| author | Alexander Bokovoy <abokovoy@redhat.com> | 2015-05-28 08:33:51 +0000 |
|---|---|---|
| committer | Tomas Babej <tbabej@redhat.com> | 2015-07-08 01:56:52 +0200 |
| commit | d3ccfefaa4671776df0743285dd6c7d49f832813 (patch) | |
| tree | b4c6fb535c01e9d31dbc689347566ce1dcee2d4d /API.txt | |
| parent | 88c10dd9750516f49e6bbfa0246d390b3a10fc91 (diff) | |
| download | freeipa-d3ccfefaa4671776df0743285dd6c7d49f832813.tar.gz freeipa-d3ccfefaa4671776df0743285dd6c7d49f832813.tar.xz freeipa-d3ccfefaa4671776df0743285dd6c7d49f832813.zip | |
ipa-kdb: filter out group membership from MS-PAC for exact SID matches too
When the incoming SID blacklist contains exact SIDs of users and groups,
attempt to filter them out as well, according to [MS-PAC] 4.1.1.2.
Note that we treat user's SID and primary group RID filtering as a violation
of the KDC policy because the resulting MS-PAC will have no user SID or
primary group and thus will be invalid.
For group RIDs we filter them out. According to [MS-KILE] 3.3.5.6.3.1
it is OK to have an empty group RIDs array as GroupCount SHOULD be
equal to Groups.MembershipCount returned by SamrGetGroupsForUser
[MS-SAMR] 3.1.5.9.1, not MUST, thus it may be empty.
Part of fix for https://bugzilla.redhat.com/show_bug.cgi?id=1222475
Reviewed-By: Tomas Babej <tbabej@redhat.com>
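The policy the commit message describes, modelled as an added example; this is not ipa-kdb code and none of the names below (`PacLogonInfo`, `filter_pac_logon_info`, `KdcPolicyViolation`, the constructed domain SID and RIDs) come from the FreeIPA tree. The model follows the message's three rules: an exact blacklist match on the user's own SID or on the primary group SID is a KDC policy violation (the resulting PAC would be invalid), while blacklisted group RIDs and, as an assumption extending the same exact-match rule, blacklisted ExtraSids are silently dropped, even if that leaves the group array empty:

```python
from dataclasses import dataclass, field, replace
from typing import List, Set


class KdcPolicyViolation(Exception):
    """Raised when filtering would leave the PAC without a user SID or
    primary group, i.e. the ticket must be refused rather than issued."""


@dataclass
class PacLogonInfo:
    """Minimal model of KERB_VALIDATION_INFO fields relevant to SID filtering.
    RIDs are relative to domain_sid; extra_sids are full SIDs (assumed field)."""
    domain_sid: str
    user_rid: int
    primary_group_rid: int
    group_rids: List[int] = field(default_factory=list)
    extra_sids: List[str] = field(default_factory=list)


def sid_of(domain_sid: str, rid: int) -> str:
    """Compose a full SID string from a domain SID and a RID."""
    return f"{domain_sid}-{rid}"


def filter_pac_logon_info(info: PacLogonInfo, blacklist: Set[str]) -> PacLogonInfo:
    """Apply an exact-SID blacklist to a logon info structure.

    - user SID blacklisted          -> KdcPolicyViolation
    - primary group SID blacklisted -> KdcPolicyViolation
    - member group RID blacklisted  -> RID removed (array may end up empty)
    - ExtraSid blacklisted          -> entry removed (assumption, same rule)
    """
    user_sid = sid_of(info.domain_sid, info.user_rid)
    if user_sid in blacklist:
        raise KdcPolicyViolation(f"user SID {user_sid} is blacklisted")

    primary_sid = sid_of(info.domain_sid, info.primary_group_rid)
    if primary_sid in blacklist:
        raise KdcPolicyViolation(f"primary group SID {primary_sid} is blacklisted")

    kept_groups = [rid for rid in info.group_rids
                   if sid_of(info.domain_sid, rid) not in blacklist]
    kept_extra = [sid for sid in info.extra_sids if sid not in blacklist]

    # Return a new structure rather than mutating the caller's copy.
    return replace(info, group_rids=kept_groups, extra_sids=kept_extra)


def demo() -> PacLogonInfo:
    """Constructed sample: one member group and one ExtraSid are blacklisted."""
    domain = "S-1-5-21-1111-2222-3333"  # constructed, not a real domain SID
    info = PacLogonInfo(domain_sid=domain, user_rid=1000, primary_group_rid=513,
                        group_rids=[513, 1001, 1002],
                        extra_sids=["S-1-5-21-9-9-9-500", "S-1-18-1"])
    blacklist = {sid_of(domain, 1001), "S-1-5-21-9-9-9-500"}
    return filter_pac_logon_info(info, blacklist)


if __name__ == "__main__":
    print(demo())
```

The split between "drop" and "refuse" is the security-relevant part: a filter that quietly removed the user's own SID would hand out a syntactically broken PAC, whereas refusing the ticket is an explicit, loggable policy decision.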
Diffstat (limited to 'API.txt')
0 files changed, 0 insertions, 0 deletions