2e8eb0f ipasam: allow search of users by user principal name (UPN)

1 file. Authored by abbra 3 years ago, committed by rcritten 3 years ago.
    ipasam: allow search of users by user principal name (UPN)
    
    lookup_name() in Samba may call PASSDB API to search by a UPN (e.g.
    username@suffix). Support this call by detecting '@' in the passed name
    and setting up the filter to be
    
      (&(objectClass=ipaNTUserAttrs)(objectClass=krbPrincipalAux)(krbPrincipalName:caseIgnoreIA5Match:=%s))
    
    instead of
    
      (&(objectClass=ipaNTUserAttrs)(uid=%s))
    
    The result of the search would still contain a proper user entry as we
    always have krbPrincipalName in LDAP entries of IPA users. Note that the
    match must be case-insensitive because otherwise krbPrincipalName is
    matched with exact case in the schema. We use the same matching override
    in the KDB driver already.
    
    Fixes: https://pagure.io/freeipa/issue/8661
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    
        
file modified
+25 -4
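
The filter selection described in the commit message, as an added example that is not the ipasam code from this commit. The function names, buffer sizes and sample names are assumptions made for illustration; the two filter templates are the ones quoted in the message. The name is escaped per RFC 4515 before substitution so that it can only ever be a value inside the filter.

```c
#include <stdio.h>
#include <string.h>

/* RFC 4515: escape '*', '(', ')' and '\' as \XX so the name stays a value. */
static int escape_filter_value(const char *in, char *out, size_t outlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;

    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        int special = (c == '*' || c == '(' || c == ')' || c == '\\');

        if (o + (special ? 4 : 2) > outlen)
            return -1;                     /* no room for char(s) + NUL */
        if (special) {
            out[o++] = '\\';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        } else {
            out[o++] = (char)c;
        }
    }
    if (o >= outlen)
        return -1;
    out[o] = '\0';
    return 0;
}

/* Hypothetical helper: '@' in the name selects the UPN filter, else uid. */
int build_user_filter(const char *name, char *filter, size_t len)
{
    char esc[256];
    int n;

    if (escape_filter_value(name, esc, sizeof(esc)) != 0)
        return -1;
    if (strchr(name, '@') != NULL)
        n = snprintf(filter, len,
                     "(&(objectClass=ipaNTUserAttrs)(objectClass=krbPrincipalAux)"
                     "(krbPrincipalName:caseIgnoreIA5Match:=%s))", esc);
    else
        n = snprintf(filter, len, "(&(objectClass=ipaNTUserAttrs)(uid=%s))", esc);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;  /* reject truncated filters */
}
```
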