Check_MK Git: check_mk: LDAP: Role sync plugin validates the given group DNs with the group base dn now - Checkmk git commits

14 Jan 2013

Module: check_mk
Branch: master
Commit: 9e26de7e394be74fd03c3ab315f773e7b8cd677d
URL:   
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=9e26de7e394be7…

Author: Lars Michelsen &lt;lm(a)mathias-kettner.de&gt;
Date:   Mon Jan 14 15:42:28 2013 +0100

LDAP: Role sync plugin validates the given group DNs with the group base dn now

---

 web/htdocs/valuespec.py    |    6 ++++++
 web/plugins/userdb/ldap.py |    5 ++++-
 2 files changed, 10 insertions(+), 1 deletions(-)

diff --git a/web/htdocs/valuespec.py b/web/htdocs/valuespec.py
index 030b553..0b985db 100644
--- a/web/htdocs/valuespec.py
+++ b/web/htdocs/valuespec.py
@@ -2144,6 +2144,7 @@ class Transform(ValueSpec):
 class LDAPDistinguishedName(TextAscii):
     def __init__(self, **kwargs):
         TextAscii.__init__(self, **kwargs)
+        self.enforce_suffix = kwargs.get('enforce_suffix')
 
     def validate_value(self, value, varprefix):
         TextAscii.validate_value(self, value, varprefix)
@@ -2152,6 +2153,11 @@ class LDAPDistinguishedName(TextAscii):
         if value and 'dc=' not in value.lower():
             raise MKUserError(varprefix, _('Found no "dc=" (Domain
Component).'))
 
+        # Check wether or not the given DN is below a base DN
+        if self.enforce_suffix and value and not
value.lower().endswith(self.enforce_suffix.lower()):
+            raise MKUserError(varprefix, _('Does not ends with "%s".')
% self.enforce_suffix)
+
+
 class Password(TextAscii):
     def __init__(self, **kwargs):
         TextAscii.__init__(self, attrencode = True, **kwargs)
diff --git a/web/plugins/userdb/ldap.py b/web/plugins/userdb/ldap.py
index 612ded4..dffc276 100644
--- a/web/plugins/userdb/ldap.py
+++ b/web/plugins/userdb/ldap.py
@@ -500,8 +500,11 @@ def ldap_list_roles_with_group_dn():
     for role_id, role in load_roles().items():
         elements.append((role_id, LDAPDistinguishedName(
             title = role['alias'] + ' - ' + _("Specify the Group
DN"),
-            help  = _("Distinguished Name of the LDAP group to add users this
role."),
+            help  = _("Distinguished Name of the LDAP group to add users this role.
This group must "
+                      "be defined within the scope of the "
+                      "<a
href=\"wato.py?mode=edit_configvar&varname=ldap_groupspec\">LDAP Group
Settings</a>."),
             size  = 80,
+            enforce_suffix = ldap_replace_macros(config.ldap_groupspec['dn']),
         )))
     return elements
 


    