add validation to prevent filters on dn lookups by deads2k · Pull Request #9134 · openshift/origin

deads2k · 2016-06-02T12:48:39Z

Bug https://bugzilla.redhat.com/show_bug.cgi?id=1339325

Tightens validation for ldap sync config. Filters on dn lookups don't work.

@stevekuznetsov can you tag this for the right extended test?

stevekuznetsov · 2016-06-02T13:03:50Z

[testonlyextended][extended:ldap_groups]

deads2k · 2016-06-02T13:05:12Z

[test]

stevekuznetsov · 2016-06-02T13:40:32Z

error: validation of LDAP sync config failed: usersQuery.filter: Invalid value: "(objectclass=inetOrgPerson)": cannot specify a filter when using "dn" as the UID attribute
See 'oadm groups sync -h' for help and examples.
!!! Error in test/extended/ldap_groups.sh:231
    'oadm groups sync --sync-config=sync-config-paging.yaml --confirm' exited with status 1

hoisted by your own petard?

deads2k · 2016-06-02T13:42:34Z

hoisted by your own petard?

I blame the guy who wrote a set of tests that were wrong :).

deads2k · 2016-06-02T16:54:14Z

@stevekuznetsov other than the test, anything?

stevekuznetsov · 2016-06-02T17:14:28Z

pkg/cmd/server/api/validation/ldap.go

+		return validationResults
+	}
+
 	if _, err := ldap.CompileFilter(query.Filter); err != nil {


This implicitly disallows not specifying a filter, so how is the validation not failing for those missing filters?

stevekuznetsov · 2016-06-02T17:15:58Z

This allows queries without filters, which complicates the config substantially... let's see the Docs PR to determine how onerous it is to explain this.

deads2k · 2016-06-02T17:40:41Z

This allows queries without filters, which complicates the config substantially... let's see the Docs PR to determine how onerous it is to explain this.

It only allows them when the caller explicitly says, "this exact one (not category) will only be used to lookup dns". I don't think it affects docs at all. Even if it does, do you see us not doing this?

stevekuznetsov · 2016-06-02T17:46:16Z

I understand it's correct, but clearly there is a documentation gap -- we should definitely doc that a filter is not expected and will not be used if the UID attribute for a query is the DN.

openshift-bot · 2016-06-03T14:55:21Z

Evaluated for origin testonlyextended up to 9351adc

openshift-bot · 2016-06-03T14:55:31Z

Evaluated for origin test up to 9351adc

openshift-bot · 2016-06-03T15:24:05Z

continuous-integration/openshift-jenkins/testonlyextended SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin_extended/206/) (Extended Tests: ldap_groups)

deads2k · 2016-06-03T15:38:13Z

[merge]

openshift-bot · 2016-06-03T15:40:33Z

continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/4422/) (Image: devenv-rhel7_4311)

openshift-bot · 2016-06-03T15:40:34Z

Evaluated for origin merge up to 9351adc

openshift-bot · 2016-06-03T16:03:34Z

continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/4422/)

Delete filter due to openshift/origin#9134

deads2k assigned stevekuznetsov Jun 2, 2016

deads2k force-pushed the fix-ldap branch from 8040966 to b35a278 Compare June 2, 2016 16:53

stevekuznetsov reviewed Jun 2, 2016
View reviewed changes

add validation to prevent filters on dn lookups

9351adc

deads2k force-pushed the fix-ldap branch from b35a278 to 9351adc Compare June 3, 2016 14:50

openshift-bot merged commit ad7eca0 into openshift:master Jun 3, 2016

wsun1 added a commit to openshift-qe/v3-testfiles that referenced this pull request Aug 4, 2016

Merge pull request #418 from wjiangjay/patch-4

42bb241

Delete filter due to openshift/origin#9134

deads2k deleted the fix-ldap branch September 6, 2016 17:14

Conversation

deads2k commented Jun 2, 2016

Uh oh!

stevekuznetsov commented Jun 2, 2016

Uh oh!

deads2k commented Jun 2, 2016

Uh oh!

stevekuznetsov commented Jun 2, 2016

Uh oh!

deads2k commented Jun 2, 2016

Uh oh!

deads2k commented Jun 2, 2016

Uh oh!

stevekuznetsov Jun 2, 2016

Choose a reason for hiding this comment

Uh oh!

stevekuznetsov commented Jun 2, 2016

Uh oh!

deads2k commented Jun 2, 2016

Uh oh!

stevekuznetsov commented Jun 2, 2016

Uh oh!

openshift-bot commented Jun 3, 2016

Uh oh!

openshift-bot commented Jun 3, 2016

Uh oh!

openshift-bot commented Jun 3, 2016

Uh oh!

deads2k commented Jun 3, 2016

Uh oh!

openshift-bot commented Jun 3, 2016 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

openshift-bot commented Jun 3, 2016

Uh oh!

openshift-bot commented Jun 3, 2016

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

openshift-bot commented Jun 3, 2016 •

edited

Loading