authorRob Crittenden <rcritten@redhat.com>2008-05-14 09:47:50 -0400
committerRob Crittenden <rcritten@redhat.com>2008-05-14 09:47:50 -0400
commit07603b45e7812db7cda6d328f362d96856b394e5 (patch)
treeec72d7075b0b7ef47745a59c5e5e43f8bd706531
parentd6b6e3aa24eeafd0a1ef6648d240e27af8586046 (diff)
Enforce the maximum username length set by IPA Policy
439891
-rw-r--r--ipa-python/ipaerror.py5
-rw-r--r--ipa-server/xmlrpc-server/funcs.py25
2 files changed, 30 insertions, 0 deletions
diff --git a/ipa-python/ipaerror.py b/ipa-python/ipaerror.py
index 925f510f..9357bd74 100644
--- a/ipa-python/ipaerror.py
+++ b/ipa-python/ipaerror.py
@@ -183,6 +183,11 @@ INPUT_SERVICE_PRINCIPAL_REQUIRED = gen_error_code(
0x000A,
"You cannot remove IPA server service principals.")
+INPUT_UID_TOO_LONG = gen_error_code(
+ INPUT_CATEGORY,
+ 0x0009,
+ "The requested username is too long.")
+
#
# Connection errors
#
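Review bot: `INPUT_UID_TOO_LONG` is given code `0x0009` although the entry directly above it already uses `0x000A`, so the number is out of sequence and may already belong to another INPUT_CATEGORY error defined above this hunk. If two errors share a code, a client that branches on the numeric value cannot tell them apart. Unless `0x0009` is known to be free, use the next unused value instead (presumably `0x000B,`). A short comment such as `# Raised when a uid exceeds ipamaxusernamelength` would also record which policy attribute drives the error.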
diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.py
index 35163265..435c9afd 100644
--- a/ipa-server/xmlrpc-server/funcs.py
+++ b/ipa-server/xmlrpc-server/funcs.py
@@ -460,6 +460,27 @@ class IPAServer:
except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
return True
+ def __uid_too_long(self, uid, opts):
+ """Verify that the new uid is within the limits we set. This is a
+ very narrow test.
+
+ Returns True if it is longer than allowed
+ False otherwise
+ """
+ if not isinstance(uid,basestring) or len(uid) == 0:
+ # It is bad, but not too long
+ return False
+ logging.debug("IPA: __uid_too_long(%s)" % uid)
+ try:
+ config = self.get_ipa_config(opts)
+ maxlen = int(config.get('ipamaxusernamelength', 0))
+ if maxlen > 0 and len(uid) > maxlen:
+ return True
+ except Exception, e:
+ logging.debug("There was a problem " + str(e))
+
+ return False
+
def get_user_by_uid (self, uid, sattrs, opts=None):
"""Get a specific user's entry. Return as a dict of values.
Multi-valued fields are represented as lists.
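Review bot: `__uid_too_long` fails open: the `except Exception, e:` branch only writes a debug message and falls through to `return False`, so any failure in `get_ipa_config` or in the `int()` conversion silently switches the length policy off. If `ipamaxusernamelength` comes back as a list (the `get_user_by_uid` docstring below says multi-valued fields do, though `get_ipa_config` is not visible here), `int()` would raise on every call and the limit would never be enforced. Consider narrowing the handler and failing closed, e.g. replacing the debug line with `logging.error("IPA: cannot evaluate ipamaxusernamelength: " + str(e))` followed by `raise`. The early `return False` for a non-string or empty uid means both call sites depend on some other check to reject such values; a comment saying which check that is would help. `get_user_by_uid` continues outside the hunk.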
@@ -531,6 +552,8 @@ class IPAServer:
if not self.__is_user_unique(user['uid'], opts):
raise ipaerror.gen_exception(ipaerror.LDAP_DUPLICATE)
+ if self.__uid_too_long(user['uid'], opts):
+ raise ipaerror.gen_exception(ipaerror.INPUT_UID_TOO_LONG)
# dn is set here, not by the user
try:
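Review bot: The length check runs after `__is_user_unique`, so an overlong `user['uid']` is still handed to the uniqueness lookup before it is rejected. Moving the two added lines above `if not self.__is_user_unique(user['uid'], opts):` rejects oversize input before it reaches the directory and avoids answering `LDAP_DUPLICATE` for a name that is invalid anyway. In the rename path of the next hunk the helper receives `newentry.get('uid')`, which can be `None` and is then reported as not too long. The enclosing function starts and ends outside this hunk.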
@@ -1016,6 +1039,8 @@ class IPAServer:
newrdn = 0
if oldentry.get('uid') != newentry.get('uid'):
+ if self.__uid_too_long(newentry.get('uid'), opts):
+ raise ipaerror.gen_exception(ipaerror.INPUT_UID_TOO_LONG)
# RDN change
conn = self.getConnection(opts)
try: