Re: [Freeipa-devel] [PATCH] 0206 adtrust optimize forest root LDAP filter

2016-06-15 Thread Martin Basti



On 15.06.2016 09:02, Martin Babinsky wrote:

On 06/14/2016 04:45 PM, Alexander Bokovoy wrote:

On Tue, 07 Jun 2016, Alexander Bokovoy wrote:

Hi,

`ipa trust-find' command should only show trusted forest root domains

The child domains should be visible via

  ipa trustdomain-find forest.root

The difference between a forest root (or external domain) and child
domains is that the root domain gets the ipaIDObject class to allow assigning a
POSIX ID to the object. This POSIX ID is used by Samba when an Active
Directory domain controller connects as a forest trusted domain object.

Child domains can only talk to IPA via the forest root domain, thus they
don't need a POSIX ID for their TDOs. This gives us a way to
differentiate the objects for the purposes of the 'trust-find' /
'trustdomain-find' commands.

Fixes https://fedorahosted.org/freeipa/ticket/5942


This patch needs review.



ACK.


Pushed to master: 905db92e61c2e56f8cce723e9c9d28e7968eccc4

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH] 0206 adtrust optimize forest root LDAP filter

2016-06-15 Thread Martin Babinsky

On 06/14/2016 04:45 PM, Alexander Bokovoy wrote:

On Tue, 07 Jun 2016, Alexander Bokovoy wrote:


This patch needs review.



ACK.

--
Martin^3 Babinsky



Re: [Freeipa-devel] [PATCH] 0206 adtrust optimize forest root LDAP filter

2016-06-14 Thread Alexander Bokovoy

On Tue, 07 Jun 2016, Alexander Bokovoy wrote:


This patch needs review.

--
/ Alexander Bokovoy



[Freeipa-devel] [PATCH] 0206 adtrust optimize forest root LDAP filter

2016-06-07 Thread Alexander Bokovoy

Hi,

`ipa trust-find' command should only show trusted forest root domains

The child domains should be visible via

  ipa trustdomain-find forest.root

The difference between a forest root (or external domain) and child
domains is that the root domain gets the ipaIDObject class to allow assigning a
POSIX ID to the object. This POSIX ID is used by Samba when an Active
Directory domain controller connects as a forest trusted domain object.

Child domains can only talk to IPA via the forest root domain, thus they
don't need a POSIX ID for their TDOs. This gives us a way to
differentiate the objects for the purposes of the 'trust-find' /
'trustdomain-find' commands.

Fixes https://fedorahosted.org/freeipa/ticket/5942


--
/ Alexander Bokovoy
From 672f62bfe736d28ac1cbd4535f3a841ff9abd52e Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Tue, 7 Jun 2016 18:54:36 +0300
Subject: [PATCH 6/6] adtrust: optimize forest root LDAP filter

`ipa trust-find' command should only show trusted forest root domains

The child domains should be visible via

   ipa trustdomain-find forest.root

The difference between a forest root (or external domain) and child
domains is that the root domain gets the ipaIDObject class to allow assigning a
POSIX ID to the object. This POSIX ID is used by Samba when an Active
Directory domain controller connects as a forest trusted domain object.

Child domains can only talk to IPA via the forest root domain, thus they
don't need a POSIX ID for their TDOs. This gives us a way to
differentiate the objects for the purposes of the 'trust-find' /
'trustdomain-find' commands.

Fixes https://fedorahosted.org/freeipa/ticket/5942
---
 ipaserver/plugins/trust.py | 8 +++-
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py
index f9b48f3..0f4f71a 100644
--- a/ipaserver/plugins/trust.py
+++ b/ipaserver/plugins/trust.py
@@ -485,7 +485,7 @@ class trust(LDAPObject):
 container_dn = api.env.container_trusts
 object_name = _('trust')
 object_name_plural = _('trusts')
-object_class = ['ipaNTTrustedDomain']
+object_class = ['ipaNTTrustedDomain', 'ipaIDObject']
 default_attributes = ['cn', 'ipantflatname', 'ipanttrusteddomainsid',
   'ipanttrusttype', 'ipanttrustattributes',
   'ipanttrustdirection', 'ipanttrustpartner',
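Review bot: extending object_class with 'ipaIDObject' changes both the default search filter LDAPObject derives for this object and the object classes it puts on entries it creates, so the hunk silently depends on every existing forest-root and external TDO already carrying ipaIDObject. The filter removed further down already required `objectclass=ipaIDObject`, which supports that assumption, but it deserves a sentence in the commit message and a check against entries written by older releases. Since the message explains that the root domain gets the class so that a POSIX ID can be assigned, consider whether that ID should also be added to default_attributes so trust-show displays it.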
@@ -577,7 +577,7 @@ class trust(LDAPObject):
 if trust_type is None:
 ldap = self.backend
 trustfilter = ldap.make_filter({
-'objectclass': ['ipaNTTrustedDomain'],
+'objectclass': ['ipaNTTrustedDomain', 'ipaIDObject'],
 'cn': [keys[-1]]},
 rules=ldap.MATCH_ALL
 )
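Review bot: with rules=ldap.MATCH_ALL the lookup now requires both object classes and the cn, so a child-domain name passed to a trust command no longer resolves here and falls through to whatever not-found handling follows the hunk; please confirm the resulting error names the entry rather than a generic failure, and that the trustdomain-* commands, which do operate on child domains, do not share this code path. The list ['ipaNTTrustedDomain', 'ipaIDObject'] is now repeated here and in object_class; referencing self.object_class or one module-level constant would keep the two from drifting apart.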
@@ -1074,9 +1074,7 @@ class trust_find(LDAPSearch):
 # search needs to be done on a sub-tree scope
 def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, 
**options):
 # list only trust, not trust domains
-trust_filter = 
'(&(ipaNTTrustPartner=*)(&(objectclass=ipaIDObject)(objectclass=ipaNTTrustedDomain)))'
-filter = ldap.combine_filters((filters, trust_filter), 
rules=ldap.MATCH_ALL)
-return (filter, base_dn, ldap.SCOPE_SUBTREE)
+return (filters, base_dn, ldap.SCOPE_SUBTREE)
 
 def execute(self, *args, **options):
 result = super(trust_find, self).execute(*args, **options)
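Review bot: the removed filter also required `(ipaNTTrustPartner=*)`, and nothing in the remaining code replaces that presence test, so an entry carrying both object classes but no ipaNTTrustPartner would now be listed by trust-find. If the attribute is mandatory for ipaNTTrustedDomain in the schema, say so in the commit message; otherwise keep the presence test and combine it with `filters` as before. The comment `# list only trust, not trust domains` above the return should now explain that the restriction comes from object_class on the trust object, since the method itself no longer restricts anything. As a side benefit the local `filter` that shadowed the builtin is gone.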
-- 
2.7.4

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
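The following is an added example, not code from FreeIPA or from the patch above. It models the rule the commit message describes: a forest root or external trust carries both ipaNTTrustedDomain and ipaIDObject, a child domain only ipaNTTrustedDomain, and `trust-find` / `trustdomain-find` select on exactly that difference. The sample entries, the constructed DN suffix, and the helper names (`make_filter`, `parse_filter`, `matches`, `trust_find`, `trust_dn`, `trustdomain_find`) are assumptions made for this example; only the filter strings mirror the ones in the patch, and the small filter parser covers just the AND / equality / presence forms those filters use.

```python
# Added example, not FreeIPA code: models the objectClass-based split between
# `ipa trust-find` and `ipa trustdomain-find` described in the patch. Sample
# entries, DNs and helper names are assumptions for this example; only the
# filter strings mirror the patch.

def _entry(dn, object_classes, cn):
    # Constructed search result: lower-cased attribute names, list values.
    return {"dn": dn, "objectclass": object_classes + ["top"],
            "cn": [cn], "ipanttrustpartner": [cn]}

TRUSTS_BASE = "cn=ad,cn=trusts,dc=ipa,dc=example,dc=test"   # constructed suffix
ENTRIES = [
    # forest root TDO: carries ipaIDObject so Samba can give it a POSIX ID
    _entry("cn=ad.example.test," + TRUSTS_BASE,
           ["ipaNTTrustedDomain", "ipaIDObject"], "ad.example.test"),
    # child domain: stored below the root entry, no ipaIDObject
    _entry("cn=child.ad.example.test,cn=ad.example.test," + TRUSTS_BASE,
           ["ipaNTTrustedDomain"], "child.ad.example.test"),
    # external (non-forest) trust: root level, also carries ipaIDObject
    _entry("cn=ext.example.test," + TRUSTS_BASE,
           ["ipaNTTrustedDomain", "ipaIDObject"], "ext.example.test"),
]

TRUST_OBJECT_CLASSES = ["ipaNTTrustedDomain", "ipaIDObject"]  # trust object
TRUSTDOMAIN_OBJECT_CLASSES = ["ipaNTTrustedDomain"]           # trust domain
# The explicit filter that the trust_find hunk of the patch removes.
LEGACY_TRUST_FILTER = ("(&(ipaNTTrustPartner=*)"
                       "(&(objectclass=ipaIDObject)(objectclass=ipaNTTrustedDomain)))")

def make_filter(attrs):
    """Build an RFC 4515 filter from {attr: [values]}, AND-ing every pair
    (the rules=MATCH_ALL behaviour the patch relies on)."""
    parts = ["(%s=%s)" % (attr.lower(), value)
             for attr, values in attrs.items() for value in values]
    return parts[0] if len(parts) == 1 else "(&%s)" % "".join(parts)

def parse_filter(text):
    """Parse the subset used here: (&<filter>...), (attr=value), (attr=*)."""
    node, rest = _parse(text.strip())
    if rest:
        raise ValueError("trailing data after filter: %r" % rest)
    return node

def _parse(s):
    if not s.startswith("("):
        raise ValueError("expected '(' at %r" % s[:10])
    s = s[1:]
    if s.startswith("&"):
        s, children = s[1:], []
        while s.startswith("("):
            child, s = _parse(s)
            children.append(child)
        if not s.startswith(")"):
            raise ValueError("unterminated AND group")
        return ("&", children), s[1:]
    end = s.index(")")
    attr, _, value = s[:end].partition("=")
    return ("=", attr.lower(), value), s[end + 1:]

def matches(node, entry):
    """Evaluate a parsed filter against one entry (values compare case-insensitively)."""
    if node[0] == "&":
        return all(matches(child, entry) for child in node[1])
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":                       # presence test
        return bool(values)
    return any(v.lower() == value.lower() for v in values)

def trust_find(entries, filter_text=None):
    """`ipa trust-find`: after the patch the filter comes purely from the trust
    object's object_class list; pass LEGACY_TRUST_FILTER for the old behaviour."""
    flt = parse_filter(filter_text or make_filter({"objectclass": TRUST_OBJECT_CLASSES}))
    return [e["cn"][0] for e in entries if matches(flt, e)]

def trust_dn(entries, cn):
    """Resolve a trust by name as the second hunk does: both object classes plus
    cn are required, so a child domain name yields None."""
    flt = parse_filter(make_filter({"objectclass": TRUST_OBJECT_CLASSES, "cn": [cn]}))
    return next((e["dn"] for e in entries if matches(flt, e)), None)

def trustdomain_find(entries, forest_root):
    """`ipa trustdomain-find forest.root`: ipaNTTrustedDomain entries stored
    below the root's own entry, the root itself excluded."""
    root_dn = trust_dn(entries, forest_root)
    if root_dn is None:
        return []
    flt = parse_filter(make_filter({"objectclass": TRUSTDOMAIN_OBJECT_CLASSES}))
    suffix = "," + root_dn.lower()
    return [e["cn"][0] for e in entries
            if e["dn"].lower().endswith(suffix) and matches(flt, e)]

if __name__ == "__main__":
    print("trust-find:", trust_find(ENTRIES))
    print("trustdomain-find ad.example.test:",
          trustdomain_find(ENTRIES, "ad.example.test"))
```

Running the block lists the forest root and the external trust for `trust-find` and only the child domain for `trustdomain-find ad.example.test`. Passing `LEGACY_TRUST_FILTER` to `trust_find` gives the same result on these entries, which is the equivalence the patch relies on; the one case where the two differ is an entry with both object classes but no ipaNTTrustPartner, which the legacy filter's presence test would exclude and the new object_class-derived filter would not.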