From 9c2797d27989428de573d75e643c2cd74065216f Mon Sep 17 00:00:00 2001
From: Martin Basti
Date: Feb 23 2016 16:57:21 +0000
Subject: trusts: use ipaNTTrustPartner attribute to detect trust entries

Trust entries were found by presence of ipaNTSecurityIdentifier attribute. Unfortunately this attribute might not be there due the bug. As replacement for this, attribute ipaNTTrustPartner can be used. Note: other non trust entries located in cn=trusts subtree can be cross-realm principals. https://fedorahosted.org/freeipa/ticket/5665
Reviewed-By: Alexander Bokovoy
Reviewed-By: Tomas Babej
---
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 7f925b7..e8b7a4d 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -552,8 +552,11 @@ class trust(LDAPObject):
 rules=ldap.MATCH_ALL
 )
+ # more type of objects can be located in subtree (for example
+ # cross-realm principals). we need this attr do detect trust
+ # entries
 trustfilter = ldap.combine_filters(
- (trustfilter, "ipaNTSecurityIdentifier=*"),
+ (trustfilter, "ipaNTTrustPartner=*"),
 rules=ldap.MATCH_ALL
 )
@@ -1025,7 +1028,7 @@ class trust_find(LDAPSearch):
 # search needs to be done on a sub-tree scope
 def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options):
 # list only trust, not trust domains
- trust_filter = '(ipaNTSecurityIdentifier=*)'
+ trust_filter = '(ipaNTTrustPartner=*)'
 filter = ldap.combine_filters((filters, trust_filter), rules=ldap.MATCH_ALL)
 return (filter, base_dn, ldap.SCOPE_SUBTREE)
diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
index 0a55475..61f48e5 100644
--- a/ipaserver/install/plugins/adtrust.py
+++ b/ipaserver/install/plugins/adtrust.py
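Review bot: The three-line comment added just before `trustfilter = ldap.combine_filters(` in the first hunk of ipalib/plugins/trust.py has two slips (`more type of objects`, `we need this attr do detect`) and, more importantly, does not say why ipaNTSecurityIdentifier was dropped, which only the commit message records. Suggest `# more types of objects can be located in the subtree (for example cross-realm principals); ipaNTTrustPartner is required to detect trust entries, because ipaNTSecurityIdentifier may be missing on existing trusts (ticket 5665)`. Without that reason in the code, a later maintainer may reasonably put the SID presence test back. The enclosing method starts and ends outside the hunk.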
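Review bot: The literal `'(ipaNTTrustPartner=*)'` assigned to `trust_filter` in `trust_find.pre_callback` is the same presence test that the first hunk builds into the trust object's filter and that ipaserver/install/plugins/adtrust.py now hard-codes a third time, so the three sites can only drift apart. A single module-level constant in trust.py, e.g. `TRUST_PRESENCE_FILTER = '(ipaNTTrustPartner=*)'`, used by both sites in this file would keep the definition of "what is a trust entry" in one place; the installer plugin could reuse it if it already imports from this module, which the hunk does not show. The rest of `pre_callback` (the `filter` variable that shadows the builtin) is pre-existing and not part of this change.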
@@ -296,7 +296,7 @@ class update_sids(Updater):
 attrs_list=["cn"],
 # more types of trusts can be stored under cn=trusts, we need
 # the type with ipaNTTrustPartner attribute
- filter="(!(%s=*))" % attr_name
+ filter="(&(ipaNTTrustPartner=*)(!(%s=*)))" % attr_name
 )
 except errors.NotFound:
 pass
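Review bot: The new `filter="(&(ipaNTTrustPartner=*)(!(%s=*)))" % attr_name` composes an LDAP filter by string interpolation, while the two sites in ipalib/plugins/trust.py changed by the same commit build the identical presence test with `ldap.combine_filters(..., rules=ldap.MATCH_ALL)`; if an ldap handle with that helper is reachable in this updater, using it here would keep one way of composing filters. The interpolation is only safe while `attr_name` is an attribute type chosen in code, which appears to be the case but is decided outside the hunk, so a short comment such as `# attr_name is a fixed attribute type, never caller input` would make the assumption explicit. The surrounding try block begins before the hunk; the `except errors.NotFound: pass` it ends with treats "no trust entries without the attribute" as nothing to update, which is presumably intended for an updater.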