Parameter suffix failed, because of too restrictive patterns in openldap/lib/puppet/type/openldap_database.rb #396

Closed
wkernler opened this issue Oct 13, 2023 · 2 comments · Fixed by #402

Comments

@wkernler

wkernler commented Oct 13, 2023

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 7.26.0
  • Ruby: 2.7.6
  • Distribution: RHEL 7/8/9
  • Module version: 7.0.0

How to reproduce (e.g Puppet code you use)

openldap::server::database { 'xxOuId=AT:YY:999,dc=at': ... }

What are you seeing

Error: Failed to apply catalog: Parameter suffix failed on Openldap_database[xxOuId=AT:YY:999,dc=at]: 
Invalid value (file: /etc/puppetlabs/code/environments/xxxx/modules/openldap/manifests/server/database.pp, line: 70)

What behaviour did you expect instead

Successful creation of database

Output log

Any additional information you'd like to impart

There are two problems:

  • xxOuId is not allowed as key in the pattern
  • a colon (:) in the value is not allowed in the pattern

I could work around this error by adding an extra rule to openldap/lib/puppet/type/openldap_database.rb:

  newparam(:suffix, namevar: true) do
    desc 'The default namevar.'
    validate do |value|
      raise ArgumentError, 'Invalid value' unless [
        /\Acn=config\z/,
        /\Acn=monitor\z/,
        %r{\AxxOuId=[[:alnum:].:-]+(,(dc|o)=[[:alnum:].-]+)*\z}, # WORKAROUND: xxOuId and ':' in value
        %r{\A(dc|o)=[[:alnum:].-]+(,(dc|o)=[[:alnum:].-]+)*\z},
      ].any? do |pattern|
        pattern.match?(value)
      end
    end
  end
@virus2500

Hi, seems like a similar problem I am facing in #391

@smortex
Member

smortex commented Jan 5, 2024

Hum, I guess I was influenced by RFC2247 and also added o= support to cope with the test suite. A parser that matches the grammar from RFC2253 seems needed if we want something reliable…

smortex added a commit that referenced this issue Jan 5, 2024
The validation of the `suffix` parameter assumed conformance with
RFC2247, but this is not a requirement and causes trouble to some users.

A full validation of the suffix syntax to check if it conforms to
RFC2253 is probably overkill, so for now, we just relax the used regexp
to allow valid values which were previously rejected.

Some valid DN syntax are still rejected, as supporting them would
require to replace the regexp with a parser.  Add them as known-bad
examples in the test suite (pending tests).

Fixes #391
Fixes #396
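
The comment and commit message above both say that reliable validation would mean replacing the regexp list with a parser; the following is an added example of that idea, not code from the openldap module or its maintainers. The `SuffixDn` module and its method names are hypothetical, and it covers only a subset of the RFC2253 string form (no quoted values, no whitespace around separators).

```ruby
require 'strscan'

# Added illustration (hypothetical SuffixDn module), not the module's own code.
# Subset of the RFC 2253 string form: descriptor or dotted-OID attribute types,
# "+" multi-valued RDNs, backslash escapes and "#hex" values. Quoted values and
# spaces around separators are not handled; empty values are rejected on purpose.
module SuffixDn
  ATTR_TYPE = /[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*/
  PLAIN     = /[^,=+<>#;\\"]/                 # any char that needs no escaping
  ESCAPE    = /\\(?:[,=+<>#;\\"]|\h\h)/       # "\," style or "\2C" style
  VALUE     = /\#(?:\h\h)+|(?:#{PLAIN}|#{ESCAPE})+/

  # Returns one array per RDN, each holding [type, value] pairs.
  # Raises ArgumentError with the offending offset on malformed input.
  def self.parse(dn)
    s = StringScanner.new(dn)
    rdns = [[]]
    loop do
      type = s.scan(ATTR_TYPE) || raise(ArgumentError, "bad attribute type at offset #{s.pos}")
      s.scan(/=/) || raise(ArgumentError, "expected '=' at offset #{s.pos}")
      value = s.scan(VALUE) || raise(ArgumentError, "bad value at offset #{s.pos}")
      rdns.last << [type, value]
      break if s.eos?

      case s.getch
      when ',' then rdns << []   # start the next RDN
      when '+' then next         # another pair in the same RDN
      else raise ArgumentError, "unexpected character at offset #{s.pos - 1}"
      end
    end
    rdns
  end

  def self.valid?(dn)
    parse(dn)
    true
  rescue ArgumentError
    false
  end
end

# Constructed sample suffixes; the first is the value from this issue.
if __FILE__ == $PROGRAM_NAME
  ['xxOuId=AT:YY:999,dc=at', 'cn=config', 'dc=a;dc=b'].each do |dn|
    puts "#{dn.inspect} => #{SuffixDn.valid?(dn)}"
  end
end
```

Because the scanner must consume the whole string, a trailing separator or an unescaped special character is rejected rather than silently ignored.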