-rw-r--r-- | ipalib/plugins/group.py | 2 | ||||
-rw-r--r-- | ipaserver/dcerpc.py | 27 |
2 files changed, 24 insertions, 5 deletions
diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index 4994dacb3..06e80931a 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -387,7 +387,7 @@ class group_add_member(LDAPAddMember):
 try:
 actual_sid = domain_validator.get_trusted_domain_object_sid(sid)
 except errors.PublicError, e:
- failed_sids.append((sid, unicode(e)))
+ failed_sids.append((sid, e.strerror))
 else:
 sids.append(actual_sid)
 restore = []
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index b471bccee..140e26f77 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -156,10 +156,29 @@ class DomainValidator(object):
 self.ATTR_TRUST_AUTHOUT])
 result = dict()
- for entry in entries:
- result[entry[1][self.ATTR_TRUST_PARTNER][0]] = (entry[1][self.ATTR_FLATNAME][0].lower(),
- security.dom_sid(entry[1][self.ATTR_TRUSTED_SID][0]),
- entry[1][self.ATTR_TRUST_AUTHOUT][0])
+ for dn, entry in entries:
+ try:
+ trust_partner = entry[self.ATTR_TRUST_PARTNER][0]
+ flatname_normalized = entry[self.ATTR_FLATNAME][0].lower()
+ trusted_sid = entry[self.ATTR_TRUSTED_SID][0]
+ except KeyError, e:
+ # Some piece of trusted domain info in LDAP is missing
+ # Skip the domain, but leave log entry for investigation
+ api.log.warn("Trusted domain '%s' entry misses an attribute: %s",
+ dn, e)
+ continue
+ trust_authout = entry.get(self.ATTR_TRUST_AUTHOUT, [None])[0]
+
+ # We were able to read all Trusted domain attributes but the secret
+ # User is not member of trust admins group
+ if trust_authout is None:
+ raise errors.ACIError(
+ info=_('communication with trusted domains is allowed ' 'for Trusts administrator group members only'))
+
+ result[trust_partner] = (flatname_normalized,
+ security.dom_sid(trusted_sid),
+ trust_authout)
 return result
 except errors.NotFound, e:
 return [] |
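Review bot: The `except errors.PublicError, e:` clause around get_trusted_domain_object_sid will also swallow the ACIError that ipaserver/dcerpc.py now raises for callers outside the Trusts administrator group, assuming ACIError derives from PublicError like the other IPA error classes; an authorization failure is then recorded in `failed_sids` once per requested SID, with the same `e.strerror` text repeated, instead of aborting group-add-member. If that is not the intent, let it propagate ahead of the broad handler: `except errors.ACIError: raise` placed before `except errors.PublicError, e:`. The switch to `e.strerror` itself is fine as long as every PublicError subclass reaching this point sets that attribute. group_add_member's body starts and ends outside the hunk.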
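Review bot: The new membership check treats a missing ATTR_TRUST_AUTHOUT value as proof that the caller is not a Trusts administrator, but `entry.get(...)` cannot distinguish an attribute hidden by ACI from one that is genuinely absent or empty on the trust entry, so a legitimate administrator gets the same ACIError for an incompletely provisioned trust, and an attribute present as an empty list makes the trailing `[0]` raise IndexError outside the `except KeyError` block. At minimum make the lookup tolerate an empty value, `trust_authout = (entry.get(self.ATTR_TRUST_AUTHOUT) or [None])[0]`, and state the assumption next to the check, e.g. `# assumes ATTR_TRUST_AUTHOUT is always stored on a trust entry and is only unreadable when the ACI hides it from non-admins`. Note also that the check fires per entry inside the loop, so the ACIError is raised on the first such entry and the partially built `result` is discarded, which is reasonable but worth a word in the comment. The enclosing method starts before this hunk and the `api` logger it calls is not visible here.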