ldap2: use LDAP whoami operation to retrieve bind DN for current connection
For external users who are mapped to some DN in the LDAP server, we would not necessarily be able to find Kerberos data in their LDAP entry. Instead of searching for the Kerberos principal, use the actual DN we are bound to, because for the get_effective_rights LDAP control we only need the DN itself. Fixes https://pagure.io/freeipa/issue/6797 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
parent
9939aa5363
commit
7324451834
@ -286,12 +286,11 @@ class ldap2(CrudBackend, LDAPClient):
|
||||
|
||||
assert isinstance(dn, DN)
|
||||
|
||||
principal = getattr(context, 'principal')
|
||||
entry = self.find_entry_by_attr("krbprincipalname", principal,
|
||||
"krbPrincipalAux", base_dn=self.api.env.basedn)
|
||||
bind_dn = self.conn.whoami_s()[4:]
|
||||
|
||||
sctrl = [
|
||||
GetEffectiveRightsControl(
|
||||
True, "dn: {0}".format(entry.dn).encode('utf-8'))
|
||||
True, "dn: {0}".format(bind_dn).encode('utf-8'))
|
||||
]
|
||||
self.conn.set_option(_ldap.OPT_SERVER_CONTROLS, sctrl)
|
||||
try:
|
||||
|
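Review bot: The new `bind_dn = self.conn.whoami_s()[4:]` line strips four characters without checking what the server actually returned. RFC 4532 allows the Who Am I response to be empty (anonymous bind) or a `u:` identity, and the `dn:` form need not be followed by a space, so the slice can silently yield an empty or truncated DN that is then passed to GetEffectiveRightsControl as the subject whose rights are evaluated. I would validate the prefix first, e.g. `authz_id = self.conn.whoami_s()` followed by `if not authz_id.startswith("dn:"): raise ...` and `bind_dn = authz_id[3:].strip()`, so that an unexpected identity fails loudly instead of reporting rights for the wrong subject. The enclosing method starts and ends outside the hunk, so how the result of the rights search is consumed is not visible here.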