principal_has_privilege: Check also idoverriseuser (ipaOriginalUid)

The current filter in principal_has_privilege is only working for normal
IPA users where krbprincipalname is matching the principal. An idoverride
user (for example from AD) is not found with this filter.

A new filter for the principal as an ipaOriginalUid has been added as a
second try if a match with krbprincipalname was not found.

principal_has_privilege is used in the replica connection check. The
additional check enables to deploy replicas using an AD user/administrator
that has been added to the "admins" group.

Fixes: https://pagure.io/freeipa/issue/9542

Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>

ipaserver/plugins/privilege.py

@@ -86,12 +86,32 @@ def validate_permission_to_privilege(api, permission):
 def principal_has_privilege(api, principal, privilege):
     privilege_dn = api.Object.privilege.get_dn(privilege)
     ldap = api.Backend.ldap2
+
+    # First try: Check if there is a principal that has the needed
+    # privilege.
     filter = ldap.make_filter({
         'krbprincipalname': principal,
         'memberof': privilege_dn},
         rules=ldap.MATCH_ALL)
     try:
         ldap.find_entries(base_dn=api.env.basedn, filter=filter)
+        return True
+    except errors.NotFound:
+        pass
+
+    # Second try: Check if there is an idoverride for the principal as
+    # ipaOriginalUid that has the needed privilege.
+    filter = ldap.make_filter(
+        {
+            'objectClass': ['ipaOverrideAnchor', 'nsmemberof'],
+            'ipaOriginalUid': principal,
+            'memberOf': privilege_dn
+        },
+        rules=ldap.MATCH_ALL)
+    _dn = DN(('cn', api.packages[0].idviews.DEFAULT_TRUST_VIEW_NAME),
+             api.env.container_views + api.env.basedn)
+    try:
+        ldap.find_entries(base_dn=_dn, filter=filter)
     except errors.NotFound:
         return False
     return True