From c325f9c045787a4c4e18096e23cb2f84f514b28e Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Thu, 2 May 2024 08:47:03 +0300
Subject: [PATCH] user: handle LDAP auto-bind for whoami case

In LDAP auto-bind situation we will not have a Kerberos principal available, so we should be using a different mechanism to find the object. Since we already have a valid bound LDAP DN, use it as a base DN here and simply require presence of the POSIX account. This will not match 'cn=Directory Manager' but none of the code we have uses LDAP auto-bind as root when calling 'ipa user-find --whoami'.

Fixes: https://pagure.io/freeipa/issue/9583

Signed-off-by: Alexander Bokovoy
Reviewed-By: Thomas Woerner
Reviewed-By: Rob Crittenden
Reviewed-By: Rafael Guterres Jeffman
---
 ipaserver/plugins/user.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
index 2aa5eabaa..a3e9c2903 100644
--- a/ipaserver/plugins/user.py
+++ b/ipaserver/plugins/user.py
@@ -938,8 +938,13 @@ class user_find(baseuser_find):
 *keys, **options)
 
 if options.get('whoami'):
+ op_account = getattr(context, 'principal', None)
+ if op_account is None:
+ new_base_dn = DN(ldap.conn.whoami_s()[4:])
+ return ("(objectclass=posixaccount)", new_base_dn, scope)
+
 return ("(&(objectclass=posixaccount)(krbprincipalname=%s))"%\
- getattr(context, 'principal'), base_dn, scope)
+ op_account, base_dn, scope)
 
 preserved = options.get('preserved', False)
 if preserved is None:
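Review bot: The added line `new_base_dn = DN(ldap.conn.whoami_s()[4:])` strips the authzid prefix by a hard-coded offset with no check that the prefix is actually there, so an empty authzid (an anonymous bind, per RFC 4532) or the `u:` form would be turned into a meaningless base DN instead of a clear failure. I'd bind the result first and guard it, e.g. `authzid = ldap.conn.whoami_s()` followed by `if not authzid.startswith('dn:'):` raising the same not-found error the rest of the command uses, and strip the prefix by its length rather than the literal 4. A comment above the slice recording the expected format (apparently `dn: <bound DN>`) would explain the offset to the next reader. The enclosing method, presumably `pre_callback`, starts and ends outside the hunk.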