};
}
+my $valid_sync_attributes = {
+ username => 1,
+ enable => 1,
+ expire => 1,
+ firstname => 1,
+ lastname => 1,
+ email => 1,
+ comment => 1,
+ keys => 1,
+};
+
+my sub verify_sync_attribute {
+ my ($attr, $value) = @_;
+
+ die "cannot map to invalid user sync attribute '$attr'\n" if !$valid_sync_attributes->{$attr};
+
+ # The attribute does not include the realm, so can't use PVE::Auth::Plugin::verify_username
+ if ($attr eq 'username') {
+ die "value '$value' does not look like a valid user name\n"
+ if $value !~ m/${PVE::Auth::Plugin::user_regex}/;
+ return;
+ }
+
+ return if $attr eq 'enable'; # for backwards compat, don't parse/validate
+
+ my $schema = PVE::JSONSchema::get_standard_option("user-$attr");
+ PVE::JSONSchema::validate($value, $schema, "invalid value '$value'\n");
+}
+
sub get_scheme_and_port {
my ($class, $config) = @_;
foreach my $attr (PVE::Tools::split_list($config->{sync_attributes})) {
my ($ours, $ldap) = ($attr =~ m/^\s*(\w+)=(.*)\s*$/);
+ if (!$valid_sync_attributes->{$ours}) {
+ warn "bad 'sync_attributes': cannot map to invalid attribute '$ours'\n";
+ next;
+ }
$ldap_attribute_map->{$ldap} = $ours;
}
foreach my $attr (keys %$user_attributes) {
if (my $ours = $ldap_attribute_map->{$attr}) {
- $ret->{$username}->{$ours} = $user_attributes->{$attr}->[0];
+ my $value = $user_attributes->{$attr}->[0];
+ eval { verify_sync_attribute($ours, $value) };
+ if (my $err = $@) {
+ warn "skipping attribute mapping '$attr'->'$ours' for user '$username' - $err";
+ next;
+ }
+ $ret->{$username}->{$ours} = $value;
}
}