author | Martin Basti <mbasti@redhat.com> | 2016-02-22 17:36:01 +0100 |
---|---|---|
committer | Martin Basti <mbasti@redhat.com> | 2016-02-23 17:35:20 +0100 |
commit | 70bd7c880259256840f2d4af181fb3e4ca96fcca (patch) | |
tree | bee71eba3be73d52ccc81ee3f41a16c9f5bec556 /ipalib/plugins | |
parent | 9818e463f5d0a91b300801ee7c8f31f25de402b2 (diff) | |
trusts: use ipaNTTrustPartner attribute to detect trust entries
Trust entries were found by presence of ipaNTSecurityIdentifier
attribute. Unfortunately this attribute might not be there due to the bug.
As replacement for this, attribute ipaNTTrustPartner can be used.
Note: other non trust entries located in cn=trusts subtree can be
cross-realm principals.
https://fedorahosted.org/freeipa/ticket/5665
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Diffstat (limited to 'ipalib/plugins')
-rw-r--r-- | ipalib/plugins/trust.py | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index 19d8b53fd..f68b94b9a 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -563,8 +563,11 @@ class trust(LDAPObject): rules=ldap.MATCH_ALL ) + # more type of objects can be located in subtree (for example + # cross-realm principals). we need this attr do detect trust + # entries trustfilter = ldap.combine_filters( - (trustfilter, "ipaNTSecurityIdentifier=*"), + (trustfilter, "ipaNTTrustPartner=*"), rules=ldap.MATCH_ALL ) @@ -1036,7 +1039,7 @@ class trust_find(LDAPSearch): # search needs to be done on a sub-tree scope def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options): # list only trust, not trust domains - trust_filter = '(ipaNTSecurityIdentifier=*)' + trust_filter = '(ipaNTTrustPartner=*)' filter = ldap.combine_filters((filters, trust_filter), rules=ldap.MATCH_ALL) return (filter, base_dn, ldap.SCOPE_SUBTREE) |
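Review bot: The comment added above `trustfilter = ldap.combine_filters(` in the first hunk has a typo ("do detect") and does not say why the previous attribute was dropped; I would word it as `# other objects (e.g. cross-realm principals) live in this subtree;` followed by `# ipaNTTrustPartner marks trust entries, ipaNTSecurityIdentifier may be missing`. Entries that lack ipaNTSecurityIdentifier now pass this filter, so any code after the lookup that reads the SID from the returned entry should tolerate its absence; that code is outside the hunk, so this is something to confirm rather than a shown defect. The same attribute literal is repeated in trust_find.pre_callback in the second hunk, and a single module-level constant would keep the two filters from drifting apart.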
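Review bot: The retained comment `# list only trust, not trust domains` in trust_find.pre_callback may no longer match what `trust_filter = '(ipaNTTrustPartner=*)'` selects. It holds only if child trust-domain entries never carry ipaNTTrustPartner, which nothing in this hunk shows; if they can, a subtree-scope search would return them alongside the trust itself. I would confirm that against how trust-domain entries are written and state the assumption in the comment, for example `# trust entries only: cross-realm principals under cn=trusts lack ipaNTTrustPartner`. A test that runs trust-find against a trust with a child domain and a cross-realm principal present would pin the intended result.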