Module: check_mk
Branch: master
Commit: 9e26de7e394be74fd03c3ab315f773e7b8cd677d
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=9e26de7e394be7…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Mon Jan 14 15:42:28 2013 +0100
LDAP: Role sync plugin validates the given group DNs with the group base dn now
---
web/htdocs/valuespec.py | 6 ++++++
web/plugins/userdb/ldap.py | 5 ++++-
2 files changed, 10 insertions(+), 1 deletions(-)
diff --git a/web/htdocs/valuespec.py b/web/htdocs/valuespec.py
index 030b553..0b985db 100644
--- a/web/htdocs/valuespec.py
+++ b/web/htdocs/valuespec.py
@@ -2144,6 +2144,7 @@ class Transform(ValueSpec):
class LDAPDistinguishedName(TextAscii):
def __init__(self, **kwargs):
TextAscii.__init__(self, **kwargs)
+ self.enforce_suffix = kwargs.get('enforce_suffix')
def validate_value(self, value, varprefix):
TextAscii.validate_value(self, value, varprefix)
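Review bot: `enforce_suffix` is introduced in `__init__` as an undocumented optional keyword, and it is still forwarded to `TextAscii.__init__` through `**kwargs` before being read. A one-line comment above the assignment would make the contract clear, e.g. `# Optional base DN; when set, validate_value() rejects values that do not end with it`. If a parent constructor ever rejects unknown keywords, take it out first with `kwargs.pop('enforce_suffix', None)` before the parent call; whether that is needed cannot be seen from this hunk.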
@@ -2152,6 +2153,11 @@ class LDAPDistinguishedName(TextAscii):
if value and 'dc=' not in value.lower():
raise MKUserError(varprefix, _('Found no "dc=" (Domain
Component).'))
+ # Check wether or not the given DN is below a base DN
+ if self.enforce_suffix and value and not
value.lower().endswith(self.enforce_suffix.lower()):
+ raise MKUserError(varprefix, _('Does not ends with "%s".')
% self.enforce_suffix)
+
+
class Password(TextAscii):
def __init__(self, **kwargs):
TextAscii.__init__(self, attrencode = True, **kwargs)
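Review bot: The added `endswith` test is a plain string comparison, so it ignores RDN boundaries and DN formatting. A value whose last component merely ends with the base DN's text passes, while an equivalent DN written with spaces after the commas (constructed sample: `dc=example, dc=com`) is rejected. Because this value decides which LDAP group grants a role, compare on a component boundary, e.g. `dn, base = value.lower(), self.enforce_suffix.lower()` then `if dn != base and not dn.endswith(',' + base):`, ideally after normalising whitespace around the commas. The new comment and message also contain typos (`wether`, `Does not ends with`). validate_value begins above this hunk, so its earlier checks are not visible here.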
diff --git a/web/plugins/userdb/ldap.py b/web/plugins/userdb/ldap.py
index 612ded4..dffc276 100644
--- a/web/plugins/userdb/ldap.py
+++ b/web/plugins/userdb/ldap.py
@@ -500,8 +500,11 @@ def ldap_list_roles_with_group_dn():
for role_id, role in load_roles().items():
elements.append((role_id, LDAPDistinguishedName(
title = role['alias'] + ' - ' + _("Specify the Group
DN"),
- help = _("Distinguished Name of the LDAP group to add users this
role."),
+ help = _("Distinguished Name of the LDAP group to add users this role.
This group must "
+ "be defined within the scope of the "
+ "<a
href=\"wato.py?mode=edit_configvar&varname=ldap_groupspec\">LDAP Group
Settings</a>."),
size = 80,
+ enforce_suffix = ldap_replace_macros(config.ldap_groupspec['dn']),
)))
return elements
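Review bot: `config.ldap_groupspec['dn']` is indexed without a guard on the new `enforce_suffix` line, so building the role list would raise KeyError if the group settings carry no `dn` entry. If the entry is an empty string, `enforce_suffix` is falsy and the suffix check in LDAPDistinguishedName is skipped with no hint to the administrator. The defaults of `config.ldap_groupspec` are not visible in this hunk, so confirm which case can occur. Consider `enforce_suffix = ldap_replace_macros(config.ldap_groupspec.get('dn', ''))` and a note in the help text when no group base DN is configured, so that disabled validation is visible rather than silent. The function body starts above the hunk.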