user: handle LDAP auto-bind for whoami case

In LDAP auto-bind situation we will not have a Kerberos principal available, so we should be using a different mechanism to find the object. Since we already have a valid bound LDAP DN, use it as a base DN here and simply require presence of the POSIX account. This will not match 'cn=Directory Manager' but none of the code we have uses LDAP auto-bind as root when calling 'ipa user-find --whoami'. Fixes: https://pagure.io/freeipa/issue/9583 Signed-off-by: Alexander Bokovoy <[email protected]> Reviewed-By: Thomas Woerner <[email protected]> Reviewed-By: Rob Crittenden <[email protected]> Reviewed-By: Rafael Guterres Jeffman <[email protected]>
anodos325 · May 22, 2024 · c325f9c · c325f9c
1 parent 902c8b0
commit c325f9c
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
@@ -938,8 +938,13 @@ def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *keys, **option
                                  *keys, **options)
 
         if options.get('whoami'):
+            op_account = getattr(context, 'principal', None)
+            if op_account is None:
+                new_base_dn = DN(ldap.conn.whoami_s()[4:])
+                return ("(objectclass=posixaccount)", new_base_dn, scope)
+
             return ("(&(objectclass=posixaccount)(krbprincipalname=%s))"%\
-                        getattr(context, 'principal'), base_dn, scope)
+                    op_account, base_dn, scope)
 
         preserved = options.get('preserved', False)
         if preserved is None: