Univention Bugzilla – Bug 39941
No check for invalid countryName in LDAP base
Last modified: 2016-02-04 13:55:47 CET
The installer hangs if an invalid country code is used in the LDAP base.
For example 'c=world'.
This bug was already discussed in: Bug #36334
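It would be so easy if we already have a running LDAP server:
>>> def is_valid_dn(dn):  # function name added for illustration
...     try:
...         lo.search_s(dn, ldap.SCOPE_BASE)
...     except ldap.INVALID_DN_SYNTAX:
...         # the server rejected the DN as syntactically invalid
...         return False
...     except ldap.LDAPError:
...         # any other LDAP error: the DN syntax itself was accepted
...         return True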
Otherwise we could just restrict C to only 2 letters in the regex and hope that there are no more invalid combinations:
I could not imagine a better solution than adapting the regex. We could also use ldap.dn.explodeDn() which validates even a little bit more (syntax) but doesn't validate this case and also allows more than our current restrictions.
countryName should be 'RFC2256: ISO-3166 country 2-letter code'. That is available from:
(In reply to Daniel Tröder from comment #3)
> countryName should be 'RFC2256: ISO-3166 country 2-letter code'. That is
> available from:
> map(operator.itemgetter(0), univention.admin.syntax.Country.choices)
Well, OpenLDAP allows ZZ as country code in an LDAP base. Nevertheless I changed it by checking a static list.
FYI: We should avoid using syntax classes in the regular code as they are part of UDM and probably not meant to be used outside.
r66731 | Bug #39941: Bug #39376: restrict country codes in ldap/base; fix UMC-Webserver restart
OK: manual test:
python -c 'from univention.management.console.modules.setup.util import is_ldap_base; print is_ldap_base("dc=foo,dc=bar"); print is_ldap_base("c=de,dc=foo,dc=bar"); print is_ldap_base("c=dd,dc=foo,dc=bar")'
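The two options discussed in this thread, side by side, as an added example (not the code committed in r66731 and not the UCS is_ldap_base implementation): a regex-only rule that limits c= to two letters, and a check against a static country list. The function names, the permitted attribute types and the abbreviated country list are assumptions made for the example.

```python
import re

# Abbreviated sample of ISO 3166-1 alpha-2 codes (assumption: a real check
# carries the complete list; this subset only keeps the example short).
ISO_3166_SAMPLE = frozenset("AT BE CH DE DK ES FR GB IT NL PL SE US".split())

# One RDN of the form attr=value. The attribute types are an assumption.
# Escaped or special characters in the value are rejected, not interpreted.
RDN = re.compile(r'^(dc|c|o|ou|l|cn)=([^,=+<>#;\\"]+)$', re.IGNORECASE)


def split_base(base):
    """Return [(attr, value), ...], or None if any RDN is malformed."""
    rdns = []
    for part in base.split(","):
        m = RDN.match(part.strip())
        if m is None:
            return None
        rdns.append((m.group(1).lower(), m.group(2).strip()))
    return rdns


def base_ok_two_letters(base):
    """Regex-only rule: every c= value must be exactly two ASCII letters."""
    rdns = split_base(base)
    if rdns is None:
        return False
    return all(re.fullmatch(r"[A-Za-z]{2}", v) for a, v in rdns if a == "c")


def base_ok_static_list(base, countries=ISO_3166_SAMPLE):
    """Static-list rule: every c= value must be a known country code."""
    rdns = split_base(base)
    if rdns is None:
        return False
    return all(v.upper() in countries for a, v in rdns if a == "c")


if __name__ == "__main__":
    # The three bases from the manual test above, plus the one from the report.
    for base in ("dc=foo,dc=bar", "c=de,dc=foo,dc=bar",
                 "c=dd,dc=foo,dc=bar", "c=world"):
        print(base, base_ok_two_letters(base), base_ok_static_list(base))
```

The two-letter rule still accepts c=dd, which is the case the static list exists to reject.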