Use LDAP search instead of *group_show to check for a group objectclass.

https://fedorahosted.org/freeipa/ticket/3706

ipalib/plugins/host.py

@@ -364,22 +364,24 @@ class host(LDAPObject):
 
         return managed_hosts
 
-    def suppress_netgroup_memberof(self, entry_attrs):
+    def suppress_netgroup_memberof(self, ldap, entry_attrs):
         """
         We don't want to show managed netgroups so remove them from the
         memberofindirect list.
         """
         ng_container = DN(api.env.container_netgroup, api.env.basedn)
-        if 'memberofindirect' in entry_attrs:
+        for member in list(entry_attrs.get('memberofindirect', [])):
-            for member in list(entry_attrs['memberofindirect']):
+            memberdn = DN(member)
-                memberdn = DN(member)
+            if not memberdn.endswith(ng_container):
-                if memberdn.endswith(ng_container):
+                continue
-                    try:
+
-                        netgroup = api.Command['netgroup_show'](memberdn['cn'], all=True)['result']
+            filter = ldap.make_filter({'objectclass': 'mepmanagedentry'})
-                        if self.has_objectclass(netgroup['objectclass'], 'mepmanagedentry'):
+            try:
-                            entry_attrs['memberofindirect'].remove(member)
+                ldap.get_entries(memberdn, ldap.SCOPE_BASE, filter, [''])
-                    except errors.NotFound:
+            except errors.NotFound:
-                        pass
+                pass
+            else:
+                entry_attrs['memberofindirect'].remove(member)
 
 api.register(host)
 
@@ -753,7 +755,7 @@ class host_mod(LDAPUpdate):
         if options.get('all', False):
             entry_attrs['managing'] = self.obj.get_managed_hosts(dn)
 
-        self.obj.suppress_netgroup_memberof(entry_attrs)
+        self.obj.suppress_netgroup_memberof(ldap, entry_attrs)
 
         convert_sshpubkey_post(ldap, dn, entry_attrs)
 
@@ -832,7 +834,7 @@ class host_find(LDAPSearch):
             set_certificate_attrs(entry_attrs)
             set_kerberos_attrs(entry_attrs, options)
             self.obj.get_password_attributes(ldap, dn, entry_attrs)
-            self.obj.suppress_netgroup_memberof(entry_attrs)
+            self.obj.suppress_netgroup_memberof(ldap, entry_attrs)
             if entry_attrs['has_password']:
                 # If an OTP is set there is no keytab, at least not one
                 # fetched anywhere.
@@ -874,7 +876,7 @@ class host_show(LDAPRetrieve):
         if options.get('all', False):
             entry_attrs['managing'] = self.obj.get_managed_hosts(dn)
 
-        self.obj.suppress_netgroup_memberof(entry_attrs)
+        self.obj.suppress_netgroup_memberof(ldap, entry_attrs)
 
         convert_sshpubkey_post(ldap, dn, entry_attrs)
 
@@ -987,7 +989,7 @@ class host_disable(LDAPQuery):
 
     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
         assert isinstance(dn, DN)
-        self.obj.suppress_netgroup_memberof(entry_attrs)
+        self.obj.suppress_netgroup_memberof(ldap, entry_attrs)
         return dn
 
 api.register(host_disable)
@@ -1001,7 +1003,7 @@ class host_add_managedby(LDAPAddMember):
 
     def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
         assert isinstance(dn, DN)
-        self.obj.suppress_netgroup_memberof(entry_attrs)
+        self.obj.suppress_netgroup_memberof(ldap, entry_attrs)
         return (completed, dn)
 
 api.register(host_add_managedby)
@@ -1015,7 +1017,7 @@ class host_remove_managedby(LDAPRemoveMember):
 
     def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
         assert isinstance(dn, DN)
-        self.obj.suppress_netgroup_memberof(entry_attrs)
+        self.obj.suppress_netgroup_memberof(ldap, entry_attrs)
         return (completed, dn)
 
 api.register(host_remove_managedby)

ipalib/plugins/hostgroup.py

@@ -92,23 +92,24 @@ class hostgroup(LDAPObject):
         ),
     )
 
