Univention Bugzilla – Bug 39941
No check for invalid countryName in LDAP base
Last modified: 2016-02-04 13:55:47 CET
The installer hangs if an invalid country code is used in the LDAP base. For example 'c=world'. This bug was already discussed in: Bug #36334
It would be so easy if we already have a running LDAP server:

>>> try:
...     lo.search_s(dn, ldap.SCOPE_BASE)
... except ldap.INVALID_DN_SYNTAX:
...     return False
... except ldap.LDAPError:
...     pass
... return True

Otherwise we could just restrict C to only 2 letters in the regex and hope that there are no more invalid combinations:

re.compile('^(c=[A-Za-z]{2}|(dc|cn|o|l)=[a-zA-Z0-9-]+)(,(c=[A-Za-z]{2}|((dc|cn|o|l)=[a-zA-Z0-9-]+)))+$')
I could not imagine a better solution than adapting the regex. We could also use ldap.dn.explodeDn() which validates even a little bit more (syntax) but doesn't validate this case and also allows more than our current restrictions. As I think it doesn't happen often, I did not touch the JavaScript validation or adapt the help texts.
countryName should be 'RFC2256: ISO-3166 country 2-letter code'. That is available from:

map(operator.itemgetter(0), univention.admin.syntax.Country.choices)
(In reply to Daniel Tröder from comment #3)
> countryName should be 'RFC2256: ISO-3166 country 2-letter code'. That is
> available from:
>
> map(operator.itemgetter(0), univention.admin.syntax.Country.choices)

Well, openldap allows ZZ as country code in an ldap base. Nevertheless I changed it by checking a static list.

FYI: We should avoid using syntax classes in the regular code as they are part of UDM and probably not meant to be used outside.

univention-system-setup (9.0.2-25):
r66731 | Bug #39941: Bug #39376: restrict country codes in ldap/base; fix UMC-Webserver restart
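The approach discussed in the comments above (per-RDN syntax restriction plus a static country list), sketched as an added example; this is not the code committed in r66731 or Univention's is_ldap_base. The names check_ldap_base and ISO3166_SAMPLE are hypothetical, and the country set is a constructed sample, not the full ISO 3166 list.

```python
import re

# Constructed sample of ISO 3166-1 alpha-2 codes (assumption for this example);
# a real check must load the complete list.
ISO3166_SAMPLE = frozenset(
    "AT AU BE BR CA CH CN DE DK ES FI FR GB IN IT JP NL NO PL SE US".split()
)

# One RDN with the same restrictions as the regex quoted in the thread:
# c= takes exactly two letters; dc/cn/o/l take letters, digits and hyphens.
_RDN_RE = re.compile(r'(c)=([A-Za-z]{2})|(?:dc|cn|o|l)=[a-zA-Z0-9-]+')


def check_ldap_base(base, countries=ISO3166_SAMPLE):
    """Return (ok, reason) for a candidate LDAP base DN.

    Syntax is checked per RDN; a c= value must also be in `countries`,
    which the regex alone cannot guarantee (c=dd is two letters).
    """
    rdns = base.split(',')
    # The thread's regex requires at least two comma-separated RDNs.
    if len(rdns) < 2:
        return False, 'need at least two RDNs'
    for rdn in rdns:
        # fullmatch, not '$': in Python '$' also matches before a trailing
        # newline, so "dc=bar\n" would slip through a '^...$' pattern.
        m = _RDN_RE.fullmatch(rdn)
        if m is None:
            return False, 'bad RDN syntax: %r' % rdn
        if m.group(1) and m.group(2).upper() not in countries:
            return False, 'unknown country code: %r' % m.group(2)
    return True, 'ok'


if __name__ == '__main__':
    # Constructed inputs, including the three from the manual test in the thread.
    for dn in ('dc=foo,dc=bar', 'c=de,dc=foo,dc=bar', 'c=dd,dc=foo,dc=bar',
               'c=world,dc=foo', 'dc=foo,dc=bar\n'):
        print(repr(dn), check_ldap_base(dn))
```

Returning a reason alongside the boolean lets a setup UI tell the user which RDN was rejected before the installer reaches the LDAP server.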
OK: code
OK: advisory
OK: manual test:

python -c 'from univention.management.console.modules.setup.util import is_ldap_base; print is_ldap_base("dc=foo,dc=bar"); print is_ldap_base("c=de,dc=foo,dc=bar"); print is_ldap_base("c=dd,dc=foo,dc=bar")'
True
True
False
<http://errata.software-univention.de/ucs/4.1/97.html>