author | Alexander Bokovoy <abokovoy@redhat.com> | 2016-06-07 18:54:36 +0300 |
---|---|---|
committer | Martin Basti <mbasti@redhat.com> | 2016-06-15 10:02:33 +0200 |
commit | 905db92e61c2e56f8cce723e9c9d28e7968eccc4 (patch) | |
tree | e12c02dcfd3de596c8a9d587a4162779b554c699 /ipaserver | |
parent | 5e5df4abf037161d9c9d9fd5e6051f861dff4bd1 (diff) | |
adtrust: optimize forest root LDAP filter
`ipa trust-find' command should only show trusted forest root domains
The child domains should be visible via
ipa trustdomain-find forest.root
The difference between forest root (or external domain) and child
domains is that root domain gets ipaIDObject class to allow assigning a
POSIX ID to the object. This POSIX ID is used by Samba when an Active
Directory domain controller connects as forest trusted domain object.
Child domains can only talk to IPA via forest root domain, thus they
don't need POSIX ID for their TDOs. This gives us a way to
differentiate objects for the purpose of the 'trust-find' /
'trustdomain-find' commands.
Fixes https://fedorahosted.org/freeipa/ticket/5942
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Diffstat (limited to 'ipaserver')
-rw-r--r-- | ipaserver/plugins/trust.py | 8 |
1 files changed, 3 insertions, 5 deletions
diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py
index 02d2e0e81..932089b68 100644
--- a/ipaserver/plugins/trust.py
+++ b/ipaserver/plugins/trust.py
@@ -485,7 +485,7 @@ class trust(LDAPObject):
 container_dn = api.env.container_trusts
 object_name = _('trust')
 object_name_plural = _('trusts')
- object_class = ['ipaNTTrustedDomain']
+ object_class = ['ipaNTTrustedDomain', 'ipaIDObject']
 default_attributes = ['cn', 'ipantflatname', 'ipanttrusteddomainsid', 'ipanttrusttype', 'ipanttrustattributes', 'ipanttrustdirection', 'ipanttrustpartner',
@@ -577,7 +577,7 @@ class trust(LDAPObject):
 if trust_type is None:
 ldap = self.backend
 trustfilter = ldap.make_filter({
- 'objectclass': ['ipaNTTrustedDomain'],
+ 'objectclass': ['ipaNTTrustedDomain', 'ipaIDObject'],
 'cn': [keys[-1]]},
 rules=ldap.MATCH_ALL
 )
@@ -1074,9 +1074,7 @@ class trust_find(LDAPSearch):
 # search needs to be done on a sub-tree scope
 def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options):
 # list only trust, not trust domains
- trust_filter = '(&(ipaNTTrustPartner=*)(&(objectclass=ipaIDObject)(objectclass=ipaNTTrustedDomain)))'
- filter = ldap.combine_filters((filters, trust_filter), rules=ldap.MATCH_ALL)
- return (filter, base_dn, ldap.SCOPE_SUBTREE)
+ return (filters, base_dn, ldap.SCOPE_SUBTREE)

 def execute(self, *args, **options):
 result = super(trust_find, self).execute(*args, **options) |
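Review bot: In the trust_find.pre_callback hunk (line 1074) the comment `# list only trust, not trust domains` no longer describes the line below it, because the method now only widens the scope and the restriction to forest-root TDOs comes from the `object_class` list changed in the hunk at line 485. Suggest rewording it to `# trust.object_class (ipaNTTrustedDomain + ipaIDObject) already excludes child-domain TDOs; only the scope needs widening here`. The removed filter additionally required `ipaNTTrustPartner=*`, and the default object-class filter does not, so an entry carrying both object classes but no ipaNTTrustPartner would now be listed where it was not before; presumably no such entry exists, but it is worth confirming since every search on the trust object, not just trust-find, now uses the widened object_class. The pre_callback method ends inside the hunk; the trust_find class continues past it.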