Univention Bugzilla – Attachment 9794 Details for
Bug 39345
urlencode ldap base in slapd.conf
[patch]
Add ldap/base check for some templates
templates.part.patch (text/plain), 8.37 KB, created by
Martin Castillo
on 2019-01-08 15:10 CET
Description:
Add ldap/base check for some templates
Filename:
MIME Type:
Creator:
Martin Castillo
Created:
2019-01-08 15:10 CET
Size:
8.37 KB
patch
obsolete
>diff --git a/management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/40univention-ldap-server_database b/management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/40univention-ldap-server_database
>index 64c8b1a872..4513a531cb 100644
>--- a/management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/40univention-ldap-server_database
>+++ b/management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/40univention-ldap-server_database
>@@ -2,6 +2,17 @@
> modulepath /usr/lib/ldap
> moduleload back_@%@ldap/database/type@%@.so
> @!@
>+import ldap
>+
>+def print_checked_base(confpart):
>+ if not ldap.dn.is_dn(configRegistry['ldap/base']):
>+ import sys
>+ errmsg = '#Error: ucr key âldap/baseâ is not a valid dn!'
>+ print >>sys.stderr, errmsg
>+ print errmsg
>+ print '#', # quote the following template line
>+ print confpart
>+
> if configRegistry.get('ldap/translogfile'):
> print "moduleload\ttranslog.so"
> if configRegistry.is_true('ldap/k5pwd', True):
>@@ -16,7 +27,7 @@ print 'moduleload\tconstraint.so'
> 
> print '\n'
> print 'database\t%(ldap/database/type)s' % configRegistry
>-print 'suffix\t\t"%(ldap/base)s"' % configRegistry
>+print_checked_base('suffix\t\t"%(ldap/base)s"' % configRegistry)
> 
> print ''
> if configRegistry.get('ldap/translogfile'):
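Review bot: `print_checked_base` quotes only the first line of `confpart` — the `print '#',` prefix lands on one line and `print confpart` follows — so a caller passing a multi-line block (the 62univention-ldap-server_acl-portal hunk does) still emits most of it unquoted; prefixing every line, `for line in confpart.splitlines(): print '#' + line`, or aborting the render instead of writing a known-bad slapd.conf would be more robust. The `ldap.dn.is_dn` call re-parses the same UCR value on every line; evaluating it once at the top of the `@!@` block, `base_is_dn = ldap.dn.is_dn(configRegistry['ldap/base'])`, is cheaper and reads better, and the function-local `import sys` belongs next to `import ldap`. The same helper is copy-pasted verbatim into 60univention-ldap-server_acl-master and 62univention-ldap-server_acl-portal; one shared definition would keep the three templates from drifting. The error string shows as `âldap/baseâ` here, which looks like UTF-8 quotes mis-decoded by the page; if the file really contains non-ASCII bytes, a Python 2 template block without an encoding declaration may not tolerate them — worth confirming against the committed file.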
>@@ -114,11 +125,11 @@ for key in configRegistry.get('ldap/limits', '').split(';'):
> 
> print
> if configRegistry['ldap/server/type'] == "master":
>- print 'rootdn\t\t"cn=admin,%(ldap/base)s"' % configRegistry
>+ print_checked_base('rootdn\t\t"cn=admin,%(ldap/base)s"' % configRegistry)
> elif configRegistry['ldap/server/type'] == "slave":
>- print 'rootdn\t\t"cn=update,%s"'%configRegistry['ldap/base']
>+ print_checked_base('rootdn\t\t"cn=update,%s"'%configRegistry['ldap/base'])
> print 'include\t\t/etc/ldap/rootpw.conf'
>- print 'updatedn\t"cn=update,%s"'%configRegistry["ldap/base"]
>+ print_checked_base('updatedn\t"cn=update,%s"'%configRegistry["ldap/base"])
> if configRegistry.is_true("ldap/online/master", True):
> print 'updateref\tldap://%s:%s'% (configRegistry["ldap/master"], configRegistry.get("ldap/master/port", 7389))
> @!@
>diff --git a/management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/60univention-ldap-server_acl-master b/management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/60univention-ldap-server_acl-master
>index 3d7aecd147..17e8441162 100644
>--- a/management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/60univention-ldap-server_acl-master
>+++ b/management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/60univention-ldap-server_acl-master
>@@ -1,5 +1,15 @@
> @!@
> from univention.lib.misc import custom_username, custom_groupname
>+import ldap
>+
>+def print_checked_base(confpart):
>+ if not ldap.dn.is_dn(configRegistry['ldap/base']):
>+ import sys
>+ errmsg = '#Error: ucr key âldap/baseâ is not a valid dn!'
>+ print >>sys.stderr, errmsg
>+ print errmsg
>+ print '#', # quote the following template line
>+ print confpart
> 
> ldap_base = configRegistry['ldap/base']
> ldap_port = configRegistry['slapd/port']
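Review bot: The duplicated helper in the 60univention-ldap-server_acl-master hunk re-reads `configRegistry['ldap/base']` while the context line right below binds the same value to `ldap_base`, which every caller in this template then interpolates; checking that binding once after the assignment, `base_is_dn = ldap.dn.is_dn(ldap_base)`, keeps the checked value and the emitted value visibly the same. The helper body is otherwise the copy from 40univention-ldap-server_database, so any fix to it there has to be mirrored here.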
>@@ -10,7 +20,7 @@ users_default_administrator = custom_username('Administrator')
> 
> print 'authz-regexp'
> print ' uid=([^,]*),cn=(gssapi|saml),cn=auth'
>-print ' ldap:///%s??sub?uid=$1' % (ldap_base,)
>+print_checked_base(' ldap:///%s??sub?uid=$1' % (ldap_base,))
> print
> 
> print 'access to attrs=uid value=root by * none stop'
>@@ -20,7 +30,7 @@ print ' by anonymous auth'
> print ' by * none break'
> print ''
> 
>-print 'access to dn="cn=admin,%s"' % (ldap_base)
>+print_checked_base('access to dn="cn=admin,%s"' % (ldap_base))
> print ' by self %s' % (usr)
> print ' by * none'
> print ''
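Review bot: In the `authz-regexp` replacement the base DN is embedded as the DN part of an LDAP URL (`ldap:///%s??sub?uid=$1`), where RFC 4516 requires characters such as space, `?`, `#` and `%` to be percent-encoded; `ldap.dn.is_dn` accepts DNs containing those characters, so a syntactically valid base can still produce a malformed or mis-scoped URL, which is the encoding problem the bug title names rather than a validity problem. A DN check does not replace encoding at this call site; the URL line should pass the base through a percent-encoder, something like `urllib.quote(ldap_base, safe='=,')`, with the exact safe set confirmed against RFC 4516 before relying on it.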
>@@ -28,39 +38,39 @@ print ''
> print 'access to *'
> print ' by sockname="PATH=/var/run/slapd/ldapi" %s' % (usr)
> if configRegistry['ldap/server/type'] == "slave":
>- print ' by dn.base="cn=admin,%s" %s' % (ldap_base, usr)
>-print ' by dn.base="uid=%s,cn=users,%s" %s' % (users_default_administrator, ldap_base, usr)
>+ print_checked_base(' by dn.base="cn=admin,%s" %s' % (ldap_base, usr))
>+print_checked_base(' by dn.base="uid=%s,cn=users,%s" %s' % (users_default_administrator, ldap_base, usr))
> print ' by * none break'
> print ''
> 
>-print 'access to dn="uid=%s,cn=users,%s"' % (users_default_administrator, ldap_base)
>-print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % (groups_default_domainadmins, ldap_base, usr)
>+print_checked_base('access to dn="uid=%s,cn=users,%s"' % (users_default_administrator, ldap_base))
>+print_checked_base(' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % (groups_default_domainadmins, ldap_base, usr))
> if configRegistry['ldap/server/type'] == "slave":
>- print ' by dn.base="cn=admin,%s" %s' % (ldap_base, usr)
>+ print_checked_base(' by dn.base="cn=admin,%s" %s' % (ldap_base, usr))
> print ' by self %s' % (usr)
> print ' by * +0 break'
> print ''
> 
>-print 'access to dn="uid=join-backup,cn=users,%s"' % (ldap_base)
>-print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % (groups_default_domainadmins, ldap_base, usr)
>+print_checked_base('access to dn="uid=join-backup,cn=users,%s"' % (ldap_base))
>+print_checked_base(' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % (groups_default_domainadmins, ldap_base, usr))
> if configRegistry['ldap/server/type'] == "slave":
>- print ' by dn.base="cn=admin,%s" %s' % (ldap_base, usr)
>+ print_checked_base(' by dn.base="cn=admin,%s" %s' % (ldap_base, usr))
> print ' by self %s' % (usr)
> print ' by * +0 break'
> print ''
> 
>-print 'access to dn="uid=join-slave,cn=users,%s"' % (ldap_base)
>-print ' by 
group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % (groups_default_domainadmins, ldap_base, usr)
>+print_checked_base('access to dn="uid=join-slave,cn=users,%s"' % (ldap_base))
>+print_checked_base(' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % (groups_default_domainadmins, ldap_base, usr))
> if configRegistry['ldap/server/type'] == "slave":
>- print ' by dn.base="cn=admin,%s" %s' % (ldap_base, usr)
>+ print_checked_base(' by dn.base="cn=admin,%s" %s' % (ldap_base, usr))
> print ' by self %s' % (usr)
> print ' by * +0 break'
> print ''
> 
> print 'access to attrs=entry,objectClass,uniqueMember,ou,uid,loginShell,homeDirectory,uidNumber,gidNumber,sn,cn,gecos,description,memberUid'
>-print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % (groups_default_domainadmins, ldap_base, usr)
>+print_checked_base(' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % (groups_default_domainadmins, ldap_base, usr))
> if configRegistry['ldap/server/type'] == "slave":
>- print ' by dn.base="cn=admin,%s" %s' % (ldap_base, usr)
>+ print_checked_base(' by dn.base="cn=admin,%s" %s' % (ldap_base, usr))
> print ' by * +0 break'
> print ''
> 
>diff --git a/management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/62univention-ldap-server_acl-portal b/management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/62univention-ldap-server_acl-portal
>index 9927ab2603..bba9c02e78 100644
>--- a/management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/62univention-ldap-server_acl-portal
>+++ b/management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/62univention-ldap-server_acl-portal
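Review bot: Most of the calls converted in this hunk are ` by ...` clauses in the middle of an `access` directive (for example every `' by dn.base="cn=admin,%s" %s'` call); slapd.conf(5) documents that a line beginning with whitespace continues the previous line even when that line is a comment, so on an invalid base the `#`-prefixed clause would pull the following ` by self` / ` by * +0 break` lines into the comment and change the shape of the ACL rather than just dropping the one clause. Whether slapd then refuses the file or loads a truncated directive depends on what else is left in the stanza, which is hard to reason about per call site. If the goal is a readable but non-loadable slapd.conf, quoting whole directives (or aborting the render when the check fails) is a more predictable outcome than commenting individual continuation lines.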
>@@ -1,9 +1,25 @@
>-access to dn="cn=portal,cn=univention,@%@ldap/base@%@" attrs=children
>- by dn.onelevel="cn=dc,cn=computers,@%@ldap/base@%@" write
>- by dn.onelevel="cn=memberserver,cn=computers,@%@ldap/base@%@" write
>+@!@
>+import ldap
>+
>+def print_checked_base(confpart):
>+ if not ldap.dn.is_dn(configRegistry['ldap/base']):
>+ import sys
>+ errmsg = '#Error: ucr key âldap/baseâ is not a valid dn!'
>+ print >>sys.stderr, errmsg
>+ print errmsg
>+ print '#', # quote the following template line
>+ print confpart
>+
>+print_checked_base(
>+'''
>+access to dn="cn=portal,cn=univention,%(base)s" attrs=children
>+ by dn.onelevel="cn=dc,cn=computers,%(base)s" write
>+ by dn.onelevel="cn=memberserver,cn=computers,%(base)s" write
> by * +0 break
> 
>-access to dn.children="cn=portal,cn=univention,@%@ldap/base@%@" attrs=entry,@univentionObject,@univentionPortalEntry,@univentionPortal
>- by dn.onelevel="cn=dc,cn=computers,@%@ldap/base@%@" write
>- by dn.onelevel="cn=memberserver,cn=computers,@%@ldap/base@%@" write
>+access to dn.children="cn=portal,cn=univention,%(base)s" attrs=entry,@univentionObject,@univentionPortalEntry,@univentionPortal
>+ by dn.onelevel="cn=dc,cn=computers,%(base)s" write
>+ by dn.onelevel="cn=memberserver,cn=computers,%(base)s" write
> by * +0 break
>+''' % {'base': configRegistry['ldap/base']}
>+@!@
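Review bot: `print_checked_base` is handed a triple-quoted block that starts with a newline, so on an invalid base the `print '#',` prefix comments an empty line and every `access` / `by` line that follows is emitted unquoted with the bad value interpolated; in this template the check amounts to a log message. Either pass the two directives one line at a time, or have the helper strip the leading newline and comment each line, e.g. `for line in confpart.strip('\n').splitlines(): print '#' + line`. The literal also begins and ends with a newline that `print` adds to, so the rendered file gains blank lines around the stanza compared with the old static template; `.strip('\n')` on the literal would keep the valid-case output identical.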