URL: https://github.com/freeipa/freeipa/pull/637
Author: abbra
Title: #637: ldap2: use LDAP whoami operation to retrieve bind DN for current connection
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/637/head:pr637
git checkout pr637
From 3f92253780de9f553bae3bc2294214a6dbcd6eb3 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Wed, 22 Mar 2017 13:00:22 +0200
Subject: [PATCH] ldap2: use LDAP whoami operation to retrieve bind DN for
 current connection

For external users which are mapped to some DN in LDAP server, we
wouldn't necessarily be able to find Kerberos data in their LDAP entry.
Instead of searching for the Kerberos principal, use the actual DN we are
bound to, because for the get_effective_rights LDAP control we only need
the DN itself.

Fixes https://pagure.io/freeipa/issue/6797
---
 ipaserver/plugins/ldap2.py | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index def1245..3b1e4da 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -286,12 +286,11 @@ def get_effective_rights(self, dn, attrs_list):
 
         assert isinstance(dn, DN)
 
-        principal = getattr(context, 'principal')
-        entry = self.find_entry_by_attr("krbprincipalname", principal,
-            "krbPrincipalAux", base_dn=self.api.env.basedn)
+        bind_dn = self.conn.whoami_s()[4:]
+
         sctrl = [
             GetEffectiveRightsControl(
-                True, "dn: {0}".format(entry.dn).encode('utf-8'))
+                True, "dn: {0}".format(bind_dn).encode('utf-8'))
         ]
         self.conn.set_option(_ldap.OPT_SERVER_CONTROLS, sctrl)
         try:
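Review bot: The added line bind_dn = self.conn.whoami_s()[4:] assumes the whoami response always starts with a four-character "dn: " prefix, and nothing checks that it does. The whoami extended operation returns an empty authzId for an anonymous connection and may return the "u:" form or "dn:" without a space, so the slice can silently produce an empty or truncated value that is then passed to GetEffectiveRightsControl as the subject whose rights are evaluated. Please check the prefix explicitly (for example with startswith("dn:")), strip it and any following whitespace, and raise an error when the response is empty or not a DN. A short comment on the expected response format would also help, since the old code's lookup by krbprincipalname is gone and the slice is now the only thing determining the subject DN.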
-- 