author | Tomas Babej <tbabej@redhat.com> | 2014-09-02 14:47:29 +0200 |
committer | Martin Kosek <mkosek@redhat.com> | 2014-09-30 10:42:06 +0200 |
commit | 6a798f144f88996046bce9bf19e771bb5a477bc6 (patch) | |
tree | 150bd896dd583ee7fce4521aa5bd0dec74054b80 | |
parent | 186c161ef573d7b221c01c30f8995683ce13b216 (diff) | |
trusts: Add conversion from SID to object name
Since a SID is often used as the unique identifier for AD objects, we need to convert
a SID to the actual object name in AD.
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-rw-r--r-- | ipaserver/dcerpc.py | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 3944b19e0..caeca3c4a 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -57,6 +57,8 @@ import pysss_nss_idmap
 import pysss
 from ipaplatform.paths import paths
+from ldap.filter import escape_filter_chars
+
 __doc__ = _("""
 Classes to manage trust joins using DCE-RPC calls
@@ -350,6 +352,53 @@ class DomainValidator(object):
                 raise errors.ValidationError(name=_('trusted domain object'), error= _('Trusted domain did not return a valid SID for the object'))
+    def get_trusted_domain_object_from_sid(self, sid):
+        root_logger.info("Converting SID to object name: %s" % sid)
+
+        # Check if the given SID is valid
+        if not self.is_trusted_sid_valid(sid):
+            raise errors.ValidationError(name='sid', error='SID is not valid')
+
+        # Use pysss_nss_idmap to obtain the name
+        result = pysss_nss_idmap.getnamebysid(sid).get(sid)
+
+        valid_types = (pysss_nss_idmap.ID_USER,
+                       pysss_nss_idmap.ID_GROUP,
+                       pysss_nss_idmap.ID_BOTH)
+
+        if result:
+            if result.get(pysss_nss_idmap.TYPE_KEY) in valid_types:
+                return result.get(pysss_nss_idmap.NAME_KEY)
+
+        # If unsuccessful, search AD DC LDAP
+        root_logger.info("Searching AD DC LDAP")
+
+        escaped_sid = escape_filter_chars(
+            security.dom_sid(sid).__ndr_pack__(),
+            2 # 2 means every character needs to be escaped
+        )
+
+        attrs = ['sAMAccountName']
+        filter = (r'(&(objectSid=%(sid)s)(|(objectClass=user)(objectClass=group)))'
+                  % dict(sid=escaped_sid)) # sid in binary
+        domain = self.get_domain_by_sid(sid)
+
+        entries = self.get_trusted_domain_objects(domain=domain,
+                                                  filter=filter,
+                                                  attrs=attrs)
+
+        if len(entries) > 1:
+            # Treat non-unique entries as invalid
+            raise errors.ValidationError(name=_('trusted domain object'),
+                                         error=_('Trusted domain did not return a unique object'))
+
+        object_name = (
+            "%s@%s" % (entries[0].single_value['sAMAccountName'].lower(),
+                       domain.lower())
+        )
+
+        return unicode(object_name)
+
     def __get_trusted_domain_user_and_groups(self, object_name):
         """
         Returns a tuple with user SID and a list of SIDs of all groups he is
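Review bot: `entries[0]` at the end of get_trusted_domain_object_from_sid is reached without an empty-result check; the hunk only rejects `len(entries) > 1`, so a SID that passes is_trusted_sid_valid but matches no user or group object in the AD DC LDAP would surface as an IndexError rather than a clean validation failure (unless get_trusted_domain_objects itself raises on no match, which is outside the hunk and worth confirming). Add a guard mirroring the existing one: `if not entries: raise errors.ValidationError(name=_('trusted domain object'), error=_('Trusted domain did not return any object'))`. As a point of style, the local `filter` shadows the builtin and `ldap_filter` would read more clearly, and both `root_logger.info` calls could pass the SID as a lazy argument (`root_logger.info("Converting SID to object name: %s", sid)`) instead of pre-formatting it. The escaping of the NDR-packed SID with mode 2 before it is embedded in the filter is the right choice for binary data and should be kept as is. The enclosing class DomainValidator starts outside the hunk.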