idviews: Use ipaAnchorUUID without DCERPC bindings for SID anchors

SID anchors are only resolvable on servers with DCERPC bindings installed. On non agent replica these bindings are not installed and therefore group and role management if there are AD user idoverride members. If there is an ipaUserOverride for the anchor, the ipaoriginaluid is returned. Fixes: https://pagure.io/freeipa/issue/9544 Signed-off-by: Thomas Woerner <twoerner@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2024-12-22 15:13:50 -06:00 · 2024-02-26 14:05:31 +01:00 · 2024-02-26 14:05:31 +01:00 · 9dc57ef77e
commit 9dc57ef77e
parent 47920e78c8
1 changed files with 14 additions and 0 deletions
--- a/ipaserver/plugins/idviews.py
+++ b/ipaserver/plugins/idviews.py
@ -694,6 +694,20 @@ def resolve_anchor_to_object_name(ldap, obj_type, anchor):

                if type_correct:
                    return name
+        else:
+            # Without the DCERPC bindings the sid is not resolvable, return
+            # ipaAnchorUUID
+            _dn = DN(("cn", api.packages[0].idviews.DEFAULT_TRUST_VIEW_NAME),
+                     api.env.container_views + api.env.basedn)
+            try:
+                entry = ldap.find_entry_by_attr(attr="ipaanchoruuid",
+                                                value=anchor,
+                                                object_class="ipaUserOverride",
+                                                attrs_list=["ipaoriginaluid"],
+                                                base_dn=_dn)
+                return entry.single_value("ipaoriginaluid")
+            except (errors.EmptyResult, errors.NotFound):
+                pass

    # No acceptable object was found
    raise errors.NotFound(