From fb11384e65d74b6a027bf8cfe9f93e003bba5236 Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Mar 16 2016 12:50:56 +0000
Subject: Fix broken trust warnings


Warning should be shown only for parent entries of trust domain. Subdomains do not contain ipaNTSecurityIdentifier attribute at all.

https://fedorahosted.org/freeipa/ticket/5737

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

---

diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 3b4376f..d6b3e11 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -581,7 +581,9 @@ class trust(LDAPObject):
 
         try:
             entries, truncated = ldap.find_entries(
-                base_dn=DN(self.container_dn, self.api.env.basedn),
+                base_dn=DN(self.api.env.container_adtrusts,
+                           self.api.env.basedn),
+                scope=ldap.SCOPE_ONELEVEL,
                 attrs_list=['cn'],
                 filter='(&(ipaNTTrustPartner=*)'
                        '(!(ipaNTSecurityIdentifier=*)))',