Make trust objects available to regular users

With global read ACI removed, some of the trust and trustdomain attributes are not available. Make trust plugin resilient to these missing attributes and let it return the available information. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2025-02-25 18:55:28 -06:00 · 2014-04-23 14:32:01 +02:00 · 2014-04-23 14:32:01 +02:00 · 5d832c3426
commit 5d832c3426
parent 7eb12f1fb5
1 changed files with 19 additions and 11 deletions
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@ -379,7 +379,7 @@ class trust(LDAPObject):
            ldap = self.backend
            filter = ldap.make_filter({'objectclass': ['ipaNTTrustedDomain'], 'cn': [keys[-1]] },
                                      rules=ldap.MATCH_ALL)
-            filter = ldap.combine_filters((filter, "ipaNTSIDBlacklistIncoming=*"), rules=ldap.MATCH_ALL)
+            filter = ldap.combine_filters((filter, "ipaNTSecurityIdentifier=*"), rules=ldap.MATCH_ALL)
            result = ldap.get_entries(DN(self.container_dn, self.env.basedn),
                                      ldap.SCOPE_SUBTREE, filter, [''])
            if len(result) > 1:
@ -762,7 +762,7 @@ class trust_find(LDAPSearch):
    # search needs to be done on a sub-tree scope
    def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options):
        # list only trust, not trust domains
-        trust_filter = '(ipaNTSIDBlacklistIncoming=*)'
+        trust_filter = '(ipaNTSecurityIdentifier=*)'
        filter = ldap.combine_filters((filters, trust_filter), rules=ldap.MATCH_ALL)
        return (filter, base_dn, ldap.SCOPE_SUBTREE)

@ -772,7 +772,8 @@ class trust_find(LDAPSearch):

        for attrs in entries:
            # Translate ipanttrusttype to trusttype if --raw not used
-            if not options.get('raw', False):
+            trust_type = attrs.get('ipanttrusttype', [None])[0]
+            if not options.get('raw', False) and trust_type is not None:
                attrs['trusttype'] = trust_type_string(attrs['ipanttrusttype'][0])
                del attrs['ipanttrusttype']

@ -791,13 +792,15 @@ class trust_show(LDAPRetrieve):
        # if --raw not used

        if not options.get('raw', False):
-            type_str = trust_type_string(entry_attrs['ipanttrusttype'][0])
-            dir_str = trust_direction_string(entry_attrs['ipanttrustdirection']
-                                                        [0])
-            entry_attrs['trusttype'] = [type_str]
-            entry_attrs['trustdirection'] = [dir_str]
-            del entry_attrs['ipanttrusttype']
-            del entry_attrs['ipanttrustdirection']
+            trust_type = entry_attrs.get('ipanttrusttype', [None])[0]
+            if trust_type is not None:
+                entry_attrs['trusttype'] = trust_type_string(trust_type)
+                del entry_attrs['ipanttrusttype']
+
+            dir_str = entry_attrs.get('ipanttrustdirection', [None])[0]
+            if dir_str is not None:
+                entry_attrs['trustdirection'] = [trust_direction_string(dir_str)]
+                del entry_attrs['ipanttrustdirection']

        return dn

@ -1187,7 +1190,12 @@ class trustdomain_find(LDAPSearch):
        trust_entry = ldap.get_entry(trust_dn)
        for entry in entries:
            sid = entry['ipanttrusteddomainsid'][0]
-            if sid in trust_entry['ipantsidblacklistincoming']:
+
+            blacklist = trust_entry.get('ipantsidblacklistincoming')
+            if blacklist is None:
+                continue
+
+            if sid in blacklist:
                entry['domain_enabled'] = [False]
            else:
                entry['domain_enabled'] = [True]