trusts: use ipaNTTrustPartner attribute to detect trust entries

Trust entries were found by presence of ipaNTSecurityIdentifier
attribute. Unfortunately this attribute might not be there due the bug.
As replacement for this, attribute ipaNTTrustPartner can be used.

Note: other non trust entries located in cn=trusts subtree can be
cross-realm principals.

https://fedorahosted.org/freeipa/ticket/5665

Reviewed-By: Tomas Babej <tbabej@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

ipalib/plugins/trust.py

@@ -563,8 +563,11 @@ class trust(LDAPObject):
                 rules=ldap.MATCH_ALL
             )
 
+            # more type of objects can be located in subtree (for example
+            # cross-realm principals). we need this attr do detect trust
+            # entries
             trustfilter = ldap.combine_filters(
-                (trustfilter, "ipaNTSecurityIdentifier=*"),
+                (trustfilter, "ipaNTTrustPartner=*"),
                 rules=ldap.MATCH_ALL
             )
 
@@ -1036,7 +1039,7 @@ class trust_find(LDAPSearch):
     # search needs to be done on a sub-tree scope
     def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options):
         # list only trust, not trust domains
-        trust_filter = '(ipaNTSecurityIdentifier=*)'
+        trust_filter = '(ipaNTTrustPartner=*)'
         filter = ldap.combine_filters((filters, trust_filter), rules=ldap.MATCH_ALL)
         return (filter, base_dn, ldap.SCOPE_SUBTREE)
 

ipaserver/install/plugins/adtrust.py

@@ -294,7 +294,7 @@ class update_sids(Updater):
                 attrs_list=["cn"],
                 # more types of trusts can be stored under cn=trusts, we need
                 # the type with ipaNTTrustPartner attribute
-                filter="(!(%s=*))" % attr_name
+                filter="(&(ipaNTTrustPartner=*)(!(%s=*)))" % attr_name
             )
         except errors.NotFound:
             pass