[dev.icinga.com #11114] Validate that a proper root DN is set for LDAP resources

[icinga-migration]

This issue has been migrated from Redmine: https://dev.icinga.com/issues/11114

Created by buzzdeee on 2016-02-08 21:13:48 +00:00

Assignee: aklimov
Status: Resolved (closed on 2016-02-09 09:35:03 +00:00)
Target Version: 2.2.0
Last Update: 2016-02-09 12:55:40 +00:00 (in Redmine)

---

I use icingaweb2 2.1.2, and I (accidently) had an ldap resource configured like this:

[icingaweb2_ldap]
type = "ldap"
port = "389"
hostname = "localhost"
encryption = "none"
root_dn = ""
bind_dn = ""
bind_pw = ""

with that, when I go to:
/icingaweb2/user/list

everything is fine,
but when I go to:
/icingaweb2/group/list

I get error message in the web interface and in logs like this:

ErrorException in /icinga-web2/library/Icinga/Repository/LdapRepository.php:87 with message: strpos(): Empty needle

to better illustrate the problem, this was my kind of hackish way to work around it, before I figured,
that I should just set a proper root_dn for my LDAP resource:

--- library/Icinga/Repository/LdapRepository.php.orig Mon Feb 8 12:06:05 2016

**+ library/Icinga/Repository/LdapRepository.php Mon Feb 8 12:06:44 2016
@ -83,6 +83,10 @ abstract class LdapRepository extends Repository
{
$normalizedDn = strtolower(join(',', array_map('trim', explode(',', $dn))));
$normalizedBaseDn = strtolower(join(',', array_map('trim', explode(',', $baseDn ?: $this~~ds~~>getDn()))));

• return strpos($normalizedDn, $normalizedBaseDn) ! false;

•    if (empty($normalizedBaseDn)) {
  

•      return false;
  

•    } else {
  

•      return strpos($normalizedDn, $normalizedBaseDn) ! false;
  

• }
  }
  }

Changesets

2016-02-09 09:14:11 +00:00 by aklimov ee66917

LdapConnection: disallow an empty root DN

refs #11114

2016-02-09 09:29:08 +00:00 by aklimov 34afcc0

LdapConnection: disallow an empty root DN

fixes #11114

---

Relations:

• duplicates #11114

[icinga-migration]

Updated by jmeyer on 2016-02-09 08:20:02 +00:00

• Subject changed from LDAP group authorization configuration issue when root_dn is empty in LDAP resource to Validate that a proper root DN is set for LDAP resources
• Category changed from Authentication & Authorization to Configuration
• Status changed from New to Assigned
• Assigned to set to aklimov
• Target Version set to 2.2.0

Hi,

thanks for your report. This is a common issue in the last months, but no one created an ticket for it. Again, thanks for the reminder! :)

We'll take care of it asap.

Best regards,
Johannes

[icinga-migration]

Updated by aklimov on 2016-02-09 09:16:59 +00:00

• Status changed from Assigned to Feedback
• Assigned to changed from aklimov to jmeyer

[icinga-migration]

Updated by aklimov on 2016-02-09 09:35:03 +00:00

• Status changed from Feedback to Resolved
• Done % changed from 0 to 100

Applied in changeset 34afcc0.

[icinga-migration]

Updated by jmeyer on 2016-02-09 12:55:41 +00:00

• Assigned to changed from jmeyer to aklimov

[icinga-migration]

Updated by jmeyer on 2016-06-04 14:37:27 +00:00

• Duplicated set to 10747