From 827ea50566dbb2a0906da76d318a2ba68a4b818e Mon Sep 17 00:00:00 2001
From: Martin Kosek <mkosek@redhat.com>
Date: Thu, 7 Feb 2013 14:52:35 +0100
Subject: ipa-kdb: read SID blacklist from LDAP

SIDs in incoming MS-PAC were checked and filtered with a fixed list of
well-known SIDs. Allow reading the SID blacklist from LDAP
(ipaNTSIDBlacklistIncoming and ipaNTSIDBlacklistOutgoing) and add the list
to mspac adtrust structure. Use the hardcoded SID list only if the LDAP
SID list is not configured.

LIMITATION: the SID blacklist is read and stored but not yet applied when filtering PACs.

https://fedorahosted.org/freeipa/ticket/3289
---
 util/ipa_mspac.h | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 util/ipa_mspac.h


diff --git a/util/ipa_mspac.h b/util/ipa_mspac.h
new file mode 100644
index 000000000..152317b18
--- /dev/null
+++ b/util/ipa_mspac.h
@@ -0,0 +1,32 @@
+#ifndef __IPA_MSPAC_H_
+#define __IPA_MSPAC_H_
+
+char *ipa_mspac_well_known_sids[] = {
+    "S-1-0",
+    "S-1-1",
+    "S-1-2",
+    "S-1-3",
+    "S-1-5-1",
+    "S-1-5-2",
+    "S-1-5-3",
+    "S-1-5-4",
+    "S-1-5-5",
+    "S-1-5-6",
+    "S-1-5-7",
+    "S-1-5-8",
+    "S-1-5-9",
+    "S-1-5-10",
+    "S-1-5-11",
+    "S-1-5-12",
+    "S-1-5-13",
+    "S-1-5-14",
+    "S-1-5-15",
+    "S-1-5-16",
+    "S-1-5-17",
+    "S-1-5-18",
+    "S-1-5-19",
+    "S-1-5-20",
+    NULL
+};
+
+#endif /* __IPA_MSPAC_H_ */
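Review bot: `char *ipa_mspac_well_known_sids[]` at the top of the hunk is a writable, non-static definition placed in a header, so any second translation unit that includes ipa_mspac.h will fail to link with a duplicate symbol, and the table the KDC will use to filter SIDs out of untrusted incoming PACs lives in writable memory instead of .rodata. Declare it `static const char *const ipa_mspac_well_known_sids[] = {` (or keep only an `extern` declaration here and move the definition into a .c file). The guard `__IPA_MSPAC_H_` is a reserved double-underscore identifier; `IPA_MSPAC_H_` avoids it. The header also does not say whether entries are compared exactly or as prefixes — `S-1-0`, `S-1-1`, `S-1-2`, `S-1-3` and `S-1-5-5` look like authority prefixes rather than complete SIDs, though that is inferred — so a comment such as `/* Well-known SIDs filtered from incoming PACs when no LDAP blacklist is configured; document whether entries match exactly or as prefixes. */` above the table would pin the contract down before the consumer lands.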