On 01/23/2013 02:23 PM, Simo Sorce wrote:
> On Wed, 2013-01-23 at 09:10 +0100, Martin Kosek wrote:
>> On 01/19/2013 07:35 PM, Simo Sorce wrote:
>>> On Fri, 2013-01-18 at 18:24 +0100, Martin Kosek wrote:
>>>> How this works:
>>>> 1. When a trusted domain user is tested, AD GC is searched
>>>> for the user entry Distinguished Name
>>> My head is not clear today but it looks to me you are doing 2 searches.
>>> One to go from samAccountName -> DNa dn then a second for DN -> SID.
>>> Why are you doing 2 searches ? The first one can return you the
>>> ObjectSid already.
>> I had to do 2 searches because GC refuses to give me tokenGroups attribute
>> content when I do not search with exact DN and LDAP SCOPE_BASE. So I have to
>> the first search to find out the DN of the searched user and then a second
>> query to get the tokenGroups (and ObjectSid).
> I see, yes that makes sense, would you mind adding a comment to this
> effect so we do not try to 'optimize' at some point ?
> I have no additional concerns then.
Thanks for review. Anyway, there is already a relevant comment in dcerpc.py,
where the double search is performed:
def get_trusted_domain_user_and_groups(self, object_name):
entries = self.get_trusted_domain_objects(components.get('domain'),
components.get('flatname'), filter, attrs, _ldap.SCOPE_SUBTREE)
# Get SIDs of user object and it's groups
# tokenGroups attribute must be read with scope BASE to avoid search
attrs = ['objectSID', 'tokenGroups']
I think it's enough to avoid "optimizing" this process - we would find out the
"optimization" soon anyway, as the tokenGroups search would return error :-)
Freeipa-devel mailing list