From 6ead80d9ba6b775a6df3ba76b4d717050311b762 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvoborni@redhat.com>
Date: Jul 16 2015 13:37:24 +0000
Subject: fix hbac rule search for non-admin users


hbacrule has it default attributes (which are used in search) attribute
'memberhostgroup'. This attr is not in ACI nor in schema. If the search
contains an attribute which can't be read then the search won't return
anything.

Therefore all searches with filter set fail.

https://fedorahosted.org/freeipa/ticket/5130

Reviewed-By: Martin Basti <mbasti@redhat.com>

---

diff --git a/ipalib/plugins/hbacrule.py b/ipalib/plugins/hbacrule.py
index 34bdc9b..82a52bd 100644
--- a/ipalib/plugins/hbacrule.py
+++ b/ipalib/plugins/hbacrule.py
@@ -124,7 +124,7 @@ class hbacrule(LDAPObject):
         'description', 'usercategory', 'hostcategory',
         'servicecategory', 'ipaenabledflag',
         'memberuser', 'sourcehost', 'memberhost', 'memberservice',
-        'memberhostgroup', 'externalhost',
+        'externalhost',
     ]
     uuid_attribute = 'ipauniqueid'
     rdn_attribute = 'ipauniqueid'