[Freeipa-devel] [PATCH] 352-354 Add support for AD users to hbactest command

Simo Sorce simo at redhat.com
Wed Jan 23 13:23:15 UTC 2013


On Wed, 2013-01-23 at 09:10 +0100, Martin Kosek wrote:
> On 01/19/2013 07:35 PM, Simo Sorce wrote:
> > On Fri, 2013-01-18 at 18:24 +0100, Martin Kosek wrote:
> >> How this works:
> >>    1. When a trusted domain user is tested, AD GC is searched
> >>       for the user entry Distinguished Name
> > 
> > My head is not clear today but it looks to me you are doing 2 searches.
> > One to go from samAccountName -> DN and then a second for DN -> SID.
> > 
> > Why are you doing 2 searches ? The first one can return you the
> > ObjectSid already.
> > 
> > Simo.
> 
> I had to do 2 searches because GC refuses to give me tokenGroups attribute
> content when I do not search with exact DN and LDAP SCOPE_BASE. So I have to do
> the first search to find out the DN of the searched user and then a second
> query to get the tokenGroups (and ObjectSid).

I see, yes that makes sense, would you mind adding a comment to this
effect so we do not try to 'optimize' at some point ?
I have no additional concerns then.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
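
The two-step lookup discussed in this thread, as an added example that is not part of the original message or of the FreeIPA patch. It assumes a connection object with python-ldap's `search_s(base, scope, filterstr, attrlist)` call; `user_sids`, `escape_filter`, `make_sid` and `FakeGC` are hypothetical names, and the sample DN and SIDs are constructed so the block runs offline.

```python
import struct

SCOPE_BASE, SCOPE_SUBTREE = 0, 2  # LDAP wire values, equal to python-ldap's ldap.SCOPE_*

def sid_to_str(raw):
    """Decode a binary SID (an objectSid or tokenGroups value) to S-1-... text."""
    rev, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "-".join(["S", str(rev), str(authority)] + [str(s) for s in subs])

def escape_filter(value):
    """Escape RFC 4515 special characters so the name cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def user_sids(conn, base_dn, sam_account_name):
    """Return (user SID, [group SIDs]) using the two searches from the thread."""
    # Search 1: subtree search by name, only to learn the DN ("1.1" = no attributes).
    flt = "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter(sam_account_name)
    hits = [h for h in conn.search_s(base_dn, SCOPE_SUBTREE, flt, ["1.1"]) if h[0]]
    if len(hits) != 1:
        raise LookupError("expected exactly one entry, got %d" % len(hits))
    dn = hits[0][0]
    # Search 2: exact DN with SCOPE_BASE. Do not fold this into search 1: the GC
    # returns tokenGroups only for a base-scope search on the entry itself.
    attrs = conn.search_s(dn, SCOPE_BASE, "(objectClass=*)",
                          ["objectSid", "tokenGroups"])[0][1]
    groups = [sid_to_str(g) for g in attrs.get("tokenGroups", [])]
    return sid_to_str(attrs["objectSid"][0]), groups

def make_sid(rid):
    """Constructed sample SID S-1-5-21-1-2-3-<rid> in binary form."""
    return bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack("<5I", 21, 1, 2, 3, rid)

class FakeGC:
    """Constructed stand-in for a GC connection (hypothetical, for offline runs)."""
    DN = "CN=Test User,CN=Users,DC=ad,DC=example"
    def __init__(self):
        self.calls = []
    def search_s(self, base, scope, filterstr, attrlist):
        self.calls.append((base, scope))
        if scope == SCOPE_BASE and base == self.DN:
            return [(self.DN, {"objectSid": [make_sid(1105)],
                               "tokenGroups": [make_sid(513), make_sid(1201)]})]
        return [(self.DN, {}), (None, ["ldap://constructed.example/"])]

if __name__ == "__main__":
    print(user_sids(FakeGC(), "DC=ad,DC=example", "tuser"))
```

The fake connection also returns a referral tuple on the subtree search, which `user_sids` filters out before checking that exactly one entry matched.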



