[Freeipa-devel] [PATCH] 352-354 Add support for AD users to hbactest command

Martin Kosek mkosek at redhat.com
Thu Jan 24 07:15:20 UTC 2013


On 01/23/2013 02:23 PM, Simo Sorce wrote:
> On Wed, 2013-01-23 at 09:10 +0100, Martin Kosek wrote:
>> On 01/19/2013 07:35 PM, Simo Sorce wrote:
>>> On Fri, 2013-01-18 at 18:24 +0100, Martin Kosek wrote:
>>>> How this works:
>>>>    1. When a trusted domain user is tested, AD GC is searched
>>>>       for the user entry Distinguished Name
>>>
>>> My head is not clear today but it looks to me you are doing 2 searches.
>>> One to go from samAccountName -> DN and then a second for DN -> SID.
>>>
>>> Why are you doing 2 searches? The first one can return you the
>>> ObjectSid already.
>>>
>>> Simo.
>>
>> I had to do 2 searches because GC refuses to give me tokenGroups attribute
>> content when I do not search with exact DN and LDAP SCOPE_BASE. So I have to do
>> the first search to find out the DN of the searched user and then a second
>> query to get the tokenGroups (and ObjectSid).
> 
> I see, yes that makes sense, would you mind adding a comment to this
> effect so we do not try to 'optimize' at some point?
> I have no additional concerns then.
> 
> Simo.
> 

Hello Simo,

Thanks for the review. Anyway, there is already a relevant comment in dcerpc.py,
where the double search is performed:

...
    def get_trusted_domain_user_and_groups(self, object_name):
...
        entries = self.get_trusted_domain_objects(components.get('domain'),
                components.get('flatname'), filter, attrs, _ldap.SCOPE_SUBTREE)

        # Get SIDs of user object and its groups
        # tokenGroups attribute must be read with scope BASE to avoid search error
        attrs = ['objectSID', 'tokenGroups']
...

I think it's enough to avoid "optimizing" this process - we would find out the
"optimization" soon anyway, as the tokenGroups search would return an error :-)

Martin
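The two-step lookup discussed in this thread, as an added example that is not FreeIPA's dcerpc.py and not part of the original message. It models the constraint Martin describes: the Global Catalog serves the constructed tokenGroups attribute only for a SCOPE_BASE read of one exact DN, so the first subtree search resolves sAMAccountName to a DN and the second base search on that DN reads objectSid and tokenGroups. The GC (`FakeGlobalCatalog`), the domain `ad.example.test`, the user `jdoe` and every SID below are constructed stand-ins; the binary SID layout decoded by `sid_to_str` is the standard one (revision, sub-authority count, 48-bit big-endian authority, little-endian 32-bit sub-authorities).

```python
"""Two-step trusted-domain user lookup against an AD Global Catalog (added example)."""
import struct

SCOPE_BASE = 0
SCOPE_SUBTREE = 2


def sid_to_str(blob):
    """Decode a binary SID into its S-1-5-... string form."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID blob length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")          # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, blob[8:])         # uint32, little-endian
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def str_to_sid(text):
    """Inverse of sid_to_str; used here only to build the constructed directory."""
    parts = text.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    blob = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return blob + b"".join(struct.pack("<I", s) for s in subs)


class FakeGlobalCatalog:
    """In-memory stand-in (constructed) for a GC that enforces the tokenGroups rule."""

    def __init__(self, entries):
        self.entries = entries  # dn -> {attribute: value}

    def search(self, base, scope, attr_filter, attrs):
        if "tokenGroups" in attrs and scope != SCOPE_BASE:
            # Mimics the real GC: tokenGroups is computed only for a
            # base-scope read of a single object, any other scope is an error.
            raise LookupError("tokenGroups requires SCOPE_BASE on the exact DN")
        results = []
        for dn, entry in self.entries.items():
            if scope == SCOPE_BASE and dn.lower() != base.lower():
                continue
            if scope == SCOPE_SUBTREE and not dn.lower().endswith(base.lower()):
                continue
            if any(str(entry.get(k, "")).lower() != v.lower()
                   for k, v in attr_filter.items()):
                continue
            results.append((dn, {a: entry[a] for a in attrs if a in entry}))
        return results


def get_trusted_domain_user_and_groups(gc, domain_base, sam_account_name):
    """Return (user SID string, [group SID strings]) using two searches."""
    # Search 1: subtree search by sAMAccountName; the DN comes back with every hit.
    found = gc.search(domain_base, SCOPE_SUBTREE,
                      {"sAMAccountName": sam_account_name}, [])
    if len(found) != 1:
        raise LookupError("expected exactly one user named %r, got %d"
                          % (sam_account_name, len(found)))
    dn = found[0][0]
    # Search 2: base search on that exact DN; tokenGroups is only served this way.
    found = gc.search(dn, SCOPE_BASE, {}, ["objectSid", "tokenGroups"])
    attrs = found[0][1]
    user_sid = sid_to_str(attrs["objectSid"])
    group_sids = [sid_to_str(g) for g in attrs.get("tokenGroups", [])]
    return user_sid, group_sids


def single_search_works(gc, domain_base, sam_account_name):
    """The tempting 'optimization': one subtree search asking for everything.
    Returns False when the GC rejects it, which is what the real GC does."""
    try:
        gc.search(domain_base, SCOPE_SUBTREE,
                  {"sAMAccountName": sam_account_name}, ["objectSid", "tokenGroups"])
    except LookupError:
        return False
    return True


# Constructed sample directory for the (made-up) trusted domain ad.example.test.
DOMAIN_BASE = "DC=ad,DC=example,DC=test"
_DOM = "S-1-5-21-1111-2222-3333"
SAMPLE_ENTRIES = {
    "CN=John Doe,CN=Users," + DOMAIN_BASE: {
        "sAMAccountName": "jdoe",
        "objectSid": str_to_sid(_DOM + "-1105"),
        "tokenGroups": [str_to_sid(_DOM + "-513"), str_to_sid(_DOM + "-1200")],
    },
    "CN=Domain Users,CN=Users," + DOMAIN_BASE: {
        "sAMAccountName": "Domain Users",
        "objectSid": str_to_sid(_DOM + "-513"),
    },
}
GC = FakeGlobalCatalog(SAMPLE_ENTRIES)

if __name__ == "__main__":
    print(get_trusted_domain_user_and_groups(GC, DOMAIN_BASE, "jdoe"))
    print("single search works:", single_search_works(GC, DOMAIN_BASE, "jdoe"))
```

`single_search_works` is the check a reviewer can run to see why the comment in dcerpc.py matters: collapsing the two searches into one subtree search is rejected by the GC, so the code fails fast rather than silently returning a user without group SIDs. Against a real GC the same logic would use an LDAP client's search call with the two scopes; the fake only replaces the transport.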