fix(user_ldap): Check that all user and group bases are in the global one

Signed-off-by: Côme Chilliet <[email protected]>
come-nc authored and AndyScherzinger committed Feb 25, 2025
commit 36d756ab0f3cf8a6037b050015073245719fcccc
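--- a/apps/user_ldap/ajax/testConfiguration.php
+++ b/apps/user_ldap/ajax/testConfiguration.php
@@ -23,19 +23,18 @@
 
 
 try {
-$configurationOk = true;
 $configurationError = '';
 $conf = $connection->getConfiguration();
 if ($conf['ldap_configuration_active'] === '0') {
 //needs to be true, otherwise it will also fail with an irritating message
 $conf['ldap_configuration_active'] = '1';
-try {
-$configurationOk = $connection->setConfiguration($conf, throw:true);
-} catch (ConfigurationIssueException $e) {
-$configurationError = $e->getHint();
-}
 }
-if ($configurationOk) {
+try {
+$connection->setConfiguration($conf, throw:true);
+} catch (ConfigurationIssueException $e) {
+$configurationError = $e->getHint();
+}
+if ($configurationError === '') {
 //Configuration is okay
 /*
 * Closing the session since it won't be used from this point on. There might be a potential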
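Review bot: `if ($configurationError === '')` now stands in for the dropped `$configurationOk` flag, so a `ConfigurationIssueException` whose `getHint()` happens to be an empty string would be treated as a valid configuration and the handler would continue as if validation had passed. Tracking failure independently of the hint text keeps success and message decoupled, e.g. `$failure = null;` before the `try`, `} catch (ConfigurationIssueException $e) { $failure = $e; $configurationError = $e->getHint(); }`, and `if ($failure === null) {` in place of the string comparison. The enclosing outer `try {` opened at the top of the hunk is closed outside it, so any other exception type thrown by `setConfiguration()` is handled by code not visible here.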
44 changes: 35 additions & 9 deletions apps/user_ldap/lib/Connection.php
@@ -456,8 +456,6 @@ private function doSoftValidation(): void {
* @throws ConfigurationIssueException
*/
private function doCriticalValidation(): void {
$configurationOK = true;

//options that shall not be empty
$options = ['ldapHost', 'ldapUserDisplayName',
'ldapGroupDisplayName', 'ldapLoginFilter'];
@@ -490,7 +488,6 @@ private function doCriticalValidation(): void {
$subj = $key;
break;
}
$configurationOK = false;
throw new ConfigurationIssueException(
'No ' . $subj . ' given!',
$this->l10n->t('Mandatory field "%s" left empty', $subj),
@@ -502,14 +499,12 @@ private function doCriticalValidation(): void {
$agent = $this->configuration->ldapAgentName;
$pwd = $this->configuration->ldapAgentPassword;
if ($agent === '' && $pwd !== '') {
$configurationOK = false;
throw new ConfigurationIssueException(
'A password is given, but not an LDAP agent',
$this->l10n->t('A password is given, but not an LDAP agent'),
);
}
if ($agent !== '' && $pwd === '') {
$configurationOK = false;
throw new ConfigurationIssueException(
'No password is given for the user agent',
$this->l10n->t('No password is given for the user agent'),
@@ -520,23 +515,54 @@ private function doCriticalValidation(): void {
$baseUsers = $this->configuration->ldapBaseUsers;
$baseGroups = $this->configuration->ldapBaseGroups;

if (empty($base) && empty($baseUsers) && empty($baseGroups)) {
$configurationOK = false;
if (empty($base)) {
throw new ConfigurationIssueException(
'Not a single Base DN given.',
'Not a single Base DN given',
$this->l10n->t('No LDAP base DN was given'),
);
}

if (!empty($baseUsers) && !$this->checkBasesAreValid($baseUsers, $base)) {
throw new ConfigurationIssueException(
'User base is not in root base',
$this->l10n->t('User base DN is not a subnode of global base DN'),
);
}

if (!empty($baseGroups) && !$this->checkBasesAreValid($baseGroups, $base)) {
throw new ConfigurationIssueException(
'Group base is not in root base',
$this->l10n->t('Group base DN is not a subnode of global base DN'),
);
}

if (mb_strpos((string)$this->configuration->ldapLoginFilter, '%uid', 0, 'UTF-8') === false) {
$configurationOK = false;
throw new ConfigurationIssueException(
'Login filter does not contain %uid place holder.',
$this->l10n->t('Login filter does not contain %uid place holder'),
);
}
}

/**
* Checks that all bases are subnodes of one of the root bases
*/
private function checkBasesAreValid(array $bases, array $rootBases): bool {
foreach ($bases as $base) {
$ok = false;
foreach ($rootBases as $rootBase) {
if (str_ends_with($base, $rootBase)) {
$ok = true;
break;
}
}
if (!$ok) {
return false;
}
}
return true;
}

/**
* Validates the user specified configuration
* @return bool true if configuration seems OK, false otherwise
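Review bot: `checkBasesAreValid()` decides the subtree relationship with `str_ends_with($base, $rootBase)`, a byte-wise suffix comparison, so two DNs that differ only in letter case or in spaces after the separating commas (variations LDAP servers commonly treat as the same DN) are rejected as "not in root base", while a root base entry that is an empty string accepts every base because `str_ends_with($x, '')` is `true`. Normalizing both strings before the comparison (trim, drop spaces around `,`, fold case) or comparing RDN components from the right would make the check match what the new error messages promise; an explicit guard such as `if ($rootBase === '') { continue; }` would also keep an empty root entry from silently passing everything. The helper's docblock should state the element types the loops assume, e.g. `@param string[] $bases` and `@param string[] $rootBases`, since `str_ends_with()` will throw a `TypeError` under `strict_types` for non-string entries. The same `checkBasesAreValid()` call guards both the user-base and group-base checks, so the fix applies to both callers at once.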