Univention Bugzilla – Attachment 8372 Details for
Bug 32086
LDAP Filter / DN's aren't escaped in S4 Connector
[patch]
Patch to fix LDAP filters in mapping.py
0001-Bug-32086-s4-connector-escape-ignore_filters-in-mapp.patch (text/plain), 9.10 KB, created by
Lukas Oyen
on 2017-01-24 15:42:00 CET
Description:
Patch to fix LDAP filters in mapping.py
Filename:
MIME Type:
Creator:
Lukas Oyen
Created:
2017-01-24 15:42:00 CET
Size:
9.10 KB
patch
obsolete
>From 273787f2cf48fab8e01b466853b36ce9937ad515 Mon Sep 17 00:00:00 2001
>From: Lukas Oyen <oyen@univention.de>
>Date: Tue, 24 Jan 2017 12:55:54 +0100
>Subject: [PATCH] Bug #32086: s4-connector: escape ignore_filters in mapping.py
>
>---
> .../etc/univention/s4connector/s4/mapping.py | 72 +++++++++-------------
> .../modules/univention/s4connector/s4/mapping.py | 37 +++++++++++
> 2 files changed, 66 insertions(+), 43 deletions(-)
>
>diff --git a/services/univention-s4-connector/conffiles/etc/univention/s4connector/s4/mapping.py b/services/univention-s4-connector/conffiles/etc/univention/s4connector/s4/mapping.py
>index ff74ffd..8932cfb 100644
>--- a/services/univention-s4-connector/conffiles/etc/univention/s4connector/s4/mapping.py
>+++ b/services/univention-s4-connector/conffiles/etc/univention/s4connector/s4/mapping.py
>@@ -40,6 +40,7 @@ import univention.s4connector.s4.dc
> import univention.s4connector.s4.computer
>
> @!@
>+
> global_ignore_subtree=['cn=univention,@%@ldap/base@%@','cn=policies,@%@ldap/base@%@',
> 'cn=shares,@%@ldap/base@%@','cn=printers,@%@ldap/base@%@',
> 'cn=networks,@%@ldap/base@%@', 'cn=kerberos,@%@ldap/base@%@',
>@@ -102,12 +103,10 @@ else:
> con_search_filter='(&(objectClass=user)(!(objectClass=computer))(userAccountControl:1.2.840.113556.1.4.803:=512))',
> match_filter='(&(|(&(objectClass=posixAccount)(objectClass=krb5Principal))(objectClass=user))(!(objectClass=univentionHost)))',
> @!@
>-ignore_filter = ''
>-for user in configRegistry.get('connector/s4/mapping/user/ignorelist', '').split(','):
>- if user:
>- ignore_filter += '(uid=%s)(CN=%s)' % (user, user)
>+from univention.s4connector.s4.mapping import ignore_filter_parts_from_tmpl
>+ignore_filter = ignore_filter_parts_from_tmpl('(uid={0!e})(CN={0!e})', 'connector/s4/mapping/user/ignorelist')
> if ignore_filter:
>- print " ignore_filter='(|%s)'," % ignore_filter
>+ print " ignore_filter='%s'," % ignore_filter
> @!@
> ignore_subtree = global_ignore_subtree,
>
>@@ -313,13 +312,12 @@ else:
> scope='sub',
>
> @!@
>-ignore_filter = ''
>+from univention.s4connector.s4.mapping import ignore_filter_parts_from_attr
>+ignore_filter = ignore_filter_parts_from_attr('cn', 'connector/s4/mapping/group/ignorelist')
> if configRegistry.is_false('connector/s4/mapping/group/grouptype', False):
>- ignore_filter += '(sambaGroupType=5)(groupType=5)'
>-for group in configRegistry.get('connector/s4/mapping/group/ignorelist', '').split(','):
>- if group:
>- ignore_filter += '(cn=%s)' % (group)
>-print " ignore_filter='(|%s)'," % ignore_filter
>+ ignore_filter = '(|{}{})'.format('(sambaGroupType=5)(groupType=5)', ignore_filter)
>+if ignore_filter:
>+ print " ignore_filter='%s'," % ignore_filter
> @!@
>
> ignore_subtree = global_ignore_subtree,
>@@ -431,12 +429,10 @@ if group_map:
> # and this subobject would avoid a deletion of this DC in S4
> con_subtree_delete_objects = [ 'cn=rid set' ],
> @!@
>-ignore_filter = ''
>-for dc in configRegistry.get('connector/s4/mapping/dc/ignorelist', '').split(','):
>- if dc:
>- ignore_filter += '(cn=%s)' % (dc)
>+from univention.s4connector.s4.mapping import ignore_filter_parts_from_attr
>+ignore_filter = ignore_filter_parts_from_attr('cn', 'connector/s4/mapping/dc/ignorelist')
> if ignore_filter:
>- print " ignore_filter='(|%s)'," % ignore_filter
>+ print " ignore_filter='%s'," % ignore_filter
> @!@
>
> @!@
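Review bot: In the `@@ -102,12 +103,10 @@` hunk the escaped filter is still written into the generated mapping inside a single-quoted Python literal (`print " ignore_filter='%s'," % ignore_filter`), so the LDAP escaping does not protect the Python layer around it. Assuming `format_escaped` emits RFC 4515 `\XX` sequences, a non-raw literal reads `\28` or `\5c` as string escapes of its own and the filter changes on load; a `'` in an ignorelist entry, which LDAP filter escaping presumably leaves untouched, would end the literal early. Writing the value with `%r`, i.e. `print " ignore_filter=%r," % ignore_filter`, keeps the generated file well-formed for any UCR value. The same print line recurs in the hunks at -313, -431, -533, -984 and -1041, and the template blocks they belong to start and end outside the hunks.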
>@@ -533,12 +529,10 @@ else:
>
> ignore_subtree = global_ignore_subtree,
> @!@
>-ignore_filter = ''
>-for computer in configRegistry.get('connector/s4/mapping/windowscomputer/ignorelist', '').split(','):
>- if computer:
>- ignore_filter += '(cn=%s)' % (computer)
>+from univention.s4connector.s4.mapping import ignore_filter_parts_from_attr
>+ignore_filter = ignore_filter_parts_from_attr('cn', 'connector/s4/mapping/windowscomputer/ignorelist')
> if ignore_filter:
>- print " ignore_filter='(|%s)'," % ignore_filter
>+ print " ignore_filter='%s'," % ignore_filter
> @!@
>
> con_create_objectclass=['top', 'computer' ],
>@@ -653,12 +647,10 @@ if ignore_filter:
>
> print dns_section
>
>+from univention.s4connector.s4.mapping import ignore_filter_parts_from_attr
>
> if configRegistry.is_true('connector/s4/mapping/gpo', True):
>- ignore_filter = ''
>- for gpo in configRegistry.get('connector/s4/mapping/gpo/ignorelist', '').split(','):
>- if gpo:
>- ignore_filter += '(cn=%s)' % (gpo)
>+ ignore_filter = ignore_filter_parts_from_attr('cn', 'connector/s4/mapping/gpo/ignorelist')
> if configRegistry.get('connector/s4/mapping/ou/syncmode'):
> sync_mode_ou=configRegistry.get('connector/s4/mapping/ou/syncmode')
> else:
>@@ -772,11 +764,10 @@ if configRegistry.is_true('connector/s4/mapping/gpo', True):
> '''
> print section
>
>+from univention.s4connector.s4.mapping import ignore_filter_parts_from_attr
>+
> if configRegistry.is_true('connector/s4/mapping/wmifilter', False):
>- ignore_filter = ''
>- for wmifilter in configRegistry.get('connector/s4/mapping/wmifilter/ignorelist', '').split(','):
>- if wmifilter:
>- ignore_filter += '(cn=%s)' % (wmifilter)
>+ ignore_filter = ignore_filter_parts_from_attr('cn', 'connector/s4/mapping/wmifilter/ignorelist')
> if configRegistry.get('connector/s4/mapping/ou/syncmode'):
> sync_mode_ou=configRegistry.get('connector/s4/mapping/ou/syncmode')
> else:
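Review bot: In the `@@ -653,12 +647,10 @@` hunk the value of `ignore_filter` changes shape without the consumer being touched: the removed loop produced a bare run of `(cn=…)` terms or an empty string, while `ignore_filter_parts_from_attr` returns one complete `(|…)` expression or `''`. The section template that receives it lies outside the hunk (only its `% {'ignore_filter': ignore_filter, 'sync_mode_ou': sync_mode_ou}` tail is visible, as context in the -901 hunk), so it should be checked that the template does not wrap the value in a second `(|…)` and does not emit an empty or malformed filter when the ignorelist is empty. The hunks at -772 and -901 make the same substitution. A comment at each assignment such as `# '' or a complete, already escaped '(|...)' filter` would record the new contract for whoever edits the template next.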
>@@ -901,11 +892,10 @@ if configRegistry.is_true('connector/s4/mapping/wmifilter', False):
> ),
> ''' % {'ignore_filter': ignore_filter, 'sync_mode_ou': sync_mode_ou}
>
>+from univention.s4connector.s4.mapping import ignore_filter_parts_from_attr
>+
> if configRegistry.is_true('connector/s4/mapping/msprintconnectionpolicy', False):
>- ignore_filter = ''
>- for cfilter in configRegistry.get('connector/s4/mapping/msprintconnectionpolicy/ignorelist', '').split(','):
>- if cfilter:
>- ignore_filter += '(cn=%s)' % (cfilter)
>+ ignore_filter = ignore_filter_parts_from_attr('cn', 'connector/s4/mapping/msprintconnectionpolicy/ignorelist')
> if configRegistry.get('connector/s4/mapping/ou/syncmode'):
> sync_mode_ou=configRegistry.get('connector/s4/mapping/ou/syncmode')
> else:
>@@ -984,12 +974,10 @@ else:
> con_search_filter='(&(|(objectClass=container)(objectClass=builtinDomain))(!(objectClass=groupPolicyContainer)))', # builtinDomain is cn=builtin (with group cn=Administrators)
>
> @!@
>-ignore_filter = ''
>-for cn in configRegistry.get('connector/s4/mapping/container/ignorelist', 'mail,kerberos,MicrosoftDNS').split(','):
>- if cn:
>- ignore_filter += '(cn=%s)' % (cn)
>+from univention.s4connector.s4.mapping import ignore_filter_parts_from_attr
>+ignore_filter = ignore_filter_parts_from_attr('cn', 'connector/s4/mapping/container/ignorelist', 'mail,kerberos,MicrosoftDNS')
> if ignore_filter:
>- print " ignore_filter='(|%s)'," % ignore_filter
>+ print " ignore_filter='%s'," % ignore_filter
> @!@
>
> ignore_subtree = global_ignore_subtree,
>@@ -1041,12 +1029,10 @@ else:
> con_search_filter='objectClass=organizationalUnit',
>
> @!@
>-ignore_filter = ''
>-for ou in configRegistry.get('connector/s4/mapping/ou/ignorelist', '').split(','):
>- if ou:
>- ignore_filter += '(ou=%s)' % (ou)
>+from univention.s4connector.s4.mapping import ignore_filter_parts_from_attr
>+ignore_filter = ignore_filter_parts_from_attr('ou', 'connector/s4/mapping/ou/ignorelist')
> if ignore_filter:
>- print " ignore_filter='(|%s)'," % ignore_filter
>+ print " ignore_filter='%s'," % ignore_filter
> @!@
>
> ignore_subtree = global_ignore_subtree,
>diff --git a/services/univention-s4-connector/modules/univention/s4connector/s4/mapping.py b/services/univention-s4-connector/modules/univention/s4connector/s4/mapping.py
>index 437db91..307a101 100644
>--- a/services/univention-s4-connector/modules/univention/s4connector/s4/mapping.py
>+++ b/services/univention-s4-connector/modules/univention/s4connector/s4/mapping.py
>@@ -36,10 +36,47 @@ import univention.config_registry as ucr
> import univention.debug2 as ud
> import univention.s4connector.s4
>
>+from univention.s4connector.s4 import format_escaped
>+
> configRegistry = ucr.ConfigRegistry()
> configRegistry.load()
>
>
>+def ignore_filter_parts_from_tmpl(template, ucr_key, default=''):
>+ """
>+ Construct an `ignore_filter` from a `ucr_key`
>+ (`connector/s4/mapping/*/ignorelist`, a comma delimited list of values), as
>+ specified by `template` while correctly escaping the filter-expression.
>+
>+ `template` must be formatted as required by `format_escaped`.
>+
>+ >>> ignore_filter_parts_from_tmpl('(cn={0!e})',
>+ ... 'connector/s4/mapping/nonexistend/ignorelist',
>+ ... 'one,two,three')
>+ '(|(cn=one)(cn=two)(cn=three))'
>+ """
>+ variables = [v for v in configRegistry.get(ucr_key, default).split(',') if v]
>+ filter_parts = [format_escaped(template, v) for v in variables]
>+ if filter_parts:
>+ return '(|{})'.format(''.join(filter_parts))
>+ return ''
>+
>+
>+def ignore_filter_parts_from_attr(attribute, ucr_key, default=''):
>+ """
>+ Convenience-wrapper arround `ignore_filter_from_tmpl()`.
>+
>+ This expects a single `attribute` instead of a `template` argument.
>+
>+ >>> ignore_filter_parts_from_attr('cn',
>+ ... 'connector/s4/mapping/nonexistend/ignorelist',
>+ ... 'one,two,three')
>+ '(|(cn=one)(cn=two)(cn=three))'
>+ """
>+ template = '({}={{0!e}})'.format(attribute)
>+ return ignore_filter_parts_from_tmpl(template, ucr_key, default)
>+
>+
> def ucs2s4_sid(s4connector, key, object):
> _d = ud.function('mapping.ucs2s4_sid -- not implemented')
>
>--
>2.7.4
>
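Review bot: The docstring of `ignore_filter_parts_from_attr` refers to `ignore_filter_from_tmpl()`, a name this patch does not define; the helper it wraps is `ignore_filter_parts_from_tmpl()`, and `arround` should read `around`. Both function names say "parts" although each returns either `''` or one complete `(|…)` expression, so the docstrings should state that return contract in words rather than leave it to the doctest. `attribute` is spliced into the format template unescaped by `'({}={{0!e}})'.format(attribute)`, which is fine for the literal `'cn'` and `'ou'` callers in this patch but deserves a docstring line saying it must be a fixed attribute name, never a configured value. Entries are split on `,` without stripping whitespace, which appears to match the removed loops; if that is intended, a short comment next to the `split(',')` would say so.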
Attachments on
bug 32086
:
8259
|
8271
|
8372
|
8401