[Freeipa-devel] [PATCH] 352-354 Add support for AD users to hbactest command

Martin Kosek mkosek at redhat.com
Fri Feb 1 12:35:03 UTC 2013 

On 01/24/2013 03:04 PM, Simo Sorce wrote:
> On Thu, 2013-01-24 at 08:15 +0100, Martin Kosek wrote:
>> On 01/23/2013 02:23 PM, Simo Sorce wrote:
>>> On Wed, 2013-01-23 at 09:10 +0100, Martin Kosek wrote:
>>>> On 01/19/2013 07:35 PM, Simo Sorce wrote:
>>>>> On Fri, 2013-01-18 at 18:24 +0100, Martin Kosek wrote:
>>>>>> How this works:
>>>>>>    1. When a trusted domain user is tested, AD GC is searched
>>>>>>       for the user entry Distinguished Name
>>>>>
>>>>> My head is not clear today but it looks to me you are doing 2 searches.
>>>>> One to go from samAccountName -> DNa dn then a second for DN -> SID.
>>>>>
>>>>> Why are you doing 2 searches ? The first one can return you the
>>>>> ObjectSid already.
>>>>>
>>>>> Simo.
>>>>
>>>> I had to do 2 searches because GC refuses to give me tokenGroups attribute
>>>> content when I do not search with exact DN and LDAP SCOPE_BASE. So I have to do
>>>> the first search to find out the DN of the searched user and then a second
>>>> query to get the tokenGroups (and ObjectSid).
>>>
>>> I see, yes that makes sense, would you mind adding a comment to this
>>> effect so we do not try to 'optimize' at some point ?
>>> I have no additional concerns then.
>>>
>>> Simo.
>>>
>>
>> Hello Simo,
>>
>> Thanks for review. Anyway, there is already a relevant comment in dcerpc.py,
>> where the double search is performed:
>>
>> ...
>>     def get_trusted_domain_user_and_groups(self, object_name):
>> ...
>>         entries = self.get_trusted_domain_objects(components.get('domain'),
>>                 components.get('flatname'), filter, attrs, _ldap.SCOPE_SUBTREE)
>>
>>         # Get SIDs of user object and it's groups
>>         # tokenGroups attribute must be read with scope BASE to avoid search error
>>         attrs = ['objectSID', 'tokenGroups']
>> ...
>>
>> I think it's enough to avoid "optimizing" this process - we would find out the
>> "optimization" soon anyway, as the tokenGroups search would return error :-)
> 
> Perfect!
> 
> /me just had an eye vision exam, will complain to his doctor :-)
> 

I enhanced the hbactest to also support user SID, not only trusted domain user
name. Updated set of patches attached.

How it works:

# ipa hbactest --user S-1-5-21-3035198329-144811719-1378114514-500 --host
`hostname` --service sshd
--------------------
Access granted: True
--------------------
  Matched rules: can_login

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-352-2-generalize-ad-gc-search.patch
Type: text/x-patch
Size: 12566 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130201/5b60b2a9/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-353-2-do-not-hide-sid-resolver-error-in-group-add-member.patch
Type: text/x-patch
Size: 1378 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130201/5b60b2a9/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-354-2-add-support-for-ad-users-to-hbactest-command.patch
Type: text/x-patch
Size: 9256 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130201/5b60b2a9/attachment-0002.bin>

More information about the Freeipa-devel mailing list