On 01/23/2013 02:23 PM, Simo Sorce wrote:
> On Wed, 2013-01-23 at 09:10 +0100, Martin Kosek wrote:
>> On 01/19/2013 07:35 PM, Simo Sorce wrote:
>>> On Fri, 2013-01-18 at 18:24 +0100, Martin Kosek wrote:
>>>> How this works:
>>>>    1. When a trusted domain user is tested, AD GC is searched
>>>>       for the user entry Distinguished Name
>>> My head is not clear today but it looks to me you are doing 2 searches.
>>> One to go from samAccountName -> DNa dn then a second for DN -> SID.
>>> Why are you doing 2 searches ? The first one can return you the
>>> ObjectSid already.
>>> Simo.
>> I had to do 2 searches because GC refuses to give me tokenGroups attribute
>> content when I do not search with exact DN and LDAP SCOPE_BASE. So I have to 
>> do
>> the first search to find out the DN of the searched user and then a second
>> query to get the tokenGroups (and ObjectSid).
> I see, yes that makes sense, would you mind adding a comment to this
> effect so we do not try to 'optimize' at some point ?
> I have no additional concerns then.
> Simo.

Hello Simo,

Thanks for review. Anyway, there is already a relevant comment in dcerpc.py,
where the double search is performed:

    def get_trusted_domain_user_and_groups(self, object_name):
        entries = self.get_trusted_domain_objects(components.get('domain'),
                components.get('flatname'), filter, attrs, _ldap.SCOPE_SUBTREE)

        # Get SIDs of user object and it's groups
        # tokenGroups attribute must be read with scope BASE to avoid search 
        attrs = ['objectSID', 'tokenGroups']

I think it's enough to avoid "optimizing" this process - we would find out the
"optimization" soon anyway, as the tokenGroups search would return error :-)


Freeipa-devel mailing list

Reply via email to