[Freeipa-devel] [PATCH] 352-354 Add support for AD users to hbactest command
Martin Kosek
mkosek at redhat.com
Wed Jan 23 08:10:45 UTC 2013
On 01/19/2013 07:35 PM, Simo Sorce wrote:
> On Fri, 2013-01-18 at 18:24 +0100, Martin Kosek wrote:
>> How this works:
>> 1. When a trusted domain user is tested, AD GC is searched
>> for the user entry Distinguished Name
>
> My head is not clear today but it looks to me you are doing 2 searches.
> One to go from samAccountName -> DN, then a second for DN -> SID.
>
> Why are you doing 2 searches? The first one can return you the
> ObjectSid already.
>
> Simo.

I had to do 2 searches because GC refuses to give me the tokenGroups attribute
content when I do not search with exact DN and LDAP SCOPE_BASE. So I have to do
the first search to find out the DN of the searched user and then a second
query to get the tokenGroups (and ObjectSid).

Martin
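
The two-search lookup discussed in this thread, as an added example that is not part of the original messages or of FreeIPA's code. The names `user_sids`, `sid_to_str` and `escape_filter` are hypothetical, and `conn` is assumed to be an already bound connection object with a python-ldap style `search_s` method.

```python
import struct

# LDAP search scope values from RFC 4511 (the same numbers python-ldap
# exposes as ldap.SCOPE_BASE and ldap.SCOPE_SUBTREE).
SCOPE_BASE, SCOPE_SUBTREE = 0, 2


def sid_to_str(raw):
    """Decode a binary objectSid/tokenGroups value into S-1-... form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")        # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])      # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def escape_filter(value):
    """Escape RFC 4515 special characters so a login cannot alter the filter."""
    out = []
    for ch in value:
        out.append("\\%02x" % ord(ch) if ch in "\\*()\0" else ch)
    return "".join(out)


def user_sids(conn, base_dn, login):
    """Return (user SID, [group SIDs]) using the two searches from the thread.

    Hypothetical helper: conn is assumed to be bound to the Global Catalog.
    """
    # Search 1: subtree search, used only to learn the user's DN.
    flt = "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter(login)
    hits = conn.search_s(base_dn, SCOPE_SUBTREE, flt, ["distinguishedName"])
    hits = [h for h in hits if h[0] is not None]       # drop search references
    if len(hits) != 1:
        raise LookupError("expected exactly one entry, got %d" % len(hits))
    dn = hits[0][0]
    # Search 2: base-scope search on that exact DN, which is the only form
    # for which the GC returns tokenGroups according to the thread.
    _, attrs = conn.search_s(dn, SCOPE_BASE, "(objectClass=*)",
                             ["objectSid", "tokenGroups"])[0]
    return (sid_to_str(attrs["objectSid"][0]),
            [sid_to_str(v) for v in attrs.get("tokenGroups", [])])
```

Refusing anything other than exactly one match in the first search keeps an ambiguous or wildcard login from resolving to the wrong account's group SIDs.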