diff options
| author | Alexander Bokovoy <abokovoy@redhat.com> | 2016-06-06 11:41:46 +0300 |
|---|---|---|
| committer | Martin Basti <mbasti@redhat.com> | 2016-06-11 17:25:50 +0200 |
| commit | bb75f5a5836ea011b8920f8bb8d58c1f4cd9b4c8 (patch) | |
| tree | 108fedb3d09df8b2030e66702d3d3c2b4aaf701f /ACI.txt | |
| parent | b506fd178edbf1553ca581c44ac6697f88ead125 (diff) | |
| download | freeipa-bb75f5a5836ea011b8920f8bb8d58c1f4cd9b4c8.tar.gz freeipa-bb75f5a5836ea011b8920f8bb8d58c1f4cd9b4c8.tar.xz freeipa-bb75f5a5836ea011b8920f8bb8d58c1f4cd9b4c8.zip | |
adtrust: support UPNs for trusted domain users
Add support for additional user name principal suffixes from
trusted Active Directory forests. UPN suffixes are property
of the forest and as such are associated with the forest root
domain.
FreeIPA stores UPN suffixes as ipaNTAdditionalSuffixes multi-valued
attribute of ipaNTTrustedDomain object class.
In order to look up UPN suffixes, netr_DsRGetForestTrustInformation
LSA RPC call is used instead of netr_DsrEnumerateDomainTrusts.
For more details on UPN and naming in Active Directory see
https://technet.microsoft.com/en-us/library/cc739093%28v=ws.10%29.aspx
https://fedorahosted.org/freeipa/ticket/5354
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Diffstat (limited to 'ACI.txt')
| -rw-r--r-- | ACI.txt | 2 |
1 files changed, 1 insertions, 1 deletions
@@ -309,7 +309,7 @@ aci: (targetattr = "cmdcategory || cn || createtimestamp || description || entry dn: dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || objectclass || ou || sudocommand || sudohost || sudonotafter || sudonotbefore || sudooption || sudoorder || sudorunas || sudorunasgroup || sudorunasuser || sudouser")(target = "ldap:///ou=sudoers,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Sudoers compat tree";allow (compare,read,search) userdn = "ldap:///anyone";) dn: cn=trusts,dc=ipa,dc=example -aci: (targetattr = "cn || createtimestamp || entryusn || ipantflatname || ipantsecurityidentifier || ipantsidblacklistincoming || ipantsidblacklistoutgoing || ipanttrustdirection || ipanttrusteddomainsid || ipanttrustpartner || modifytimestamp || objectclass")(version 3.0;acl "permission:System: Read Trust Information";allow (compare,read,search) userdn = "ldap:///all";) +aci: (targetattr = "cn || createtimestamp || entryusn || ipantadditionalsuffixes || ipantflatname || ipantsecurityidentifier || ipantsidblacklistincoming || ipantsidblacklistoutgoing || ipanttrustdirection || ipanttrusteddomainsid || ipanttrustpartner || modifytimestamp || objectclass")(version 3.0;acl "permission:System: Read Trust Information";allow (compare,read,search) userdn = "ldap:///all";) dn: cn=trusts,dc=ipa,dc=example aci: (targetattr = "gidnumber || krbprincipalname || uidnumber")(version 3.0;acl "permission:System: Read system trust accounts";allow (compare,read,search) groupdn = "ldap:///cn=System: Read system trust accounts,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=groups,cn=accounts,dc=ipa,dc=example |