diff options
Diffstat (limited to 'ipaserver/dcerpc.py')
-rw-r--r-- | ipaserver/dcerpc.py | 56 |
1 files changed, 56 insertions, 0 deletions
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 56d8b031..6243ebbb 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -275,6 +275,62 @@ class DomainValidator(object): raise errors.ValidationError(name=_('trusted domain object'), error= _('Trusted domain did not return a valid SID for the object')) + def get_trusted_domain_user_and_groups(self, object_name): + """ + Returns a tuple with user SID and a list of SIDs of all groups he is + a member of. + + LIMITATIONS: + - only Trusted Admins group members can use this function as it + uses secret for IPA-Trusted domain link + - List of group SIDs does not contain group memberships outside + of the trusted domain + """ + components = normalize_name(object_name) + domain = components.get('domain') + flatname = components.get('flatname') + name = components.get('name') + + is_valid_sid = is_sid_valid(object_name) + if is_valid_sid: + # Find a trusted domain for the SID + domain = self.get_domain_by_sid(object_name) + # Now search a trusted domain for a user with this SID + attrs = ['cn'] + filter = '(&(objectClass=user)(objectSid=%(sid)s))' \ + % dict(sid=object_name) + try: + entries = self.get_trusted_domain_objects(domain=domain, filter=filter, + attrs=attrs, scope=_ldap.SCOPE_SUBTREE) + except errors.NotFound: + raise errors.NotFound(reason=_('trusted domain user not found')) + user_dn = entries[0][0] + elif domain or flatname: + attrs = ['cn'] + filter = '(&(sAMAccountName=%(name)s)(objectClass=user))' \ + % dict(name=name) + try: + entries = self.get_trusted_domain_objects(domain, + flatname, filter, attrs, _ldap.SCOPE_SUBTREE) + except errors.NotFound: + raise errors.NotFound(reason=_('trusted domain user not found')) + user_dn = entries[0][0] + else: + # No domain or realm specified, ambiguous search + raise errors.ValidationError(name=_('trusted domain object'), + error= _('Ambiguous search, user domain was not specified')) + + # Get SIDs of user object and it's groups + # tokenGroups attribute must be read with a scope BASE for a known user + # distinguished name to avoid search error + attrs = ['objectSID', 'tokenGroups'] + filter = "(objectClass=user)" + entries = self.get_trusted_domain_objects(domain, + flatname, filter, attrs, _ldap.SCOPE_BASE, user_dn) + object_sid = self.__sid_to_str(entries[0][1]['objectSid'][0]) + group_sids = [self.__sid_to_str(sid) for sid in entries[0][1]['tokenGroups']] + return (object_sid, group_sids) + def __sid_to_str(self, sid): """ Converts binary SID to string representation |