[Freeipa-devel] [PATCH] 352-354 Add support for AD users to hbactest command

Martin Kosek mkosek at redhat.com
Wed Feb 13 12:16:51 UTC 2013


On 02/01/2013 01:35 PM, Martin Kosek wrote:
> On 01/24/2013 03:04 PM, Simo Sorce wrote:
>> On Thu, 2013-01-24 at 08:15 +0100, Martin Kosek wrote:
>>> On 01/23/2013 02:23 PM, Simo Sorce wrote:
>>>> On Wed, 2013-01-23 at 09:10 +0100, Martin Kosek wrote:
>>>>> On 01/19/2013 07:35 PM, Simo Sorce wrote:
>>>>>> On Fri, 2013-01-18 at 18:24 +0100, Martin Kosek wrote:
>>>>>>> How this works:
>>>>>>>    1. When a trusted domain user is tested, AD GC is searched
>>>>>>>       for the user entry Distinguished Name
>>>>>>
>>>>>> My head is not clear today but it looks to me you are doing 2 searches.
>>>>>> One to go from samAccountName -> DN, then a second for DN -> SID.
>>>>>>
>>>>>> Why are you doing 2 searches ? The first one can return you the
>>>>>> ObjectSid already.
>>>>>>
>>>>>> Simo.
>>>>>
>>>>> I had to do 2 searches because GC refuses to give me tokenGroups attribute
>>>>> content when I do not search with exact DN and LDAP SCOPE_BASE. So I have to do
>>>>> the first search to find out the DN of the searched user and then a second
>>>>> query to get the tokenGroups (and ObjectSid).
>>>>
>>>> I see, yes that makes sense, would you mind adding a comment to this
>>>> effect so we do not try to 'optimize' at some point ?
>>>> I have no additional concerns then.
>>>>
>>>> Simo.
>>>>
>>>
>>> Hello Simo,
>>>
>>> Thanks for review. Anyway, there is already a relevant comment in dcerpc.py,
>>> where the double search is performed:
>>>
>>> ...
>>>     def get_trusted_domain_user_and_groups(self, object_name):
>>> ...
>>>         entries = self.get_trusted_domain_objects(components.get('domain'),
>>>                 components.get('flatname'), filter, attrs, _ldap.SCOPE_SUBTREE)
>>>
>>>         # Get SIDs of user object and its groups
>>>         # tokenGroups attribute must be read with scope BASE to avoid search error
>>>         attrs = ['objectSID', 'tokenGroups']
>>> ...
>>>
>>> I think it's enough to avoid "optimizing" this process - we would find out the
>>> "optimization" soon anyway, as the tokenGroups search would return error :-)
>>
>> Perfect!
>>
>> /me just had an eye vision exam, will complain to his doctor :-)
>>
> 
> I enhanced the hbactest to also support user SID, not only trusted domain user
> name. Updated set of patches attached.
> 
> How it works:
> 
> # ipa hbactest --user S-1-5-21-3035198329-144811719-1378114514-500 --host
> `hostname` --service sshd
> --------------------
> Access granted: True
> --------------------
>   Matched rules: can_login
> 
> Martin

Attaching a rebased set of patches.

Martin
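The two-step Global Catalog lookup discussed above, written out as an added illustrative example (it is not FreeIPA's dcerpc.py code): a SCOPE_SUBTREE search by sAMAccountName yields the entry DN, then a SCOPE_BASE search on that DN reads objectSid and tokenGroups. FakeGlobalCatalog, mk_sid, escape_filter and the DC=ad,DC=example entry are constructed stand-ins; the fake mimics python-ldap's search_s signature and enforces the tokenGroups-only-with-SCOPE_BASE behaviour the thread describes.

```python
import re
import struct

SCOPE_BASE, SCOPE_SUBTREE = 0, 2   # same numeric values python-ldap uses

def sid_to_str(blob):
    """Decode a binary SID (objectSid / tokenGroups value) to S-1-... text."""
    rev, count = blob[0], blob[1]
    subs = struct.unpack("<%dI" % count, blob[8:8 + 4 * count])
    return "S-%d-%d-%s" % (rev, int.from_bytes(blob[2:8], "big"), "-".join(map(str, subs)))

def mk_sid(*subs):
    """Build a binary NT-authority (5) SID; used only for the constructed fixture."""
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def escape_filter(value):
    """RFC 4515 escaping so a caller-supplied name cannot alter the filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

class FakeGlobalCatalog:
    """Constructed GC stand-in: tokenGroups is served only by a SCOPE_BASE search."""
    def __init__(self, entries):
        self.entries = entries                      # {dn: {attr: [bytes, ...]}}

    def search_s(self, base, scope, filterstr, attrlist):
        if "tokenGroups" in attrlist and scope != SCOPE_BASE:
            raise RuntimeError("tokenGroups is only returned by a SCOPE_BASE search")
        attr, value = re.fullmatch(r"\((\w+)=(.*)\)", filterstr).groups()
        hits = []
        for dn, attrs in self.entries.items():
            in_scope = dn == base if scope == SCOPE_BASE else dn.endswith(base)
            matched = attr == "objectClass" or value.encode() in attrs.get(attr, [])
            if in_scope and matched:
                hits.append((dn, {a: v for a, v in attrs.items() if a in attrlist}))
        return hits

def get_trusted_domain_user_and_groups(gc, domain_base, name):
    """Step 1: subtree search by sAMAccountName to learn the DN (tokenGroups is not
    requested here). Step 2: SCOPE_BASE search on that DN for objectSid + tokenGroups."""
    hits = gc.search_s(domain_base, SCOPE_SUBTREE,
                       "(sAMAccountName=%s)" % escape_filter(name), ["objectSid"])
    if len(hits) != 1:
        raise LookupError("expected one entry for %r, got %d" % (name, len(hits)))
    dn = hits[0][0]
    (_, attrs), = gc.search_s(dn, SCOPE_BASE, "(objectClass=*)",
                              ["objectSid", "tokenGroups"])
    return (sid_to_str(attrs["objectSid"][0]),
            [sid_to_str(b) for b in attrs.get("tokenGroups", [])])

DOMAIN = (21, 3035198329, 144811719, 1378114514)  # domain part of the SID in the thread
FAKE_GC = FakeGlobalCatalog({"CN=Administrator,CN=Users,DC=ad,DC=example": {   # constructed
    "sAMAccountName": [b"Administrator"], "objectSid": [mk_sid(*DOMAIN, 500)],
    "tokenGroups": [mk_sid(*DOMAIN, 512), mk_sid(*DOMAIN, 513)]}})
```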


-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-352-3-generalize-ad-gc-search.patch
Type: text/x-patch
Size: 12565 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130213/7abe9b5e/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-353-3-do-not-hide-sid-resolver-error-in-group-add-member.patch
Type: text/x-patch
Size: 1377 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130213/7abe9b5e/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-354-3-add-support-for-ad-users-to-hbactest-command.patch
Type: text/x-patch
Size: 8857 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130213/7abe9b5e/attachment-0002.bin>