From 71d886f0713b2c58d8eb57f2267d59cc0be39345 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: May 22 2024 08:03:38 +0000
Subject: config: use context.principal only when it is defined

In server-like context we use LDAPI connection with auto-binding to LDAP object based on the UID of the process connecting to LDAPI UNIX domain socket. This means context.principal is not set and we cannot use it. Make sure to reject requests unless we are operating as a Directory Manager in such cases.

Fixes: https://pagure.io/freeipa/issue/9583
Signed-off-by: Alexander Bokovoy
Reviewed-By: Thomas Woerner
Reviewed-By: Rob Crittenden
Reviewed-By: Rafael Guterres Jeffman
---
diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py
index db008d0..e2aa5cd 100644
--- a/ipaserver/plugins/config.py
+++ b/ipaserver/plugins/config.py
@@ -516,7 +516,8 @@ class config_mod(LDAPUpdate):
 def _enable_sid(self, ldap, options):
 # the user must have the Replication Administrators privilege
 privilege = 'Replication Administrators'
- if not principal_has_privilege(self.api, context.principal, privilege):
+ op_account = getattr(context, 'principal', None)
+ if not principal_has_privilege(self.api, op_account, privilege):
 raise errors.ACIError(
 info=_("not allowed to enable SID generation"))
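Review bot: The new `op_account = getattr(context, 'principal', None)` hands `None` to `principal_has_privilege` whenever the request arrives over LDAPI autobind, and the commit message's intent — reject unless the bind is Directory Manager — is not expressed anywhere in this hunk; it rests entirely on how `principal_has_privilege` (outside this diff) treats a `None` principal. If that helper ever returns a truthy value for `None`, or raises something other than `ACIError`, the SID-enablement guard passes or fails in a way this call site does not make visible. A one-line comment above the new assignment would record the contract the caller relies on: `# LDAPI autobind leaves context.principal unset; principal_has_privilege must then reject unless bound as Directory Manager`. The body of `_enable_sid` continues past the end of the hunk.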