user: handle LDAP auto-bind for whoami case

In LDAP auto-bind situation we will not have a Kerberos principal available, so we should be using a different mechanism to find the object. Since we already have a valid bound LDAP DN, use it as a base DN here and simply require presence of the POSIX account. This will not match 'cn=Directory Manager' but none of the code we have uses LDAP auto-bind as root when calling 'ipa user-find --whoami'. Fixes: https://pagure.io/freeipa/issue/9583 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Thomas Woerner <twoerner@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
2024-12-22 15:13:50 -06:00 · 2024-05-02 08:47:03 +03:00 · 2024-05-02 08:47:03 +03:00 · c325f9c045
commit c325f9c045
parent 902c8b0bae
1 changed files with 6 additions and 1 deletions
--- a/ipaserver/plugins/user.py
+++ b/ipaserver/plugins/user.py
@ -938,8 +938,13 @@ class user_find(baseuser_find):
                                 *keys, **options)

        if options.get('whoami'):
+            op_account = getattr(context, 'principal', None)
+            if op_account is None:
+                new_base_dn = DN(ldap.conn.whoami_s()[4:])
+                return ("(objectclass=posixaccount)", new_base_dn, scope)
+
            return ("(&(objectclass=posixaccount)(krbprincipalname=%s))"%\
-                        getattr(context, 'principal'), base_dn, scope)
+                    op_account, base_dn, scope)

        preserved = options.get('preserved', False)
        if preserved is None: