From 6f958201dc32a1043c77632fe98c05307a4ea671 Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Mon, 22 Feb 2016 17:36:01 +0100
Subject: [PATCH] trusts: use ipaNTTrustPartner attribute to detect trust
 entries

Trust entries were found by presence of ipaNTSecurityIdentifier
attribute. Unfortunately this attribute might not be there due to a bug.
As replacement for this, attribute ipaNTTrustPartner can be used.

Note: other non trust entries located in cn=trusts subtree can be
cross-realm principals.

https://fedorahosted.org/freeipa/ticket/5665

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
---
 ipalib/plugins/trust.py              | 7 +++++--
 ipaserver/install/plugins/adtrust.py | 2 +-
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 173463ae7d4134b5bd155cc5fa920bfabd0a6958..ff142591d385e715994f0381c6b23c416763cd03 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -541,7 +541,10 @@ class trust(LDAPObject):
             ldap = self.backend
             filter = ldap.make_filter({'objectclass': ['ipaNTTrustedDomain'], 'cn': [keys[-1]] },
                                       rules=ldap.MATCH_ALL)
-            filter = ldap.combine_filters((filter, "ipaNTSecurityIdentifier=*"), rules=ldap.MATCH_ALL)
+            # more type of objects can be located in subtree (for example
+            # cross-realm principals). we need this attr do detect trust
+            # entries
+            filter = ldap.combine_filters((filter, "ipaNTTrustPartner=*"), rules=ldap.MATCH_ALL)
             result = ldap.get_entries(DN(self.container_dn, self.env.basedn),
                                       ldap.SCOPE_SUBTREE, filter, [''])
             if len(result) > 1:
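Review bot: The comment added above the new combine_filters call has two typos ("more type of objects", "do detect"); it should read `# more types of objects can be located in the subtree (for example` / `# cross-realm principals); we need this attribute to detect trust` / `# entries`. The presence filter is also spelled without enclosing parentheses here, `"ipaNTTrustPartner=*"`, while the same hunk set writes it as `'(ipaNTTrustPartner=*)'` in trust_find.pre_callback; if combine_filters accepts both forms this is only a consistency point, but one spelling at both call sites is easier to find the next time the detection attribute changes. The enclosing method starts and ends outside the hunk.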
@@ -996,7 +999,7 @@ class trust_find(LDAPSearch):
     # search needs to be done on a sub-tree scope
     def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options):
         # list only trust, not trust domains
-        trust_filter = '(ipaNTSecurityIdentifier=*)'
+        trust_filter = '(ipaNTTrustPartner=*)'
         filter = ldap.combine_filters((filters, trust_filter), rules=ldap.MATCH_ALL)
         return (filter, base_dn, ldap.SCOPE_SUBTREE)
 
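Review bot: The comment `# list only trust, not trust domains` now depends on trust-domain entries under the cn=trusts subtree never carrying ipaNTTrustPartner, and since the search runs with SCOPE_SUBTREE, any child-domain entry that does have the attribute would start showing up in trust-find output. The hunk does not show how trustdomain entries are populated, so this should be confirmed against trustdomain creation code; if it holds, state the assumption in the comment, e.g. `# list only trusts, not trust domains: only top-level trust entries carry ipaNTTrustPartner`.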
diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
index 4990a34f8972a0ffba098642c1ead09f976852e6..ea6de5cefe1dc56fc55cca076643867ecbeb08fe 100644
--- a/ipaserver/install/plugins/adtrust.py
+++ b/ipaserver/install/plugins/adtrust.py
@@ -315,7 +315,7 @@ class update_sids(Updater):
                 attrs_list=["cn"],
                 # more types of trusts can be stored under cn=trusts, we need
                 # the type with ipaNTTrustPartner attribute
-                filter="(!(%s=*))" % attr_name
+                filter="(&(ipaNTTrustPartner=*)(!(%s=*)))" % attr_name
             )
         except errors.NotFound:
             pass
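Review bot: `attr_name` is interpolated into the LDAP filter with `%` and no escaping at the `filter=` line; that is acceptable only while attr_name is a fixed attribute name chosen inside update_sids (its assignment is outside the hunk), so a short comment such as `# attr_name is a fixed attribute name chosen by this updater, never external input` would stop the pattern from being copied for caller-supplied values. Separately, an entry that lacks both ipaNTTrustPartner and the SID attribute is now excluded by the narrowed filter and then silently absorbed by the existing `except errors.NotFound: pass`, so it is left without a SID with no trace; the description argues ipaNTTrustPartner is the reliable marker, but a debug log line before the search naming the filter would make the narrowed scope visible when such an entry is later found. The try block begins outside the hunk.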
-- 
2.5.0