IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

trusts: Add conversion from SID to object name

Browse Source 
Since SID is often used as a unique identifier for AD objects, we need to convert
a SID to actual object name in the AD.

Part of: https://fedorahosted.org/freeipa/ticket/3979

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This commit is contained in:
Tomas Babej 2014-09-02 14:47:29 +02:00 committed by Martin Kosek
parent 186c161ef5
commit 6a798f144f
1 changed files with 49 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
ipaserver/dcerpc.py
View File

@ -57,6 +57,8 @@ import pysss_nss_idmap
import pysss import pysss
from ipaplatform.paths import paths from ipaplatform.paths import paths
from ldap.filter import escape_filter_chars
__doc__ = _(""" __doc__ = _("""
Classes to manage trust joins using DCE-RPC calls Classes to manage trust joins using DCE-RPC calls
@ -350,6 +352,53 @@ class DomainValidator(object):
raise errors.ValidationError(name=_('trusted domain object'), raise errors.ValidationError(name=_('trusted domain object'),
error= _('Trusted domain did not return a valid SID for the object')) error= _('Trusted domain did not return a valid SID for the object'))
def get_trusted_domain_object_from_sid(self, sid):
root_logger.info("Converting SID to object name: %s" % sid)
# Check if the given SID is valid
if not self.is_trusted_sid_valid(sid):
raise errors.ValidationError(name='sid', error='SID is not valid')
# Use pysss_nss_idmap to obtain the name
result = pysss_nss_idmap.getnamebysid(sid).get(sid)
valid_types = (pysss_nss_idmap.ID_USER,
pysss_nss_idmap.ID_GROUP,
pysss_nss_idmap.ID_BOTH)
if result:
if result.get(pysss_nss_idmap.TYPE_KEY) in valid_types:
return result.get(pysss_nss_idmap.NAME_KEY)
# If unsuccessful, search AD DC LDAP
root_logger.info("Searching AD DC LDAP")
escaped_sid = escape_filter_chars(
security.dom_sid(sid).__ndr_pack__(),
2 # 2 means every character needs to be escaped
)
attrs = ['sAMAccountName']
filter = (r'(&(objectSid=%(sid)s)(|(objectClass=user)(objectClass=group)))'
% dict(sid=escaped_sid)) # sid in binary
domain = self.get_domain_by_sid(sid)
entries = self.get_trusted_domain_objects(domain=domain,
filter=filter,
attrs=attrs)
if len(entries) > 1:
# Treat non-unique entries as invalid
raise errors.ValidationError(name=_('trusted domain object'),
error=_('Trusted domain did not return a unique object'))
object_name = (
"%s@%s" % (entries[0].single_value['sAMAccountName'].lower(),
domain.lower())
)
return unicode(object_name)
def __get_trusted_domain_user_and_groups(self, object_name): def __get_trusted_domain_user_and_groups(self, object_name):
""" """
Returns a tuple with user SID and a list of SIDs of all groups he is Returns a tuple with user SID and a list of SIDs of all groups he is