authorMartin Kosek <mkosek@redhat.com>2014-04-23 14:32:01 +0200
committerPetr Viktorin <pviktori@redhat.com>2014-04-28 16:18:55 +0200
commit5d832c342608fd567ea258c1d506cae28f6b0abf (patch)
tree901b3144ff2616c4c9b097fded8cc42ec9b7b314
parent7eb12f1fb51e94ad851721c167461d75366dfeb9 (diff)
Make trust objects available to regular users
With global read ACI removed, some of the trust and trustdomain attributes are not available. Make trust plugin resilient to these missing attributes and let it return the available information. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-rw-r--r--ipalib/plugins/trust.py30
1 files changed, 19 insertions, 11 deletions
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index bff44053f..9799e4c41 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -379,7 +379,7 @@ class trust(LDAPObject):
ldap = self.backend
filter = ldap.make_filter({'objectclass': ['ipaNTTrustedDomain'], 'cn': [keys[-1]] },
rules=ldap.MATCH_ALL)
- filter = ldap.combine_filters((filter, "ipaNTSIDBlacklistIncoming=*"), rules=ldap.MATCH_ALL)
+ filter = ldap.combine_filters((filter, "ipaNTSecurityIdentifier=*"), rules=ldap.MATCH_ALL)
result = ldap.get_entries(DN(self.container_dn, self.env.basedn),
ldap.SCOPE_SUBTREE, filter, [''])
if len(result) > 1:
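Review bot: The new discriminator `ipaNTSecurityIdentifier=*` only selects trusts for a caller whose ACIs grant search rights on that attribute. A directory server normally treats a filter component the bound user may not search as non-matching, so a missing permission would show up here as "trust not found" rather than as an access error. The same filter string is used in `trust_find.pre_callback` in the next hunk. Both assumptions are worth recording next to the filter, for example `# ipaNTSecurityIdentifier is searchable by regular users and is set on trust entries only, never on trust domains`, and worth covering with a test that runs the lookup as an unprivileged user. The enclosing method starts and ends outside the hunk.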
@@ -762,7 +762,7 @@ class trust_find(LDAPSearch):
# search needs to be done on a sub-tree scope
def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options):
# list only trust, not trust domains
- trust_filter = '(ipaNTSIDBlacklistIncoming=*)'
+ trust_filter = '(ipaNTSecurityIdentifier=*)'
filter = ldap.combine_filters((filters, trust_filter), rules=ldap.MATCH_ALL)
return (filter, base_dn, ldap.SCOPE_SUBTREE)
@@ -772,7 +772,8 @@ class trust_find(LDAPSearch):
for attrs in entries:
# Translate ipanttrusttype to trusttype if --raw not used
- if not options.get('raw', False):
+ trust_type = attrs.get('ipanttrusttype', [None])[0]
+ if not options.get('raw', False) and trust_type is not None:
attrs['trusttype'] = trust_type_string(attrs['ipanttrusttype'][0])
del attrs['ipanttrusttype']
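Review bot: The guard computes `trust_type`, but the translation line below it still re-reads `attrs['ipanttrusttype'][0]`, so the checked value and the used value are two separate lookups. `attrs['trusttype'] = trust_type_string(trust_type)` uses the value that was just tested, which matches how the `trust_show` hunk is written. `attrs.get('ipanttrusttype', [None])[0]` would also raise IndexError if the attribute is present with an empty value list; that looks unlikely for an LDAP result but the visible code does not rule it out. The loop's enclosing method starts outside the hunk.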
@@ -791,13 +792,15 @@ class trust_show(LDAPRetrieve):
# if --raw not used
if not options.get('raw', False):
- type_str = trust_type_string(entry_attrs['ipanttrusttype'][0])
- dir_str = trust_direction_string(entry_attrs['ipanttrustdirection']
- [0])
- entry_attrs['trusttype'] = [type_str]
- entry_attrs['trustdirection'] = [dir_str]
- del entry_attrs['ipanttrusttype']
- del entry_attrs['ipanttrustdirection']
+ trust_type = entry_attrs.get('ipanttrusttype', [None])[0]
+ if trust_type is not None:
+ entry_attrs['trusttype'] = trust_type_string(trust_type)
+ del entry_attrs['ipanttrusttype']
+
+ dir_str = entry_attrs.get('ipanttrustdirection', [None])[0]
+ if dir_str is not None:
+ entry_attrs['trustdirection'] = [trust_direction_string(dir_str)]
+ del entry_attrs['ipanttrustdirection']
return dn
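Review bot: `entry_attrs['trusttype']` is now assigned a bare string, whereas the removed code stored `[type_str]` and the new `trustdirection` line still stores a one-element list. If the list wrapper was dropped unintentionally, callers and output formatting that expect a multi-valued attribute will see a different shape only for `trusttype`; `entry_attrs['trusttype'] = [trust_type_string(trust_type)]` keeps the previous contract. The name `dir_str` now holds the raw `ipanttrustdirection` value rather than the translated string, so something like `trust_dir` would read more accurately. The enclosing callback starts outside the hunk.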
@@ -1187,7 +1190,12 @@ class trustdomain_find(LDAPSearch):
trust_entry = ldap.get_entry(trust_dn)
for entry in entries:
sid = entry['ipanttrusteddomainsid'][0]
- if sid in trust_entry['ipantsidblacklistincoming']:
+
+ blacklist = trust_entry.get('ipantsidblacklistincoming')
+ if blacklist is None:
+ continue
+
+ if sid in blacklist:
entry['domain_enabled'] = [False]
else:
entry['domain_enabled'] = [True]
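Review bot: When `ipantsidblacklistincoming` is absent the loop silently omits `domain_enabled`, and the code does not say whether absence means "caller may not read the blacklist" or "no SID is blacklisted". A comment such as `# blacklist not readable by this user: enabled state is unknown, so do not report it` would make clear that the field is being withheld rather than defaulted. The lookup does not depend on `entry`, so it can be done once before the `for` loop. `entry['ipanttrusteddomainsid'][0]` is still an unguarded index and, if that attribute is also hidden from regular users, would raise the same KeyError this commit removes elsewhere. The enclosing method starts outside the hunk.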