IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

adtrust: optimize forest root LDAP filter

Browse Source 
`ipa trust-find' command should only show trusted forest root domains

The child domains should be visible via

   ipa trustdomain-find forest.root

The difference between forest root (or external domain) and child
domains is that root domain gets ipaIDObject class to allow assigning a
POSIX ID to the object. This POSIX ID is used by Samba when an Active
Directory domain controller connects as forest trusted domain object.

Child domains can only talk to IPA via forest root domain, thus they
don't need POSIX ID for their TDOs. This allows us a way to
differentiate objects for the purpose of 'trust-find' /
'trustdomain-find' commands.

Fixes https://fedorahosted.org/freeipa/ticket/5942

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
This commit is contained in:
Alexander Bokovoy
2016-06-07 18:54:36 +03:00
committed by Martin Basti
parent 5e5df4abf0
commit 905db92e61
1 changed files with 3 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
ipaserver/plugins/trust.py
View File

@@ -485,7 +485,7 @@ class trust(LDAPObject):
container_dn = api.env.container_trusts
object_name = _('trust')
object_name_plural = _('trusts')
object_class = ['ipaNTTrustedDomain']
object_class = ['ipaNTTrustedDomain', 'ipaIDObject']
default_attributes = ['cn', 'ipantflatname', 'ipanttrusteddomainsid',
'ipanttrusttype', 'ipanttrustattributes',
'ipanttrustdirection', 'ipanttrustpartner',
@@ -577,7 +577,7 @@ class trust(LDAPObject):
if trust_type is None:
ldap = self.backend
trustfilter = ldap.make_filter({
'objectclass': ['ipaNTTrustedDomain'],
'objectclass': ['ipaNTTrustedDomain', 'ipaIDObject'],
'cn': [keys[-1]]},
rules=ldap.MATCH_ALL
)
@@ -1074,9 +1074,7 @@ class trust_find(LDAPSearch):
# search needs to be done on a sub-tree scope
def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options):
# list only trust, not trust domains
trust_filter = '(&(ipaNTTrustPartner=*)(&(objectclass=ipaIDObject)(objectclass=ipaNTTrustedDomain)))'
filter = ldap.combine_filters((filters, trust_filter), rules=ldap.MATCH_ALL)
return (filter, base_dn, ldap.SCOPE_SUBTREE)
return (filters, base_dn, ldap.SCOPE_SUBTREE)
def execute(self, *args, **options):
result = super(trust_find, self).execute(*args, **options)