author: Alexander Bokovoy <abokovoy@redhat.com> 2015-05-28 08:33:51 +0000
committer: Alexander Bokovoy <abokovoy@redhat.com> 2015-07-07 10:33:53 +0300
commit: a797874359544e431bdd96dd11e26f404c578db0 (patch)
tree: 40ec014adeefad323d316692bc7f056373507375 /ipalib/plugins/trust.py
parent: 0e252fb1f8455daa87dccbc6dcba61b08570b444 (diff)
ipa-kdb: filter out group membership from MS-PAC for exact SID matches too
When the incoming SID blacklist contains exact SIDs of users and groups, attempt to filter them out as well, according to [MS-PAC] 4.1.1.2. Note that we treat the user's SID and primary group RID filtering as a violation of the KDC policy because the resulting MS-PAC will have no user SID or primary group and thus will be invalid. For group RIDs we filter them out and, in the unlikely event of an empty list of groups, treat that as a violation of the KDC policy as well.

Part of fix for https://bugzilla.redhat.com/show_bug.cgi?id=1222475
Diffstat (limited to 'ipalib/plugins/trust.py')
0 files changed, 0 insertions, 0 deletions
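The decision logic the commit message describes, as an added example that is not FreeIPA's ipa-kdb code. `struct pac_info`, `filter_exact_sids` and all SID values are hypothetical and constructed, and the PAC is simplified to one domain SID plus RIDs.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum pac_verdict { PAC_OK = 0, PAC_POLICY_VIOLATION = -1 };

/* Hypothetical, simplified view of the PAC logon info fields involved. */
struct pac_info {
    const char *domain_sid;          /* e.g. "S-1-5-21-1-2-3" (constructed) */
    uint32_t user_rid, primary_gid;
    uint32_t group_rids[8];
    size_t group_count;
};

/* Exact match only: true when "<domain_sid>-<rid>" equals a blacklist entry. */
static int sid_is_blacklisted(const char *dom, uint32_t rid,
                              const char *const *bl, size_t n)
{
    char sid[128];
    snprintf(sid, sizeof(sid), "%s-%u", dom, (unsigned)rid);
    for (size_t i = 0; i < n; i++)
        if (strcmp(sid, bl[i]) == 0)
            return 1;
    return 0;
}

enum pac_verdict filter_exact_sids(struct pac_info *pac,
                                   const char *const *bl, size_t n)
{
    /* Dropping the user SID or primary group would leave an invalid PAC. */
    if (sid_is_blacklisted(pac->domain_sid, pac->user_rid, bl, n) ||
        sid_is_blacklisted(pac->domain_sid, pac->primary_gid, bl, n))
        return PAC_POLICY_VIOLATION;
    size_t kept = 0;                 /* compact the group list in place */
    for (size_t i = 0; i < pac->group_count; i++)
        if (!sid_is_blacklisted(pac->domain_sid, pac->group_rids[i], bl, n))
            pac->group_rids[kept++] = pac->group_rids[i];
    pac->group_count = kept;
    /* No groups left is treated as a policy violation as well. */
    return kept == 0 ? PAC_POLICY_VIOLATION : PAC_OK;
}

int main(void)
{
    const char *const bl[] = { "S-1-5-21-1-2-3-513" };   /* constructed */
    struct pac_info p = { "S-1-5-21-1-2-3", 1001, 512, { 513, 1200 }, 2 };
    int rc = filter_exact_sids(&p, bl, 1);
    printf("verdict=%d groups=%zu\n", rc, p.group_count);
    return 0;
}
```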