idviews: Use ipaAnchorUUID without DCERPC bindings for SID anchors

SID anchors are only resolvable on servers with DCERPC bindings installed. On non agent replica these bindings are not installed and therefore group and role management if there are AD user idoverride members. If there is an ipaUserOverride for the anchor, the ipaoriginaluid is returned. Fixes: https://pagure.io/freeipa/issue/9544 Signed-off-by: Thomas Woerner <twoerner@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
freeipa · May 22, 2024 · 9dc57ef · 9dc57ef
1 parent 47920e7
commit 9dc57ef
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/ipaserver/plugins/idviews.py b/ipaserver/plugins/idviews.py
@@ -694,6 +694,20 @@ def resolve_anchor_to_object_name(ldap, obj_type, anchor):
 
                 if type_correct:
                     return name
+        else:
+            # Without the DCERPC bindings the sid is not resolvable, return
+            # ipaAnchorUUID
+            _dn = DN(("cn", api.packages[0].idviews.DEFAULT_TRUST_VIEW_NAME),
+                     api.env.container_views + api.env.basedn)
+            try:
+                entry = ldap.find_entry_by_attr(attr="ipaanchoruuid",
+                                                value=anchor,
+                                                object_class="ipaUserOverride",
+                                                attrs_list=["ipaoriginaluid"],
+                                                base_dn=_dn)
+                return entry.single_value("ipaoriginaluid")
+            except (errors.EmptyResult, errors.NotFound):
+                pass
 
     # No acceptable object was found
     raise errors.NotFound(