Module: check_mk
Branch: master
Commit: ce645d08724a1751c4f44593092021e8568a173e
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=ce645d08724a17…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Mon Jan 14 15:56:18 2013 +0100
ldap: improved filtering of unwanted ldap_search() responses
---
ChangeLog | 1 +
web/plugins/userdb/ldap.py | 3 ++-
2 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 2ebd6a7..06a6832 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -22,6 +22,7 @@
* Add: New user_options to limit seen nagios objects even the role is set to see all
* FIX: LDAP: Fixed problem with special chars in LDAP queries when having
contactgroup sync plugin enabled
+ * LDAP: Role sync plugin validates the given group DNs with the group base dn now
1.2.1i4:
Core:
diff --git a/web/plugins/userdb/ldap.py b/web/plugins/userdb/ldap.py
index dffc276..cecafc7 100644
--- a/web/plugins/userdb/ldap.py
+++ b/web/plugins/userdb/ldap.py
@@ -194,6 +194,8 @@ def ldap_search(base, filt = '(objectclass=*)', columns = [], scope = None):
result = []
try:
for dn, obj in ldap_connection.search_s(base, scope, filt, columns):
+ if dn is None:
+ continue # skip unwanted answers
new_obj = {}
for key, val in obj.iteritems():
new_obj[key.lower().decode('utf-8')] = [ i.decode('utf-8') for i in val ]
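Review bot: The comment `# skip unwanted answers` on the new `dn is None` guard does not say what is being skipped or why dropping it is safe. python-ldap returns search references (referrals, common with Active Directory) as tuples whose first element is None and whose second element is a list of URLs rather than an attribute dict, which is presumably what broke `obj.iteritems()` below. I would write `continue # search reference (referral): dn is None and obj is a list of URLs, not an attribute dict`. It is also worth stating that referrals are intentionally not followed, so entries that live only behind a referral never reach the user and group sync. ldap_search's body starts before and continues after this hunk.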
@@ -282,7 +284,6 @@ def ldap_user_groups(username, attr = 'cn'):
# Apply configured group ldap filter and only reply with groups
# having the current user as member
filt = '(&%s(member=%s))' % (ldap_filter('groups'), ldap.filter.escape_filter_chars(user_dn))
-
# First get all groups
groups = []
for dn, group in ldap_search(ldap_replace_macros(config.ldap_groupspec['dn']),
Module: check_mk
Branch: master
Commit: 9e26de7e394be74fd03c3ab315f773e7b8cd677d
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=9e26de7e394be7…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Mon Jan 14 15:42:28 2013 +0100
LDAP: Role sync plugin validates the given group DNs with the group base dn now
---
web/htdocs/valuespec.py | 6 ++++++
web/plugins/userdb/ldap.py | 5 ++++-
2 files changed, 10 insertions(+), 1 deletions(-)
diff --git a/web/htdocs/valuespec.py b/web/htdocs/valuespec.py
index 030b553..0b985db 100644
--- a/web/htdocs/valuespec.py
+++ b/web/htdocs/valuespec.py
@@ -2144,6 +2144,7 @@ class Transform(ValueSpec):
class LDAPDistinguishedName(TextAscii):
def __init__(self, **kwargs):
TextAscii.__init__(self, **kwargs)
+ self.enforce_suffix = kwargs.get('enforce_suffix')
def validate_value(self, value, varprefix):
TextAscii.validate_value(self, value, varprefix)
@@ -2152,6 +2153,11 @@ class LDAPDistinguishedName(TextAscii):
if value and 'dc=' not in value.lower():
raise MKUserError(varprefix, _('Found no "dc=" (Domain Component).'))
+ # Check wether or not the given DN is below a base DN
+ if self.enforce_suffix and value and not value.lower().endswith(self.enforce_suffix.lower()):
+ raise MKUserError(varprefix, _('Does not ends with "%s".') % self.enforce_suffix)
+
+
class Password(TextAscii):
def __init__(self, **kwargs):
TextAscii.__init__(self, attrencode = True, **kwargs)
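Review bot: The new suffix check in validate_value compares raw strings, so it is not aligned to RDN boundaries: `value.lower().endswith(self.enforce_suffix.lower())` accepts any DN whose text merely ends in the base DN (the match may begin in the middle of an attribute name or inside an escaped value), and it rejects a DN below the base that differs only in spacing after commas. Since this field maps LDAP groups to roles, the check should at least require the whole base or a `,` boundary, e.g. `suffix = self.enforce_suffix.lower()` followed by `if value and value.lower() != suffix and not value.lower().endswith(',' + suffix):`; comparing parsed RDN lists would be stricter still. The message `'Does not ends with "%s".'` should read `'Does not end with "%s".'`, and the comment has `wether` for `whether`. validate_value starts above this hunk.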
diff --git a/web/plugins/userdb/ldap.py b/web/plugins/userdb/ldap.py
index 612ded4..dffc276 100644
--- a/web/plugins/userdb/ldap.py
+++ b/web/plugins/userdb/ldap.py
@@ -500,8 +500,11 @@ def ldap_list_roles_with_group_dn():
for role_id, role in load_roles().items():
elements.append((role_id, LDAPDistinguishedName(
title = role['alias'] + ' - ' + _("Specify the Group DN"),
- help = _("Distinguished Name of the LDAP group to add users this role."),
+ help = _("Distinguished Name of the LDAP group to add users this role. This group must "
+ "be defined within the scope of the "
+ "<a href=\"wato.py?mode=edit_configvar&varname=ldap_groupspec\">LDAP Group Settings</a>."),
size = 80,
+ enforce_suffix = ldap_replace_macros(config.ldap_groupspec['dn']),
)))
return elements
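Review bot: `enforce_suffix` only constrains what can be typed into this form; nothing in the hunk re-checks group DNs that were saved before this commit or before a later change of `ldap_groupspec['dn']`. If the role sync code (not visible here) trusts the stored DNs, a role could still be granted from a group outside the configured group base, so I would either repeat the check where the stored DNs are consumed or document the limit with a comment such as `# validated at edit time only; stored DNs are not re-checked when ldap_groupspec changes`. `config.ldap_groupspec['dn']` is also evaluated whenever the form is built, so confirm a default exists for installations where the group settings are still unset. ldap_list_roles_with_group_dn starts above the hunk.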
Module: check_mk
Branch: master
Commit: 2925b76af056dee608ac1cf6a1c737f181b8faab
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=2925b76af056de…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Mon Jan 14 16:43:03 2013 +0100
Fixed exception in case of non existing rowselection directory
---
web/htdocs/weblib.py | 13 ++++++++-----
1 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/web/htdocs/weblib.py b/web/htdocs/weblib.py
index b36874a..e2db673 100644
--- a/web/htdocs/weblib.py
+++ b/web/htdocs/weblib.py
@@ -104,11 +104,14 @@ def cleanup_old_selections():
# the current time and delete the selection file when it is older than
# the livetime.
path = config.user_confdir + '/rowselection'
- for f in os.listdir(path):
- if f[1] != '.' and f.endswith('.mk'):
- p = path + '/' + f
- if time.time() - os.stat(p).st_mtime > config.selection_livetime:
- os.unlink(p)
+ try:
+ for f in os.listdir(path):
+ if f[1] != '.' and f.endswith('.mk'):
+ p = path + '/' + f
+ if time.time() - os.stat(p).st_mtime > config.selection_livetime:
+ os.unlink(p)
+ except OSError:
+ pass # no directory -> no cleanup
# Generates a selection id or uses the given one
def selection_id():
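Review bot: The new `try` wraps the whole loop, so `except OSError: pass` hides more than the missing directory its comment names: a failing `os.stat(p)` or `os.unlink(p)` (permissions, a file removed by a concurrent request) silently ends the cleanup for all remaining files. Guard only the `os.listdir(path)` call and run the loop outside the handler, as sketched below; the loop appears to be the last statement of the function, so an early return is equivalent. Separately, `f[1] != '.'` looks like it was meant to be `f[0]` (skip dot files), and it is evaluated before `endswith`, so a one-character file name raises IndexError, which this handler does not catch. cleanup_old_selections starts above the hunk.

```python
    path = config.user_confdir + '/rowselection'
    try:
        files = os.listdir(path)
    except OSError:
        return # no directory -> no cleanup
    for f in files:
        # … unchanged: age check against config.selection_livetime and os.unlink(p) …
```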
Module: check_mk
Branch: master
Commit: f217fed3ef723dcc4d802e2ba81c8e10bbe002b2
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=f217fed3ef723d…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Mon Jan 14 16:29:31 2013 +0100
LDAP: Improved error handling in case of misconfigurations
---
ChangeLog | 1 +
web/plugins/userdb/ldap.py | 9 +++++++++
2 files changed, 10 insertions(+), 0 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 06a6832..0239d36 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -23,6 +23,7 @@
* FIX: LDAP: Fixed problem with special chars in LDAP queries when having
contactgroup sync plugin enabled
* LDAP: Role sync plugin validates the given group DNs with the group base dn now
+ * LDAP: Improved error handling in case of misconfigurations
1.2.1i4:
Core:
diff --git a/web/plugins/userdb/ldap.py b/web/plugins/userdb/ldap.py
index cecafc7..0742ee2 100644
--- a/web/plugins/userdb/ldap.py
+++ b/web/plugins/userdb/ldap.py
@@ -200,6 +200,12 @@ def ldap_search(base, filt = '(objectclass=*)', columns = [], scope = None):
for key, val in obj.iteritems():
new_obj[key.lower().decode('utf-8')] = [ i.decode('utf-8') for i in val ]
result.append((dn, new_obj))
+ except ldap.NO_SUCH_OBJECT, e:
+ raise MKLDAPException(_('The given base object "%s" does not exist in LDAP (%s))') % (base, e))
+
+ except ldap.FILTER_ERROR, e:
+ raise MKLDAPException(_('The given ldap filter "%s" is invalid (%s)') % (filt, e))
+
except ldap.SIZELIMIT_EXCEEDED:
raise MKLDAPException(_('The response reached a size limit. This could be due to '
'a sizelimit configuration on the LDAP server.<br />Throwing away the '
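Review bot: Both new messages interpolate `base`, `filt` and the exception text `e` unescaped, while the neighbouring SIZELIMIT_EXCEEDED message embeds `<br />`, which suggests MKLDAPException text is rendered as HTML. `filt` can carry directory-derived data such as a user DN (see ldap_user_groups), so if the renderer does not escape, these values should be HTML-escaped before formatting; the rendering code is not visible here, so please confirm. The first message also ends in a stray parenthesis: `(%s))'` should be `(%s)'`. ldap_search starts above and continues below this hunk.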
@@ -271,6 +277,9 @@ def ldap_get_users(add_filter = None):
result = {}
for dn, ldap_user in ldap_search(ldap_replace_macros(config.ldap_userspec['dn']),
filt, columns = columns):
+ if ldap_user_id_attr() not in ldap_user:
+ raise MKLDAPException(_('The configured User-ID attribute "%s" does not '
+ 'exist for the user "%s"') % (ldap_user_id_attr(), dn))
user_id = ldap_user[ldap_user_id_attr()][0]
result[user_id] = ldap_user
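Review bot: The new membership test only works if `ldap_user_id_attr()` returns a lower-case name, because ldap_search stores every attribute under `key.lower()`; with a mixed-case configured attribute the check would raise for every user. ldap_user_id_attr is not visible here and may already normalise, but calling it once as `id_attr = ldap_user_id_attr().lower()` and using `id_attr` for the test, the message and the lookup would make that explicit and avoid three calls per entry. Raising here also aborts the sync for all users because of a single entry; if that is intended, say so in a comment such as `# one entry without the ID attribute aborts the whole sync on purpose`. ldap_get_users starts above the hunk.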
Module: check_mk
Branch: master
Commit: deb303f30c6d1d302d2efa15498612165c617036
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=deb303f30c6d1d…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Mon Jan 14 15:29:25 2013 +0100
LDAP: Fixed problem with special chars in LDAP queries when having contactgroup sync plugin enabled
---
ChangeLog | 2 ++
web/plugins/userdb/ldap.py | 2 +-
2 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 7d8a0c5..2ebd6a7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -20,6 +20,8 @@
* Storing row selections in user files, cleaned up row selection
handling to single files. Cleaned up GET/POST mixups in confirm dialogs
* Add: New user_options to limit seen nagios objects even the role is set to see all
+ * FIX: LDAP: Fixed problem with special chars in LDAP queries when having
+ contactgroup sync plugin enabled
1.2.1i4:
Core:
diff --git a/web/plugins/userdb/ldap.py b/web/plugins/userdb/ldap.py
index 3c99af3..612ded4 100644
--- a/web/plugins/userdb/ldap.py
+++ b/web/plugins/userdb/ldap.py
@@ -281,7 +281,7 @@ def ldap_user_groups(username, attr = 'cn'):
# Apply configured group ldap filter and only reply with groups
# having the current user as member
- filt = '(&%s(member=%s))' % (ldap_filter('groups'), user_dn)
+ filt = '(&%s(member=%s))' % (ldap_filter('groups'), ldap.filter.escape_filter_chars(user_dn))
# First get all groups
groups = []
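Review bot: `ldap.filter` is referenced as a submodule on the changed line, and no `import ldap.filter` is visible in this hunk; unless the file already imports it explicitly, relying on `import ldap` alone may fail with AttributeError depending on the python-ldap version, so confirm the import exists at the top of the file. I would also add a comment above the line, `# user_dn comes from the directory and may contain ( ) * or \, which are filter metacharacters`, so the escaping is not dropped in a later cleanup. `ldap_filter('groups')` stays unescaped, which is right only as long as it is an administrator-configured filter fragment; a short comment saying so would help. ldap_user_groups continues outside the hunk.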
Module: check_mk
Branch: master
Commit: c08aef3b4eaec08e1ddcb5a09ba6ae95bd960a7b
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=c08aef3b4eaec0…
Author: Andreas Boesl <ab(a)mathias-kettner.de>
Date: Mon Jan 14 10:15:27 2013 +0100
should_show_command_form returns false if nothing found
---
web/htdocs/views.py | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/web/htdocs/views.py b/web/htdocs/views.py
index c4b7774..5151c4d 100644
--- a/web/htdocs/views.py
+++ b/web/htdocs/views.py
@@ -2038,6 +2038,8 @@ def should_show_command_form(display_options, datasource):
if what in command["tables"] and config.may(command["permission"]):
return True
+ return False
+
def show_command_form(is_open, datasource):
# What commands are available depends on the Livestatus table we
# deal with. If a data source provides information about more