shanks / freeipa

Forked from freeipa 5 years ago

0946e6f Add support for AD users to hbactest command

Authored and Committed by mkosek 11 years ago
    Add support for AD users to hbactest command
    
    How this works:
      1. When a trusted domain user is tested, AD GC is searched
         for the user entry Distinguished Name
      2. The user entry is then read from AD GC and its SID and SIDs
         of all its assigned groups (tokenGroups attribute) are retrieved
      3. The SIDs are then used to search IPA LDAP database to find
         all external groups which have any of these SIDs as external
         members
      4. All these groups having these groups as direct or indirect
         members are added to hbactest allowing it to perform the search
    
    LIMITATIONS:
    - only Trusted Admins group members can use this function as it
      uses the secret for the IPA-trusted domain link
    - List of group SIDs does not contain group memberships outside
      of the trusted domain
    
    https://fedorahosted.org/freeipa/ticket/2997
    
        
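Steps 3 and 4 of the commit message, modelled as an added Python example that is not FreeIPA code and does no LDAP I/O: the AD GC result (user SID plus tokenGroups SIDs) and the IPA group tree are constructed inline, the IPA search filter is built the way a practitioner would before handing SIDs received from a foreign directory to an LDAP query (RFC 4515 escaping plus a SID shape check), and the direct/indirect membership walk is done over the in-memory groups. The object class `ipaexternalgroup` and attribute `ipaExternalMember` are my reading of the FreeIPA schema; the group names, SIDs and the choice to include the external groups themselves in the result are assumptions of this example.

```python
import re

# Constructed stand-in for the AD Global Catalog lookup (steps 1-2): the tested
# user's own SID plus the SIDs from its tokenGroups attribute. As the commit
# notes, tokenGroups only covers groups inside the trusted domain.
AD_USER_SIDS = {
    "S-1-5-21-1111-2222-3333-1105",  # the user itself
    "S-1-5-21-1111-2222-3333-513",   # Domain Users
    "S-1-5-21-1111-2222-3333-1200",  # an AD group, say "ad-admins"
}

# Constructed stand-in for IPA LDAP group entries keyed by cn. External groups
# carry ipaExternalMember SIDs; ordinary groups carry member cns.
IPA_GROUPS = {
    "ad_admins_external": {"ipaexternalgroup": True,
                           "ipaExternalMember": ["S-1-5-21-1111-2222-3333-1200"]},
    "ad_users_external":  {"ipaexternalgroup": True,
                           "ipaExternalMember": ["S-1-5-21-1111-2222-3333-513"]},
    "ad_admins": {"member": ["ad_admins_external"]},
    "ad_users":  {"member": ["ad_users_external"]},
    "sysadmins": {"member": ["ad_admins"]},      # indirect: sysadmins -> ad_admins -> ad_admins_external
    "unrelated": {"member": ["some_other_group"]},
}

# Textual SID: S-1-<authority>-<one to fourteen sub-authorities>.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+){1,14}$")


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in an LDAP search filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))


def external_group_filter(sids):
    """Build the IPA search filter for step 3 from SIDs obtained from AD.

    Values are checked against the SID grammar and escaped before being
    placed in the filter, so data from the trusted domain cannot alter
    the query structure (for example by injecting '*' or ')(').
    """
    valid = sorted(s for s in sids if SID_RE.match(s))
    if not valid:
        raise ValueError("no well-formed SIDs to search for")
    terms = "".join("(ipaExternalMember=%s)" % escape_filter_value(s) for s in valid)
    return "(&(objectClass=ipaexternalgroup)(|%s))" % terms


def external_groups_for(sids, groups):
    """Step 3 over in-memory entries: external groups listing any SID as member."""
    wanted = {s for s in sids if SID_RE.match(s)}
    return {cn for cn, attrs in groups.items()
            if attrs.get("ipaexternalgroup")
            and wanted.intersection(attrs.get("ipaExternalMember", []))}


def groups_containing(seeds, groups):
    """Step 4: every group that has a seed as a direct or indirect member.

    Builds a child -> parents index and walks it upward; the visited set
    makes the walk terminate even if the group graph contains a cycle.
    """
    parents = {}
    for cn, attrs in groups.items():
        for member in attrs.get("member", []):
            parents.setdefault(member, set()).add(cn)
    found = set()
    stack = list(seeds)
    while stack:
        child = stack.pop()
        for parent in parents.get(child, ()):
            if parent not in found:
                found.add(parent)
                stack.append(parent)
    return found


def hbac_groups_for_ad_user(sids, groups):
    """Group set handed to the HBAC evaluation for a trusted-domain user."""
    ext = external_groups_for(sids, groups)
    return ext | groups_containing(ext, groups)


if __name__ == "__main__":
    print(external_group_filter(AD_USER_SIDS))
    print(sorted(hbac_groups_for_ad_user(AD_USER_SIDS, IPA_GROUPS)))
```

Note that `unrelated` never appears in the result even though it has members, and that `sysadmins` does appear although it lists no external group directly; that indirect case is what step 4 of the commit message is about.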
file modified
+131 -10
file modified
+56 -0