On Thu, 2013-01-24 at 08:15 +0100, Martin Kosek wrote:
> On 01/23/2013 02:23 PM, Simo Sorce wrote:
> > On Wed, 2013-01-23 at 09:10 +0100, Martin Kosek wrote:
> >> On 01/19/2013 07:35 PM, Simo Sorce wrote:
> >>> On Fri, 2013-01-18 at 18:24 +0100, Martin Kosek wrote:
> >>>> How this works:
> >>>> 1. When a trusted domain user is tested, AD GC is searched
> >>>> for the user entry Distinguished Name
> >>>
> >>> My head is not clear today but it looks to me you are doing 2 searches.
> >>> One to go from samAccountName -> DN and then a second for DN -> SID.
> >>>
> >>> Why are you doing 2 searches? The first one can return you the
> >>> ObjectSid already.
> >>>
> >>> Simo.
> >>
> >> I had to do 2 searches because GC refuses to give me tokenGroups attribute
> >> content when I do not search with exact DN and LDAP SCOPE_BASE. So I have
> >> to do the first search to find out the DN of the searched user and then a second
> >> query to get the tokenGroups (and ObjectSid).
> >
> > I see, yes that makes sense, would you mind adding a comment to this
> > effect so we do not try to 'optimize' at some point?
> > I have no additional concerns then.
> >
> > Simo.
>
> Hello Simo,
>
> Thanks for the review. Anyway, there is already a relevant comment in dcerpc.py,
> where the double search is performed:
>
> ...
> def get_trusted_domain_user_and_groups(self, object_name):
> ...
>     entries = self.get_trusted_domain_objects(components.get('domain'),
>                                               components.get('flatname'), filter, attrs,
>                                               _ldap.SCOPE_SUBTREE)
>
>     # Get SIDs of user object and its groups
>     # tokenGroups attribute must be read with scope BASE to avoid search error
>     attrs = ['objectSID', 'tokenGroups']
> ...
>
> I think it's enough to avoid "optimizing" this process - we would find out the
> "optimization" soon anyway, as the tokenGroups search would return an error :-)
Perfect!
/me just had an eye vision exam, will complain to his doctor :-)

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
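The two-step lookup the thread settles on (subtree search by sAMAccountName to find the DN, then a base-scope read of that DN for objectSid and tokenGroups), shown as an added example. This is not FreeIPA's dcerpc.py code: the Global Catalog connection is a constructed stand-in whose search_s mirrors the shape of python-ldap's method and refuses tokenGroups outside a SCOPE_BASE read, the SID decoding helpers, the filter-escaping helper and the sample entry for jdoe are all assumptions made for the example, and single_search_attempt exists only to show why the "optimisation" fails.

```python
import re
import struct

# Same numeric values python-ldap exposes as ldap.SCOPE_BASE / ldap.SCOPE_SUBTREE,
# defined locally so the example runs without the ldap module installed.
SCOPE_BASE = 0
SCOPE_SUBTREE = 2


class LdapError(Exception):
    """Stand-in for the error a real directory server would return."""


def escape_filter_value(value):
    """RFC 4515 escaping of a value interpolated into a filter (added here, not in the
    thread's snippet) so a caller-supplied account name cannot alter the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def sid_bytes_to_string(raw):
    """Decode a binary SID (an objectSid or tokenGroups value) into S-1-... form."""
    revision, sub_count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % sub_count, raw[8:8 + 4 * sub_count])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_string_to_bytes(sid):
    """Inverse of sid_bytes_to_string; used only to build the constructed sample data."""
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    return (bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


class FakeGlobalCatalog:
    """Constructed stand-in for an LDAP connection to an AD Global Catalog.
    tokenGroups is a constructed attribute; as the thread describes, the server
    only hands it out for a SCOPE_BASE read of the exact object DN."""

    def __init__(self, entries):
        self.entries = entries  # dn -> {attribute: [values]}

    def search_s(self, base, scope, filterstr, attrlist):
        wanted = {a.lower() for a in attrlist}  # LDAP attribute names are case-insensitive
        if scope == SCOPE_BASE:
            attrs = self.entries.get(base)
            if attrs is None:
                raise LdapError("noSuchObject: %s" % base)
            return [(base, {k: v for k, v in attrs.items() if k.lower() in wanted})]
        if "tokengroups" in wanted:
            raise LdapError("operationsError: tokenGroups requires a base-scope search")
        # The stand-in honours only the sAMAccountName term of the filter.
        m = re.search(r"\(sAMAccountName=([^)]*)\)", filterstr)
        name = m.group(1) if m else None
        return [(dn, {k: v for k, v in attrs.items() if k.lower() in wanted})
                for dn, attrs in self.entries.items()
                if name is None or attrs["sAMAccountName"][0].decode() == name]


def get_trusted_domain_user_and_groups(conn, gc_base, sam_account_name):
    """Resolve a trusted-domain user to (user SID string, sorted group SID strings)."""
    # Search 1: subtree search by sAMAccountName yields the entry DN (objectSid comes along).
    filt = "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(sam_account_name)
    found = conn.search_s(gc_base, SCOPE_SUBTREE, filt, ["objectSid"])
    if len(found) != 1:
        raise LookupError("expected exactly one user entry, got %d" % len(found))
    dn, _ = found[0]
    # Search 2: base-scope read of that DN, the only way to obtain tokenGroups.
    (_, attrs), = conn.search_s(dn, SCOPE_BASE, "(objectClass=*)", ["objectSid", "tokenGroups"])
    user_sid = sid_bytes_to_string(attrs["objectSid"][0])
    group_sids = sorted(sid_bytes_to_string(v) for v in attrs.get("tokenGroups", []))
    return user_sid, group_sids


def single_search_attempt(conn, gc_base, sam_account_name):
    """The 'optimisation' the thread warns against: requesting tokenGroups in the
    subtree search. Against the stand-in (and a real GC) this raises an error."""
    filt = "(sAMAccountName=%s)" % escape_filter_value(sam_account_name)
    return conn.search_s(gc_base, SCOPE_SUBTREE, filt, ["objectSid", "tokenGroups"])


# Constructed sample data: one user in a fictitious trusted domain.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
GC_BASE = "DC=ad,DC=example,DC=test"
SAMPLE_GC = FakeGlobalCatalog({
    "CN=Jane Doe,CN=Users," + GC_BASE: {
        "objectClass": [b"top", b"person", b"user"],
        "sAMAccountName": [b"jdoe"],
        "objectSid": [sid_string_to_bytes(DOMAIN_SID + "-1105")],
        "tokenGroups": [sid_string_to_bytes(DOMAIN_SID + "-513"),
                        sid_string_to_bytes("S-1-5-32-545")],
    },
})
```

Running `get_trusted_domain_user_and_groups(SAMPLE_GC, GC_BASE, "jdoe")` returns the user's SID together with the domain group and the builtin Users group from tokenGroups, while `single_search_attempt` with the same arguments raises `LdapError`, which is the failure the thread expects a future "optimisation" to hit. The `len(found) != 1` check matters in the real deployment too: a lookup that silently takes the first of several matches would map one account name to another user's DN and group set.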