freeipa

Clone
Source Code
GIT

#7255 baseidoverride.get_dn() does not default to a default ID view when resolving user IDs
Closed: fixed 3 years ago by rcritten. Opened 6 years ago by abbra.

Closed: fixed
Reopen Issue

In order to be able to add User ID Overrides as members of IPA groups, their objects should be discoverable by LDAPModMember.get_member_dns(). This method calls 'ldap_obj.get_dn(name)', e.g. passing only a single argument.

This breaks baseidoverride.get_dn() which expects at least '(view, name)' as a key and also options with fallback_to_ldap attribute set to either True or False.

baseidoverride.get_dn() implementation needs to be fixed to assume default trust view in case keys contain a single element. It also needs to survive lack of options (default to False).

A fix is something like this:

diff --git a/ipaserver/plugins/idviews.py b/ipaserver/plugins/idviews.py
index a68b03915..7d0bff3c8 100644
--- a/ipaserver/plugins/idviews.py
+++ b/ipaserver/plugins/idviews.py
@@ -715,8 +715,12 @@ class baseidoverride(LDAPObject):
                 self.backend,
                 self.override_object,
                 keys[-1],
-                fallback_to_ldap=options['fallback_to_ldap']
+                fallback_to_ldap=options.get('fallback_to_ldap', False)
             )
+            if (len(keys[:-1]) == 0 and
+                    self.override_object is 'user' and
+                    anchor.startswith(SID_ANCHOR_PREFIX)):
+                keys = (DEFAULT_TRUST_VIEW_NAME, ) + keys

         keys = keys[:-1] + (anchor, )
         return super(baseidoverride, self).get_dn(*keys, **options)
Edited 6 years ago by abbra

Metadata Update from @frenaud:
- Issue set to the milestone: FreeIPA 4.6
6 years ago

Metadata Update from @pvoborni:
- Issue set to the milestone: FreeIPA 4.6.2 (was: FreeIPA 4.6)
6 years ago

Metadata Update from @tdudlak:
- Issue set to the milestone: FreeIPA 4.6.3 (was: FreeIPA 4.6.2)
6 years ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.6.4 (was: FreeIPA 4.6.3)
6 years ago

FreeIPA 4.6.3 has been released, moving to FreeIPA 4.6.4 milestone

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.6.5 (was: FreeIPA 4.6.4)
5 years ago

master:

  • 676774d kdb: handle enterprise principal lookup in AS_REQ
  • 28389fe Add design page for managing IPA resources as a user from a trusted Active Directory forest
  • ecc0a96 support using trust-related operations in the server console
  • 973e0c0 idviews: handle unqualified ID override lookups from Web UI
  • bee4204 Support adding user ID overrides as group and role members
  • 306304b tests: account for ID overrides as members of groups and roles
  • 0ba64b1 Web UI: allow users from trusted Active Directory forest manage IPA
  • 9248d23 ipatests: test that adding Active Directory user to a role makes it an administrator

ipa-4-8:

  • 6abade3 kdb: handle enterprise principal lookup in AS_REQ
  • afe9191 support using trust-related operations in the server console
  • 2ffb4fd idviews: handle unqualified ID override lookups from Web UI
  • 8cce2bb Support adding user ID overrides as group and role members
  • 5e8df37 tests: account for ID overrides as members of groups and roles
  • 99e613e Web UI: allow users from trusted Active Directory forest manage IPA
  • 6b0f8f3 ipatests: test that adding Active Directory user to a role makes it an administrator

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
3 years ago

Login to comment on this ticket.

Metadata
None
None
None
None
None
None
None
None
None
None
None
None
None
None
None
None
None
None
None
None
None
None
None
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.