principal_has_privilege: Check also idoverriseuser (ipaOriginalUid)
The current filter in principal_has_privilege is only working for normal
IPA users where krbprincipalname is matching the principal. An idoverride
user (for example from AD) is not found with this filter.
A new filter for the principal as an ipaOriginalUid has been added as a
second try if a match with krbprincipalname was not found.
principal_has_privilege is used in the replica connection check. The
additional check enables to deploy replicas using an AD user/administrator
that has been added to the "admins" group.
Fixes: https://pagure.io/freeipa/issue/9542
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>