#7255 baseidoverride.get_dn() does not default to a default ID view when resolving user IDs
Closed: fixed 2 months ago by rcritten. Opened 2 years ago by abbra.

In order to be able to add User ID Overrides as members of IPA groups, their objects should be discoverable by LDAPModMember.get_member_dns(). This method calls 'ldap_obj.get_dn(name)', e.g. passing only a single argument.

This breaks baseidoverride.get_dn() which expects at least '(view, name)' as a key and also options with fallback_to_ldap attribute set to either True or False.

baseidoverride.get_dn() implementation needs to be fixed to assume default trust view in case keys contain a single element. It also needs to survive lack of options (default to False).


A fix is something like this:

diff --git a/ipaserver/plugins/idviews.py b/ipaserver/plugins/idviews.py
index a68b03915..7d0bff3c8 100644
--- a/ipaserver/plugins/idviews.py
+++ b/ipaserver/plugins/idviews.py
@@ -715,8 +715,12 @@ class baseidoverride(LDAPObject):
                 self.backend,
                 self.override_object,
                 keys[-1],
-                fallback_to_ldap=options['fallback_to_ldap']
+                fallback_to_ldap=options.get('fallback_to_ldap', False)
             )
+            if (len(keys[:-1]) == 0 and
+                    self.override_object is 'user' and
+                    anchor.startswith(SID_ANCHOR_PREFIX)):
+                keys = (DEFAULT_TRUST_VIEW_NAME, ) + keys

         keys = keys[:-1] + (anchor, )
         return super(baseidoverride, self).get_dn(*keys, **options)

Metadata Update from @frenaud:
- Issue set to the milestone: FreeIPA 4.6

2 years ago

Metadata Update from @pvoborni:
- Issue set to the milestone: FreeIPA 4.6.2 (was: FreeIPA 4.6)

2 years ago

Metadata Update from @tdudlak:
- Issue set to the milestone: FreeIPA 4.6.3 (was: FreeIPA 4.6.2)

2 years ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.6.4 (was: FreeIPA 4.6.3)

2 years ago

FreeIPA 4.6.3 has been released, moving to FreeIPA 4.6.4 milestone

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.6.5 (was: FreeIPA 4.6.4)

2 years ago

master:

  • 676774d kdb: handle enterprise principal lookup in AS_REQ
  • 28389fe Add design page for managing IPA resources as a user from a trusted Active Directory forest
  • ecc0a96 support using trust-related operations in the server console
  • 973e0c0 idviews: handle unqualified ID override lookups from Web UI
  • bee4204 Support adding user ID overrides as group and role members
  • 306304b tests: account for ID overrides as members of groups and roles
  • 0ba64b1 Web UI: allow users from trusted Active Directory forest manage IPA
  • 9248d23 ipatests: test that adding Active Directory user to a role makes it an administrator

ipa-4-8:

  • 6abade3 kdb: handle enterprise principal lookup in AS_REQ
  • afe9191 support using trust-related operations in the server console
  • 2ffb4fd idviews: handle unqualified ID override lookups from Web UI
  • 8cce2bb Support adding user ID overrides as group and role members
  • 5e8df37 tests: account for ID overrides as members of groups and roles
  • 99e613e Web UI: allow users from trusted Active Directory forest manage IPA
  • 6b0f8f3 ipatests: test that adding Active Directory user to a role makes it an administrator

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 months ago

Login to comment on this ticket.

Metadata