authorTomas Babej <tbabej@redhat.com>2014-09-02 14:47:29 +0200
committerTomas Babej <tbabej@redhat.com>2014-09-17 14:41:51 +0200
commitfea3b121a2e16d493dbadbc2f32cfeb02bf8919c (patch)
treefab354c5090a3ed78b509864c489c61046909826
parentf35e212eb5cc6df5bdb03237ac5bcd654bc114b8 (diff)
downloadfreeipa-fea3b121a2e16d493dbadbc2f32cfeb02bf8919c.zip
freeipa-fea3b121a2e16d493dbadbc2f32cfeb02bf8919c.tar.gz
freeipa-fea3b121a2e16d493dbadbc2f32cfeb02bf8919c.tar.xz
trusts: Add conversion from SID to object name
-rw-r--r--ipaserver/dcerpc.py49
1 files changed, 49 insertions, 0 deletions
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 3944b19..ad5a9a8 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -57,6 +57,8 @@ import pysss_nss_idmap
import pysss
from ipaplatform.paths import paths
+from ldap.filter import escape_filter_chars
+
__doc__ = _("""
Classes to manage trust joins using DCE-RPC calls
@@ -350,6 +352,53 @@ class DomainValidator(object):
raise errors.ValidationError(name=_('trusted domain object'),
error= _('Trusted domain did not return a valid SID for the object'))
+ def get_trusted_domain_object_from_sid(self, sid):
+ root_logger.info("Converting SID to object name: %s" % sid)
+
+ # Check if the given SID is valid
+ if not self.is_trusted_sid_valid(sid):
+ raise errors.ValidationError(name='sid', error='SID is not valid')
+
+ # Use pysss_nss_idmap to obtain the name
+ result = pysss_nss_idmap.getnamebysid(sid).get(sid)
+
+ valid_types = (pysss_nss_idmap.ID_USER,
+ pysss_nss_idmap.ID_GROUP,
+ pysss_nss_idmap.ID_BOTH)
+
+ if result:
+ if result.get('type') in valid_types:
+ # return result.get('name')
+ root_logger.error("Found this: %s" % result.get('name'))
+
+ # If unsuccessful, search AD DC LDAP
+ root_logger.info("Searching AD DC LDAP")
+
+ escaped_sid = escape_filter_chars(
+ security.dom_sid(sid).__ndr_pack__(),
+ 2 # 2 means every character needs to be escaped
+ )
+
+ attrs = ['sAMAccountName']
+ filter = r'(&(objectSid=%(sid)s)(|(objectClass=user)(objectClass=group)))' \
+ % dict(sid=escaped_sid) # sid in binary
+ domain = self.get_domain_by_sid(sid)
+
+ entries = self.get_trusted_domain_objects(domain=domain,
+ filter=filter,
+ attrs=attrs)
+
+ if len(entries) > 1:
+ # Treat non-unique entries as invalid
+ raise errors.ValidationError(name=_('trusted domain object'),
+ error= _('Trusted domain did not return a unique object'))
+
+ object_name = (entries[0].single_value.get('sAMAccountName').lower() +
+ '@' +
+ domain.lower())
+
+ return unicode(object_name)
+
def __get_trusted_domain_user_and_groups(self, object_name):
"""
Returns a tuple with user SID and a list of SIDs of all groups he is
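Review bot: `entries[0]` in the `object_name` assignment is reached with no guard for an empty result, so a SID that passes `is_trusted_sid_valid` but matches no user or group in AD surfaces as an IndexError from the LDAP fallback instead of the ValidationError the `> 1` branch raises; tighten the check to `if len(entries) != 1:` or add `if not entries: raise errors.ValidationError(name=_('trusted domain object'), error=_('Trusted domain did not return an object for the SID'))` before it. The pysss_nss_idmap fast path also never returns: the `return result.get('name')` is commented out and replaced by `root_logger.error("Found this: %s" % result.get('name'))`, so every successful idmap lookup logs a spurious error and then falls through to the AD DC LDAP search; restore `return unicode(result.get('name'))` there, on the assumption that the idmap name is already in the same `name@domain` form the LDAP branch builds (worth confirming before relying on it). `single_value.get('sAMAccountName')` presumably returns None for an entry lacking the attribute, which would become an AttributeError on `.lower()`, so a guard or a ValidationError would be appropriate there too. Minor: `filter` shadows the builtin; `ldap_filter` reads better.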