author | Alexander Bokovoy <abokovoy@redhat.com> | 2015-05-28 08:33:51 +0000 |
---|---|---|
committer | Alexander Bokovoy <abokovoy@redhat.com> | 2015-07-07 10:33:53 +0300 |
commit | a797874359544e431bdd96dd11e26f404c578db0 (patch) | |
tree | 40ec014adeefad323d316692bc7f056373507375 /ipalib/plugins/trust.py | |
parent | 0e252fb1f8455daa87dccbc6dcba61b08570b444 (diff) | |

ipa-kdb: filter out group membership from MS-PAC for exact SID matches too

When incoming SID blacklist contains exact SIDs of users and groups,
attempt to filter them out as well, according to [MS-PAC] 4.1.1.2.

Note that we treat user's SID and primary group RID filtering as violation
of the KDC policy because the resulting MS-PAC will have no user SID or
primary group and thus will be invalid.

For group RIDs we filter them out and in unlikely event of empty
list of groups treat that as violation of the KDC policy as well.

Part of fix for https://bugzilla.redhat.com/show_bug.cgi?id=1222475

Diffstat (limited to 'ipalib/plugins/trust.py')
0 files changed, 0 insertions, 0 deletions
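
The filtering rules stated in the commit message, sketched as an added Python example; it is not code from this commit or from ipa-kdb, and it covers only exact SID matches. The names `filter_exact_sids`, `split_sid`, `KdcPolicyError` and the sample domain SID and RIDs are hypothetical, constructed for illustration.

```python
class KdcPolicyError(Exception):
    """Stands in for the KDC policy violation the commit message describes."""


def split_sid(sid):
    """Split 'S-1-5-21-X-Y-Z-RID' into (domain SID string, integer RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def filter_exact_sids(domain_sid, user_rid, primary_gid, group_rids, blacklist):
    """Return group_rids without exactly blacklisted SIDs, or raise."""
    # Only blacklist entries that are a RID directly under this domain SID
    # can be an exact match for one of the PAC's principals.
    blocked = {rid for dom, rid in map(split_sid, blacklist) if dom == domain_sid}

    # Removing the user SID or the primary group would leave an invalid PAC,
    # so a match here rejects the request instead of filtering.
    if user_rid in blocked:
        raise KdcPolicyError("user SID is blacklisted")
    if primary_gid in blocked:
        raise KdcPolicyError("primary group SID is blacklisted")

    # Other group memberships are dropped one by one; an empty result is
    # treated as a policy violation as well.
    kept = [rid for rid in group_rids if rid not in blocked]
    if not kept:
        raise KdcPolicyError("no group memberships left after filtering")
    return kept


# Constructed sample values (not taken from the commit).
DOMAIN = "S-1-5-21-1111-2222-3333"
GROUPS = [513, 1110, 1120]
```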