/5733 Reviewed-By: Alexander Bokovoy
---
diff --git a/ipalib/plugins/caacl.py b/ipalib/plugins/caacl.py
index 64dbec1..d83c3ce 100644
--- a/ipalib/plugins/caacl.py
+++ b/ipalib/plugins/caacl.py
@@ -61,14 +61,14 @@ def _acl_make_request(principal_type, principal, ca_ref, profile_id):
 req.targethost.name = ca_ref
 req.service.name = profile_id
 if principal_type == 'user':
- req.user.name = principal
+ req.user.name = name
 elif principal_type == 'host':
 req.user.name = name
 elif principal_type == 'service':
 req.user.name = normalize_principal(principal)
 groups = []
 if principal_type == 'user':
- user_obj = api.Command.user_show(principal)['result']
+ user_obj = api.Command.user_show(name)['result']
 groups = user_obj.get('memberof_group', [])
 groups += user_obj.get('memberofindirect_group', [])
 elif principal_type == 'host':
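Review bot: The user branch now feeds `name` into both `req.user.name = name` and `api.Command.user_show(name)`, and `name` is assigned outside this hunk, so the realm part of `user@REALM` no longer takes part in the CA ACL decision. If `name` is simply the principal with the realm stripped (not visible here), a principal from another realm would be evaluated as the local user of the same name, so it is worth confirming that a non-local realm is rejected before this point. A short comment at the branch would record the assumption, e.g. `# name is the realm-less user name; the realm must already have been checked as local`. A regression test covering both the `user` and `user@REALM` forms would pin the fix. The body of `_acl_make_request` starts and ends outside the hunk.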