From 905db92e61c2e56f8cce723e9c9d28e7968eccc4 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 7 Jun 2016 18:54:36 +0300
Subject: [PATCH] adtrust: optimize forest root LDAP filter

`ipa trust-find' command should only show trusted forest root domains

The child domains should be visible via

   ipa trustdomain-find forest.root

The difference between forest root (or external domain) and child
domains is that root domain gets ipaIDObject class to allow assigning a
POSIX ID to the object. This POSIX ID is used by Samba when an Active
Directory domain controller connects as forest trusted domain object.

Child domains can only talk to IPA via forest root domain, thus they
don't need POSIX ID for their TDOs. This allows us a way to
differentiate objects for the purpose of 'trust-find' /
'trustdomain-find' commands.

Fixes https://fedorahosted.org/freeipa/ticket/5942

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
---
 ipaserver/plugins/trust.py | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py
index 02d2e0e81..932089b68 100644
--- a/ipaserver/plugins/trust.py
+++ b/ipaserver/plugins/trust.py
@@ -485,7 +485,7 @@ class trust(LDAPObject):
     container_dn = api.env.container_trusts
     object_name = _('trust')
     object_name_plural = _('trusts')
-    object_class = ['ipaNTTrustedDomain']
+    object_class = ['ipaNTTrustedDomain', 'ipaIDObject']
     default_attributes = ['cn', 'ipantflatname', 'ipanttrusteddomainsid',
                           'ipanttrusttype', 'ipanttrustattributes',
                           'ipanttrustdirection', 'ipanttrustpartner',
@@ -577,7 +577,7 @@ class trust(LDAPObject):
         if trust_type is None:
             ldap = self.backend
             trustfilter = ldap.make_filter({
-                'objectclass': ['ipaNTTrustedDomain'],
+                'objectclass': ['ipaNTTrustedDomain', 'ipaIDObject'],
                 'cn': [keys[-1]]},
                 rules=ldap.MATCH_ALL
             )
@@ -1074,9 +1074,7 @@ class trust_find(LDAPSearch):
     # search needs to be done on a sub-tree scope
     def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options):
         # list only trust, not trust domains
-        trust_filter = '(&(ipaNTTrustPartner=*)(&(objectclass=ipaIDObject)(objectclass=ipaNTTrustedDomain)))'
-        filter = ldap.combine_filters((filters, trust_filter), rules=ldap.MATCH_ALL)
-        return (filter, base_dn, ldap.SCOPE_SUBTREE)
+        return (filters, base_dn, ldap.SCOPE_SUBTREE)
 
     def execute(self, *args, **options):
         result = super(trust_find, self).execute(*args, **options)