[Freeipa-devel] Search global catalog for trusted domain SIDs

Simo Sorce simo at redhat.com
Thu Oct 18 19:15:43 UTC 2012


On Thu, 2012-10-18 at 22:00 +0300, Alexander Bokovoy wrote:
> Hi,
> 
> this is work in progress, shared mostly to get comments.
> 
> Simo, Sumit, this is an attempt to resolve external group members from
> trusted domains using their Global Catalog services.
> 
> The code quickly became complex because it needs to do a lot of
> additional activity. A rough sequence is as follows:
> 1. Match external member against existing trusted domain
> 2. Find trusted domain's domain controller
> 3. Fetch trusted domain account auth info
> 4. Set up ccache in /tmp/krb5cc_TRUSTEDDOMAIN with principal
>     ourdomain$@trusted.domain
> 5. Do LDAP SASL interactive bind using the ccache
> 6. Search for the member's SID
> 7. Decode SID
> 8. Replace an external member name by SID in the group-add-member
>     command
> 
> Right now I'm failing at the SASL interactive bind, as the Global Catalog
> does not accept the credentials in DomainValidator.__resolve_against_gc(),
> perhaps because I'm using LDAP SASL interactive bind wrongly. It is late
> here so I might simply be blind already.
> 
> [Thu Oct 18 21:42:08.924696 2012] [:error] [pid 7831] [client
> 192.168.111.206:0] INVALID_CREDENTIALS: {'info': '8009030B: LdapErr:
> DSID-0C0904DC, comment: AcceptSecurityContext error, data 0, v1db1',
> 'desc': 'Invalid credentials'}

I do not see anything clearly wrong in the patch. I guess Wireshark may
help to understand if there is a difference between your code and
ldapsearch?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
