182dca3 principal_has_privilege: Check also idoverrideuser (ipaOriginalUid)

1 file. Authored by twoerner 9 months ago, committed by frenaud 9 months ago.
    principal_has_privilege: Check also idoverrideuser (ipaOriginalUid)
    
    The current filter in principal_has_privilege is only working for normal
    IPA users where krbprincipalname is matching the principal. An idoverride
    user (for example from AD) is not found with this filter.
    
    A new filter for the principal as an ipaOriginalUid has been added as a
    second try if a match with krbprincipalname was not found.
    
    principal_has_privilege is used in the replica connection check. The
    additional check makes it possible to deploy replicas using an AD
    user/administrator that has been added to the "admins" group.
    
    Fixes: https://pagure.io/freeipa/issue/9542
    
    Signed-off-by: Thomas Woerner <twoerner@redhat.com>
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
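
The lookup order described in the commit message, as an added example that is not FreeIPA's code: match on krbprincipalname first, fall back to ipaOriginalUid, and require the privilege membership in both cases so the fallback cannot widen access. The function names, the memberof clause, the privilege DN and the directory entries are assumptions constructed for illustration.

```python
# Added illustration; not taken from the FreeIPA source tree.
# PRIV_DN and every DIRECTORY entry are constructed sample data.
PRIV_DN = "cn=Example Privilege,dc=example,dc=test"

DIRECTORY = [
    # Normal IPA users carry krbprincipalname.
    {"krbprincipalname": ["alice@EXAMPLE.TEST"], "memberof": [PRIV_DN]},
    {"krbprincipalname": ["bob@EXAMPLE.TEST"], "memberof": []},
    # ID override entries (e.g. AD users) carry ipaOriginalUid instead.
    {"ipaoriginaluid": ["administrator@ad.example.test"], "memberof": [PRIV_DN]},
    {"ipaoriginaluid": ["guest@ad.example.test"], "memberof": []},
]

# First try the Kerberos principal, then the ID override attribute.
LOOKUP_ORDER = ("krbprincipalname", "ipaoriginaluid")


def escape_filter_value(value):
    """RFC 4515 escaping so a principal string cannot add filter syntax."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def build_filter(attr, principal, privilege_dn):
    """Filter string for one attempt: identity attribute AND membership."""
    return "(&(%s=%s)(memberof=%s))" % (
        attr,
        escape_filter_value(principal),
        escape_filter_value(privilege_dn),
    )


def matched_attribute(principal, privilege_dn, directory=DIRECTORY):
    """Return the attribute that matched, or None if no entry qualifies.

    Simplification: exact string comparison stands in for the LDAP
    server's matching rules.
    """
    for attr in LOOKUP_ORDER:
        for entry in directory:
            if (principal in entry.get(attr, [])
                    and privilege_dn in entry.get("memberof", [])):
                return attr
    return None
```
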