-    def suppress_netgroup_memberof(self, dn, entry_attrs):
+    def suppress_netgroup_memberof(self, ldap, dn, entry_attrs):
         """
         We don't want to show managed netgroups so remove them from the
         memberOf list.
         """
-        if 'memberof' in entry_attrs:
+        hgdn = DN(dn)
-            hgdn = DN(dn)
+        for member in list(entry_attrs.get('memberof', [])):
-            for member in list(entry_attrs['memberof']):
+            ngdn = DN(member)
-                ngdn = DN(member)
+            if ngdn['cn'] != hgdn['cn']:
-                if ngdn['cn'] == hgdn['cn']:
+                continue
-                    try:
+
-                        netgroup = api.Command['netgroup_show'](ngdn['cn'], all=True)['result']
+            filter = ldap.make_filter({'objectclass': 'mepmanagedentry'})
-                        if self.has_objectclass(netgroup['objectclass'], 'mepmanagedentry'):
+            try:
-                            entry_attrs['memberof'].remove(member)
+                ldap.get_entries(ngdn, ldap.SCOPE_BASE, filter, [''])
-                            return
+            except errors.NotFound:
-                    except errors.NotFound:
+                pass
-                        pass
+            else:
+                entry_attrs['memberof'].remove(member)
 
 api.register(hostgroup)
 
@@ -146,7 +147,7 @@ class hostgroup_add(LDAPCreate):
         # be sure to ignore it in memberOf
         newentry = wait_for_value(ldap, dn, 'objectclass', 'mepOriginEntry')
         entry_from_entry(entry_attrs, newentry)
-        self.obj.suppress_netgroup_memberof(dn, entry_attrs)
+        self.obj.suppress_netgroup_memberof(ldap, dn, entry_attrs)
 
         return dn
 
@@ -169,7 +170,7 @@ class hostgroup_mod(LDAPUpdate):
 
     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
         assert isinstance(dn, DN)
-        self.obj.suppress_netgroup_memberof(dn, entry_attrs)
+        self.obj.suppress_netgroup_memberof(ldap, dn, entry_attrs)
         return dn
 
 api.register(hostgroup_mod)
@@ -188,7 +189,7 @@ class hostgroup_find(LDAPSearch):
             return truncated
         for entry in entries:
             (dn, entry_attrs) = entry
-            self.obj.suppress_netgroup_memberof(dn, entry_attrs)
+            self.obj.suppress_netgroup_memberof(ldap, dn, entry_attrs)
         return truncated
 
 api.register(hostgroup_find)
@@ -199,7 +200,7 @@ class hostgroup_show(LDAPRetrieve):
 
     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
         assert isinstance(dn, DN)
-        self.obj.suppress_netgroup_memberof( dn, entry_attrs)
+        self.obj.suppress_netgroup_memberof(ldap, dn, entry_attrs)
         return dn
 
 api.register(hostgroup_show)
@@ -210,7 +211,7 @@ class hostgroup_add_member(LDAPAddMember):
 
     def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
         assert isinstance(dn, DN)
-        self.obj.suppress_netgroup_memberof(dn, entry_attrs)
+        self.obj.suppress_netgroup_memberof(ldap, dn, entry_attrs)
         return (completed, dn)
 
 api.register(hostgroup_add_member)
@@ -221,7 +222,7 @@ class hostgroup_remove_member(LDAPRemoveMember):
 
     def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
         assert isinstance(dn, DN)
-        self.obj.suppress_netgroup_memberof(dn, entry_attrs)
+        self.obj.suppress_netgroup_memberof(ldap, dn, entry_attrs)
         return (completed, dn)
 
 api.register(hostgroup_remove_member)

ipalib/plugins/pwpolicy.py

@@ -121,7 +121,8 @@ class cosentry_add(LDAPCreate):
     def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
         assert isinstance(dn, DN)
         # check for existence of the group
-        result = self.api.Command.group_show(keys[-1], all=True)['result']
+        group_dn = self.api.Object.group.get_dn(keys[-1])
+        result = ldap.get_entry(group_dn, ['objectclass'])
         oc = map(lambda x:x.lower(),result['objectclass'])
         if 'mepmanagedentry' in oc:
             raise errors.ManagedPolicyError()