permission plugin: Do not fail on non-DN memberof filters

The --memberof logic tried to convert the value of a (memberof=...) filter to a DN, which failed with filters like (memberof=*). Do not try to set memberof if the value is not a DN. A test will be added in a subsequent patch. Reviewed-By: Martin Kosek <mkosek@redhat.com>
2025-02-25 18:55:28 -06:00 · 2014-03-07 17:18:18 +01:00
parent 29eef98c76
commit 9f1c3d06bd
1 changed files with 5 additions and 1 deletions
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -306,7 +306,11 @@ class permission(baseldap.LDAPObject):
        for targetfilter in ipapermtargetfilter:
            match = re.match('^\(memberof=(.*)\)$', targetfilter, re.I)
            if match:
-                dn = DN(match.group(1))
+                try:
+                    dn = DN(match.group(1))
+                except ValueError:
+                    # Malformed DN; e.g. (memberof=*)
+                    continue
                groups_dn = DN(self.api.Object.group.container_dn,
                                self.api.env.basedn)
                if dn[1:] == groups_dn[:] and dn[0].attr == 'cn':