From bb75f5a5836ea011b8920f8bb8d58c1f4cd9b4c8 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Mon, 6 Jun 2016 11:41:46 +0300 Subject: adtrust: support UPNs for trusted domain users Add support for additional user name principal suffixes from trusted Active Directory forests. UPN suffixes are property of the forest and as such are associated with the forest root domain. FreeIPA stores UPN suffixes as ipaNTAdditionalSuffixes multi-valued attribute of ipaNTTrustedDomain object class. In order to look up UPN suffixes, netr_DsRGetForestTrustInformation LSA RPC call is used instead of netr_DsrEnumerateDomainTrusts. For more details on UPN and naming in Active Directory see https://technet.microsoft.com/en-us/library/cc739093%28v=ws.10%29.aspx https://fedorahosted.org/freeipa/ticket/5354 Reviewed-By: Martin Babinsky
---
 daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
(limited to 'daemons/ipa-slapi-plugins')
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
index 84b1b9af4..e629247fd 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
@@ -1023,8 +1023,13 @@ static int handle_name_request(struct ipa_extdom_ctx *ctx,
 char *buf = NULL;
 struct sss_nss_kv *kv_list = NULL;
- ret = asprintf(&fq_name, "%s%c%s", name, SSSD_DOMAIN_SEPARATOR,
- domain_name);
+ if (strchr(name, SSSD_DOMAIN_SEPARATOR) == NULL) {
+ ret = asprintf(&fq_name, "%s%c%s", name, SSSD_DOMAIN_SEPARATOR,
+ domain_name);
+ } else {
+ /* SSSD_DOMAIN_SEPARATOR already present, assume UPN */
+ ret = asprintf(&fq_name, "%s", name);
+ }
 if (ret == -1) {
 ret = LDAP_OPERATIONS_ERROR;
 set_err_msg(req, "Failed to create fully qualified name");
-- cgit
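Review bot: In the new `else` branch the request's `domain_name` is dropped entirely: any client-supplied `name` that contains `SSSD_DOMAIN_SEPARATOR` is copied into `fq_name` unchanged. The domain the lookup resolves in is therefore chosen by the name string alone. If callers rely on `domain_name` to scope the result, the domain of the object returned by the later lookup should be compared with `domain_name` before the reply is built. At minimum the comment should state the assumption, e.g. `/* name is used as a UPN; domain_name is not applied on this path, SSSD maps the suffix to a trusted domain */`. `handle_name_request` starts and continues outside the hunk, so whether `name` is checked for NULL or for a leading or trailing separator before the `strchr()` call cannot be seen here and is worth confirming.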