On Thu, 2012-10-18 at 22:00 +0300, Alexander Bokovoy wrote:
> Hi,
> this is work in progress, shared mostly to get comments.
> Simo, Sumit, this is an attempt to resolve external group members from
> trusted domains using their Global Catalog services.
> The code quickly became complex because it needs to do a lot of
> additional activity. A rough sequence is following:
> 1. Match external member against existing trusted domain
> 2. Find trusted domain's domain controller
> 3. Fetch trusted domain account auth info
> 4. Set up ccache in /tmp/krb5cc_TRUSTEDDOMAIN with principal
>     ourdomain$@trusted.domain
> 5. Do LDAP SASL interactive bind using the ccache
> 6. Search for the member's SID
> 7. Decode SID
> 8. Replace an external member name by SID in the group-add-member
>     command
> Right now I'm failing at SASL interactive bind as Global Catalog does
> not accept the credentials in DomainValidator.__resolve_against_gc(),
> perhaps because I'm using LDAP SASL interactive bind wrongly. It is late
> here so I might simply be blind already.
> [Thu Oct 18 21:42:08.924696 2012] [:error] [pid 7831] [client
>] INVALID_CREDENTIALS: {'info': '8009030B: LdapErr:
> DSID-0C0904DC, comment: AcceptSecurityContext error, data 0, v1db1',
> 'desc': 'Invalid credentials'}

I do not see anything clearly wrong in the patch, I guess wireshark may
help to understand if there is a difference between your code and
ldapsearch ?


Simo Sorce * Red Hat, Inc * New York

Freeipa-devel mailing list

Reply via email to