Hi,

with my patches 0109-0110, Tomas' patch 0076, and my patch to SSSD to
provide the pysss.getgrouplist() API, it is now possible to prefer resolving
SIDs through SSSD before we go and hit AD LDAP. This should help with
both caching and allowing more regular admins to set up mapping of AD
users and test HBAC rules with them.

You would need SSSD git master (758ce3f01b4ed73c3bc35cd7039fac26fdf16386
or later) in order to test this patch. I'm not adding a version increase
for the SSSD dependency because the change to SSSD will be in 1.11
anyway.

--
/ Alexander Bokovoy
>From 106d51ef0474f71dc8af701986bbcb9c5adf0b63 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Fri, 19 Jul 2013 17:04:14 +0300
Subject: [PATCH 4/4] ipaserver/dcerpc: attempt to resolve SIDs through SSSD
 first

Attempt to resolve SIDs through SSSD first to avoid using the trust
account password. This makes it possible to run HBAC test requests
without being in the 'trusted admins' group.

https://fedorahosted.org/freeipa/ticket/3803
---
 ipalib/plugins/hbactest.py |  9 +++------
 ipaserver/dcerpc.py        | 45 ++++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 47 insertions(+), 7 deletions(-)

diff --git a/ipalib/plugins/hbactest.py b/ipalib/plugins/hbactest.py
index 9cc497c..fed39b0 100644
--- a/ipalib/plugins/hbactest.py
+++ b/ipalib/plugins/hbactest.py
@@ -400,17 +400,14 @@ class hbactest(Command):
                 ldap = self.api.Backend.ldap2
                 group_container = DN(api.env.container_group, api.env.basedn)
                 try:
-                    entries, truncated = ldap.find_entries(filter_sids, ['cn', 
'memberOf'], group_container)
+                    entries, truncated = ldap.find_entries(filter_sids, 
['cn'], group_container)
                 except errors.NotFound:
                     request.user.groups = []
                 else:
                     groups = []
                     for dn, entry in entries:
-                        memberof_dns = entry.get('memberof', [])
-                        for memberof_dn in memberof_dns:
-                            if memberof_dn.endswith(group_container):
-                                # this is a group object
-                                groups.append(memberof_dn[0][0].value)
+                        if dn.endswith(group_container):
+                            groups.append(dn[0][0].value)
                     request.user.groups = sorted(set(groups))
             else:
                 # try searching for a local user
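Review bot: The `truncated` flag returned by `ldap.find_entries` on the new search line is unpacked and then ignored, so when the SID search hits a size or time limit the HBAC test is evaluated against an incomplete `request.user.groups` and can report the wrong verdict. Surface that state before the group list is used, e.g. `if truncated: raise errors.LimitsExceeded()` right after the search, or at least carry a warning into the result. The enclosing `hbactest` method begins and ends outside this hunk.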
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 88ad928..4660842 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -53,6 +53,8 @@ from ipapython.ipaldap import IPAdmin
 from ipalib.session import krbccache_dir, krbccache_prefix
 from dns import resolver, rdatatype
 from dns.exception import DNSException
+import pysss_nss_idmap
+import pysss
 
 __doc__ = _("""
 Classes to manage trust joins using DCE-RPC calls
@@ -312,6 +314,12 @@ class DomainValidator(object):
         return entries
 
     def get_trusted_domain_object_sid(self, object_name):
+        result = pysss_nss_idmap.getsidbyname(object_name)
+        if object_name in result and (pysss_nss_idmap.SID_KEY in 
result[object_name]):
+            object_sid = result[object_name][pysss_nss_idmap.SID_KEY]
+            return object_sid
+
+        # Else, we are going to contact AD DC LDAP
         components = normalize_name(object_name)
         if not ('domain' in components or 'flatname' in components):
             # No domain or realm specified, ambiguous search
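Review bot: The SSSD answer on the added lines is returned without the domain check the LDAP path below applies: `normalize_name` rejects a bare name as ambiguous, but `pysss_nss_idmap.getsidbyname` is consulted before that check, so if SSSD can resolve names that are not from a trusted domain (IPA's own users, for instance) the method would now hand back their SID instead of raising. If that is not intended, move the SSSD lookup after the `components` validation, or check the returned SID's domain prefix against the known trusted domains before returning it. The method continues past the end of the hunk.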
@@ -337,7 +345,7 @@ class DomainValidator(object):
             raise errors.ValidationError(name=_('trusted domain object'),
                error= _('Trusted domain did not return a valid SID for the 
object'))
 
-    def get_trusted_domain_user_and_groups(self, object_name):
+    def __get_trusted_domain_user_and_groups(self, object_name):
         """
         Returns a tuple with user SID and a list of SIDs of all groups he is
         a member of.
@@ -393,6 +401,41 @@ class DomainValidator(object):
         group_sids = [self.__sid_to_str(sid) for sid in 
entries[0][1]['tokenGroups']]
         return (object_sid, group_sids)
 
+    def get_trusted_domain_user_and_groups(self, object_name):
+        """
+        Returns a tuple with user SID and a list of SIDs of all groups he is
+        a member of.
+
+        First attempts to perform SID lookup via SSSD and in case of failure
+        resorts back to checking trusted domain's AD DC LDAP directly.
+
+        LIMITATIONS:
+            - only Trusted Admins group members can use this function as it
+              uses secret for IPA-Trusted domain link if SSSD lookup failed
+            - List of group SIDs does not contain group memberships outside
+              of the trusted domain
+        """
+        group_sids = None
+        group_list = None
+        object_sid = None
+        is_valid_sid = is_sid_valid(object_name)
+        if is_valid_sid:
+            object_sid = object_name
+            result = pysss_nss_idmap.getnamebysid(object_name)
+            if object_name in result and (pysss_nss_idmap.NAME_KEY in 
result[object_name]):
+                group_list = 
pysss.getgrouplist(result[object_name][pysss_nss_idmap.NAME_KEY])
+        else:
+            result = pysss_nss_idmap.getsidbyname(object_name)
+            if object_name in result and (pysss_nss_idmap.SID_KEY in 
result[object_name]):
+                object_sid = result[object_name][pysss_nss_idmap.SID_KEY]
+                group_list = pysss.getgrouplist(object_name)
+
+        if not group_list:
+            return self.__get_trusted_domain_user_and_groups(object_name)
+
+        group_sids = pysss_nss_idmap.getsidbyname(group_list)
+        return (object_sid, [el[1][pysss_nss_idmap.SID_KEY] for el in 
group_sids.items()])
+
     def __sid_to_str(self, sid):
         """
         Converts binary SID to string representation
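Review bot: The comprehension on the last added lines indexes `el[1][pysss_nss_idmap.SID_KEY]` without the `SID_KEY in ...` guard used for the single-name lookups above it, so one group that SSSD knows by name but cannot map to a SID raises `KeyError` from inside the HBAC test instead of falling back. `[v[pysss_nss_idmap.SID_KEY] for v in group_sids.values() if pysss_nss_idmap.SID_KEY in v]` keeps the two lookups consistent. Separately, `if not group_list` treats an empty membership list the same as a failed lookup and falls through to the AD DC LDAP path with the trust account credentials, which is what this change is meant to avoid; if `pysss.getgrouplist` can legitimately return `[]` for a known user, test `group_list is None` instead. The initial `group_sids = None` is never read before reassignment and can be dropped.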
-- 
1.8.3.1
