On Thu, 2013-01-24 at 08:15 +0100, Martin Kosek wrote:
> On 01/23/2013 02:23 PM, Simo Sorce wrote:
> > On Wed, 2013-01-23 at 09:10 +0100, Martin Kosek wrote:
> >> On 01/19/2013 07:35 PM, Simo Sorce wrote:
> >>> On Fri, 2013-01-18 at 18:24 +0100, Martin Kosek wrote:
> >>>> How this works:
> >>>>    1. When a trusted domain user is tested, AD GC is searched
> >>>>       for the user entry Distinguished Name
> >>>
> >>> My head is not clear today but it looks to me you are doing 2 searches.
> >>> One to go from samAccountName -> DN and then a second for DN -> SID.
> >>>
> >>> Why are you doing 2 searches ? The first one can return you the
> >>> ObjectSid already.
> >>>
> >>> Simo.
> >>
> >> I had to do 2 searches because GC refuses to give me tokenGroups attribute
> >> content when I do not search with exact DN and LDAP SCOPE_BASE. So I have to do
> >> the first search to find out the DN of the searched user and then a second
> >> query to get the tokenGroups (and ObjectSid).
> > 
> > I see, yes that makes sense, would you mind adding a comment to this
> > effect so we do not try to 'optimize' at some point ?
> > I have no additional concerns then.
> > 
> > Simo.
> > 
> 
> Hello Simo,
> 
> Thanks for the review. Anyway, there is already a relevant comment in dcerpc.py,
> where the double search is performed:
> 
> ...
>     def get_trusted_domain_user_and_groups(self, object_name):
> ...
>         entries = self.get_trusted_domain_objects(components.get('domain'),
>                 components.get('flatname'), filter, attrs, _ldap.SCOPE_SUBTREE)
> 
>         # Get SIDs of user object and its groups
>         # tokenGroups attribute must be read with scope BASE to avoid search error
>         attrs = ['objectSID', 'tokenGroups']
> ...
> 
> I think it's enough to avoid "optimizing" this process - we would find out the
> "optimization" soon anyway, as the tokenGroups search would return error :-)

Perfect!

/me just had an eye vision exam, will complain to his doctor :-)

-- 
Simo Sorce * Red Hat, Inc * New York
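The two-step lookup Martin describes, as an added Python example that is not the thread's dcerpc.py code: a constructed stand-in for the AD Global Catalog enforces the rule that tokenGroups is only served on a SCOPE_BASE read of an exact DN, and the lookup function does the subtree search for the DN first, then the base read for objectSid and tokenGroups, decoding the binary SIDs on the way. The SCOPE_* constants mirror python-ldap's values; the domain, DN and SIDs are placeholders.

```python
import struct

# Stand-ins for python-ldap's ldap.SCOPE_BASE / ldap.SCOPE_SUBTREE (same numeric values).
SCOPE_BASE, SCOPE_SUBTREE = 0, 2

def sid_to_string(blob):
    """Decode an AD binary SID: revision, sub-auth count, 48-bit authority, sub-auths."""
    rev, count = blob[0], blob[1]
    auth = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:8 + 4 * count])
    return "S-%d-%d-%s" % (rev, auth, "-".join(str(s) for s in subs))

def string_to_sid(text):
    """Inverse of sid_to_string; used here only to build the constructed fixture."""
    rev, auth, *subs = [int(p) for p in text.split("-")[1:]]
    return bytes([rev, len(subs)]) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

class FakeGlobalCatalog:
    """Constructed stand-in for an AD Global Catalog that, like the real one,
    refuses tokenGroups unless the query is a SCOPE_BASE read of one exact DN."""
    def __init__(self, entries):
        self.entries = entries  # {dn: {attribute: [values]}}

    def search_s(self, base, scope, filterstr="(objectClass=*)", attrlist=None):
        if "tokenGroups" in (attrlist or []) and scope != SCOPE_BASE:
            raise RuntimeError("constructed GC error: tokenGroups requires a base-scope search")
        attr, value = filterstr.strip("()").split("=", 1)  # only simple (attr=value) filters
        hits = []
        for dn, entry in self.entries.items():
            in_scope = dn == base if scope == SCOPE_BASE else dn.endswith(base)
            if in_scope and (attr == "objectClass" or value in entry.get(attr, [])):
                hits.append((dn, {a: entry[a] for a in (attrlist or entry) if a in entry}))
        return hits

def get_trusted_domain_user_and_groups(gc, domain_base, sam_account_name):
    """Subtree search for the DN, then a BASE read of it for objectSid and tokenGroups."""
    found = gc.search_s(domain_base, SCOPE_SUBTREE, "(sAMAccountName=%s)" % sam_account_name, ["objectSid"])
    if len(found) != 1:
        raise LookupError("expected exactly one match for %r, got %d" % (sam_account_name, len(found)))
    dn = found[0][0]
    (_, entry), = gc.search_s(dn, SCOPE_BASE, attrlist=["objectSid", "tokenGroups"])
    return sid_to_string(entry["objectSid"][0]), sorted(sid_to_string(b) for b in entry["tokenGroups"])

# Constructed directory content: placeholder domain and SIDs, not real values.
GC = FakeGlobalCatalog({"CN=jdoe,CN=Users,DC=ad,DC=example,DC=test": {
    "sAMAccountName": ["jdoe"],
    "objectSid": [string_to_sid("S-1-5-21-1111-2222-3333-1105")],
    "tokenGroups": [string_to_sid("S-1-5-21-1111-2222-3333-1201"), string_to_sid("S-1-5-21-1111-2222-3333-513")],
}})
```

Asking for tokenGroups in the first, subtree-scoped search makes the stand-in raise, which is the failure Martin says the real GC returns if the two searches were ever "optimized" into one.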

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
