#1259 LDAP boolean values are improperly set
Closed: Fixed None Opened 12 years ago by simo.

I've found that the admin account by default has a nsaccountlock value of 'False'.
This is incorrect, according to RFC 4517 the only valid values for a boolean are: TRUE or FALSE (all capital).

Any occurrence of any other form to represent a boolean should be corrected, as 'False', strictly speaking, should be considered a malformed value.
This means, also strictly speaking, that the admin account should be considered disabled by default, as the nsaccountlock attribute contains invalid data and disabling is the more 'conservative' option security-wise.


Reassign to me. There are two parts here: the Bool class is hiding the actual values from Python code, so for LDAP->framework we can simply extend Bool's implementation of the scalar value convertor by adding u'TRUE' and u'FALSE' to the list of accepted constants.

On the other direction, framework->LDAP, one needs to treat Bool parameters specifically, to enforce TRUE/FALSE instead of True/False. This would require a bit more scattered fixes in ipalib/plugins/baseldap.py and around.

In general, it should be the responsibility of the framework's points talking to external sources to ensure proper conversion/encoding of the parameters. By doing so we also avoid spreading this knowledge out to all other plugins, which is good.
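As an added illustration of the two directions described in the comment above (this is example code, not FreeIPA's Bool parameter class; the function names and the dict-based entry shape are assumptions):

```python
# Added example, not FreeIPA code: RFC 4517 Boolean handling at the
# LDAP <-> framework boundary. Attribute values are modelled as lists of
# bytes/str under the attribute name, as an LDAP client library returns them.

RFC4517_TRUE = "TRUE"
RFC4517_FALSE = "FALSE"


def ldap_to_bool(value, strict=False):
    """LDAP -> framework: decode an LDAP Boolean into a Python bool.

    strict=True accepts only the RFC 4517 spellings 'TRUE' / 'FALSE'.
    strict=False is the lenient converter the comment proposes: it also
    accepts the Python-style 'True' / 'False' already present in entries.
    """
    if isinstance(value, bytes):
        value = value.decode("utf-8")
    if value in (RFC4517_TRUE, RFC4517_FALSE):
        return value == RFC4517_TRUE
    if not strict and value in ("True", "False"):
        return value == "True"
    raise ValueError("malformed LDAP Boolean value: %r" % (value,))


def bool_to_ldap(value):
    """framework -> LDAP: always emit the RFC 4517 spelling, never str(True)."""
    if not isinstance(value, bool):
        raise TypeError("expected bool, got %s" % type(value).__name__)
    return (RFC4517_TRUE if value else RFC4517_FALSE).encode("utf-8")


def account_is_locked(entry):
    """Read nsaccountlock conservatively: absent means unlocked, but a
    malformed value counts as locked instead of silently unlocking."""
    raw = entry.get("nsaccountlock")
    if not raw:
        return False
    try:
        return ldap_to_bool(raw[0], strict=True)
    except ValueError:
        return True  # invalid data must not grant access


def normalize_entry(entry):
    """Rewrite nsaccountlock into RFC 4517 form before it is written back."""
    fixed = dict(entry)
    if "nsaccountlock" in fixed:
        fixed["nsaccountlock"] = [bool_to_ldap(ldap_to_bool(v)) for v in fixed["nsaccountlock"]]
    return fixed
```

A constructed entry such as `{"uid": ["admin"], "nsaccountlock": ["False"]}` reads as locked under the strict interpretation, and `normalize_entry` turns it into `[b"FALSE"]`, which then decodes as unlocked.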

Patch is sent for review.

Mark the ticket as having the patch on review.

Related improvement committed:

master: b93e0b8

Metadata Update from @simo:
- Issue assigned to abbra
- Issue set to the milestone: FreeIPA 2.1 - 2011/07

7 years ago
