author | Tomas Babej <tbabej@redhat.com> | 2014-09-02 14:47:29 +0200 |
committer | Tomas Babej <tbabej@redhat.com> | 2014-09-17 14:41:51 +0200 |
commit | fea3b121a2e16d493dbadbc2f32cfeb02bf8919c (patch) | |
tree | fab354c5090a3ed78b509864c489c61046909826 /ipaserver/dcerpc.py | |
parent | f35e212eb5cc6df5bdb03237ac5bcd654bc114b8 (diff) | |
download | freeipa-fea3b121a2e16d493dbadbc2f32cfeb02bf8919c.tar.gz freeipa-fea3b121a2e16d493dbadbc2f32cfeb02bf8919c.tar.xz freeipa-fea3b121a2e16d493dbadbc2f32cfeb02bf8919c.zip |
trusts: Add conversion from SID to object name
Diffstat (limited to 'ipaserver/dcerpc.py')
-rw-r--r-- | ipaserver/dcerpc.py | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 3944b19e0..ad5a9a895 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -57,6 +57,8 @@ import pysss_nss_idmap
 import pysss
 from ipaplatform.paths import paths
+from ldap.filter import escape_filter_chars
+
 __doc__ = _("""
 Classes to manage trust joins using DCE-RPC calls
@@ -350,6 +352,53 @@ class DomainValidator(object):
 raise errors.ValidationError(name=_('trusted domain object'),
 error= _('Trusted domain did not return a valid SID for the object'))
+ def get_trusted_domain_object_from_sid(self, sid):
+ root_logger.info("Converting SID to object name: %s" % sid)
+
+ # Check if the given SID is valid
+ if not self.is_trusted_sid_valid(sid):
+ raise errors.ValidationError(name='sid', error='SID is not valid')
+
+ # Use pysss_nss_idmap to obtain the name
+ result = pysss_nss_idmap.getnamebysid(sid).get(sid)
+
+ valid_types = (pysss_nss_idmap.ID_USER,
+ pysss_nss_idmap.ID_GROUP,
+ pysss_nss_idmap.ID_BOTH)
+
+ if result:
+ if result.get('type') in valid_types:
+ # return result.get('name')
+ root_logger.error("Found this: %s" % result.get('name'))
+
+ # If unsuccessful, search AD DC LDAP
+ root_logger.info("Searching AD DC LDAP")
+
+ escaped_sid = escape_filter_chars(
+ security.dom_sid(sid).__ndr_pack__(),
+ 2 # 2 means every character needs to be escaped
+ )
+
+ attrs = ['sAMAccountName']
+ filter = r'(&(objectSid=%(sid)s)(|(objectClass=user)(objectClass=group)))' \
+ % dict(sid=escaped_sid) # sid in binary
+ domain = self.get_domain_by_sid(sid)
+
+ entries = self.get_trusted_domain_objects(domain=domain,
+ filter=filter,
+ attrs=attrs)
+
+ if len(entries) > 1:
+ # Treat non-unique entries as invalid
+ raise errors.ValidationError(name=_('trusted domain object'),
+ error= _('Trusted domain did not return a unique object'))
+
+ object_name = (entries[0].single_value.get('sAMAccountName').lower() +
+ '@' +
+ domain.lower())
+
+ return unicode(object_name)
+
 def __get_trusted_domain_user_and_groups(self, object_name):
 """
 Returns a tuple with user SID and a list of SIDs of all groups he is
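Review bot: The sssd fast path in get_trusted_domain_object_from_sid never returns anything: `return result.get('name')` is commented out and replaced by `root_logger.error("Found this: %s" % result.get('name'))`, so a successful pysss_nss_idmap lookup is logged at ERROR level and every call still falls through to the AD DC LDAP search. Either restore the return (the LDAP branch yields a lowercased `name@domain` unicode string, so the sssd-provided name should be normalised to the same shape) or drop the lookup and the unused `valid_types` tuple until the result is actually consumed. The empty-result case is also unhandled: `if len(entries) > 1:` rejects duplicates, but zero entries reaches `entries[0]` and raises IndexError unless get_trusted_domain_objects already raises on no match, which is not visible here; `if len(entries) != 1:` with a message covering both "no object" and "not unique" closes that gap. Minor: `filter` shadows the builtin, `ldap_filter` reads better. The enclosing class DomainValidator starts outside the hunk.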