authorTomas Babej <tbabej@redhat.com>2015-04-29 08:16:13 +0200
committerTomas Babej <tbabej@redhat.com>2015-07-02 13:23:21 +0200
commit646253044028b86291430680981a40bef2bff1e6 (patch)
treead3950c9f27df31e04111661aa654776a3357191 /ipaserver
parentf8d1458fdaedeefac77045d043a0dd5cb9331163 (diff)
idviews: Fallback to AD DC LDAP only if specifically allowed
https://fedorahosted.org/freeipa/ticket/4524 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/dcerpc.py7
1 files changed, 6 insertions, 1 deletions
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 9525c7458..725b2cd90 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -326,12 +326,17 @@ class DomainValidator(object):
return entries
- def get_trusted_domain_object_sid(self, object_name):
+ def get_trusted_domain_object_sid(self, object_name, fallback_to_ldap=True):
result = pysss_nss_idmap.getsidbyname(object_name)
if object_name in result and (pysss_nss_idmap.SID_KEY in result[object_name]):
object_sid = result[object_name][pysss_nss_idmap.SID_KEY]
return object_sid
+ # If fallback to AD DC LDAP is not allowed, bail out
+ if not fallback_to_ldap:
+ raise errors.ValidationError(name=_('trusted domain object'),
+ error= _('SSSD was unable to resolve the object to a valid SID'))
+
# Else, we are going to contact AD DC LDAP
components = normalize_name(object_name)
if not ('domain' in components or 'flatname' in components):
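Review bot: The new `fallback_to_ldap` parameter defaults to `True`, so any caller that does not pass it still falls through to the AD DC LDAP lookup when SSSD cannot resolve the name. That is fail-open relative to the commit title ("only if specifically allowed"): the restriction applies only where a caller remembers to pass `fallback_to_ldap=False`. Consider `def get_trusted_domain_object_sid(self, object_name, fallback_to_ldap=False):` and have the call sites that really need the DC lookup opt in explicitly; those call sites are not visible in this diff, so they need to be audited before the default is flipped. A short docstring stating that the method raises `ValidationError` when SSSD cannot resolve the object and the fallback is disabled would also help callers. The method body continues past the end of this hunk.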