From 6f958201dc32a1043c77632fe98c05307a4ea671 Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Mon, 22 Feb 2016 17:36:01 +0100
Subject: [PATCH] trusts: use ipaNTTrustPartner attribute to detect trust
entries
Trust entries were found by presence of ipaNTSecurityIdentifier
attribute. Unfortunately this attribute might not be there due to the bug.
As replacement for this, attribute ipaNTTrustPartner can be used.
Note: other non trust entries located in cn=trusts subtree can be
cross-realm principals.
https://fedorahosted.org/freeipa/ticket/5665
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
---
ipalib/plugins/trust.py | 7 +++++--
ipaserver/install/plugins/adtrust.py | 2 +-
2 files changed, 6 insertions(+), 3 deletions(-)
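diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 173463ae7d4134b5bd155cc5fa920bfabd0a6958..ff142591d385e715994f0381c6b23c416763cd03 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -541,7 +541,10 @@ class trust(LDAPObject):
 ldap = self.backend
 filter = ldap.make_filter({'objectclass': ['ipaNTTrustedDomain'], 'cn': [keys[-1]] },
 rules=ldap.MATCH_ALL)
-filter = ldap.combine_filters((filter, "ipaNTSecurityIdentifier=*"), rules=ldap.MATCH_ALL)
+# more type of objects can be located in subtree (for example
+# cross-realm principals). we need this attr do detect trust
+# entries
+filter = ldap.combine_filters((filter, "ipaNTTrustPartner=*"), rules=ldap.MATCH_ALL)
 result = ldap.get_entries(DN(self.container_dn, self.env.basedn),
 ldap.SCOPE_SUBTREE, filter, [''])
 if len(result) > 1:
@@ -996,7 +999,7 @@ class trust_find(LDAPSearch):
 # search needs to be done on a sub-tree scope
 def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options):
 # list only trust, not trust domains
-trust_filter = '(ipaNTSecurityIdentifier=*)'
+trust_filter = '(ipaNTTrustPartner=*)'
 filter = ldap.combine_filters((filters, trust_filter), rules=ldap.MATCH_ALL)
 return (filter, base_dn, ldap.SCOPE_SUBTREE)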
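Review bot: The three added comment lines in the first hunk (class trust, around line 541) have grammar slips that will outlive the change: "more type of objects", "this attr do detect". Suggested wording: `# other kinds of entries (for example cross-realm principals) live in` / `# this subtree; the presence of ipaNTTrustPartner is what marks a trust entry`. The second hunk (trust_find.pre_callback) keeps the older comment "list only trust, not trust domains" while switching the discriminator to ipaNTTrustPartner, which presumably means child trust-domain entries never carry that attribute; that assumption is not visible in the hunk and is worth stating in the comment so a later schema change does not silently widen the search. The method containing the first hunk begins outside the hunk.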
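diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
index 4990a34f8972a0ffba098642c1ead09f976852e6..ea6de5cefe1dc56fc55cca076643867ecbeb08fe 100644
--- a/ipaserver/install/plugins/adtrust.py
+++ b/ipaserver/install/plugins/adtrust.py
@@ -315,7 +315,7 @@ class update_sids(Updater):
 attrs_list=["cn"],
 # more types of trusts can be stored under cn=trusts, we need
 # the type with ipaNTTrustPartner attribute
-filter="(!(%s=*))" % attr_name
+filter="(&(ipaNTTrustPartner=*)(!(%s=*)))" % attr_name
 )
 except errors.NotFound:
 pass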
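Review bot: The unchanged comment above the new filter line says "more types of trusts can be stored under cn=trusts", but the commit message explains that the other entries are cross-realm principals, not trusts, so the comment now misdescribes why the ipaNTTrustPartner clause is there. Suggested replacement: `# cn=trusts also holds non-trust entries (e.g. cross-realm principals);` / `# only entries carrying ipaNTTrustPartner are trusts and get a SID backfilled`. The filter is still assembled with %-interpolation of attr_name, while the trust.py hunks in this same commit build theirs through ldap.make_filter / combine_filters; attr_name is defined outside the hunk, and if it is a fixed attribute name this is harmless, but using the same helpers here would keep filter construction uniform. The enclosing get_entries call and try block both start outside the hunk.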
--
2.5.0