LdapUserGroupBackend: Do not permit to link different directories

I cannot think of a valid usecase right now. In case someone got one, revert this commit and make use of the backend itself and not only its configuration. refs #7343
2015-06-05 10:51:54 +02:00 · 2015-06-05 10:51:54 +02:00 · 02d2ea682e
parent 0ab192cd1f
commit 02d2ea682e
1 changed files with 12 additions and 1 deletions
--- a/library/Icinga/Authentication/UserGroup/LdapUserGroupBackend.php
+++ b/library/Icinga/Authentication/UserGroup/LdapUserGroupBackend.php
@ -544,7 +544,7 @@ class LdapUserGroupBackend /*extends LdapRepository*/ implements UserGroupBacken
     *
     * @return  $this
     *
-     * @throws  ConfigurationError      In case a linked user backend does not exist or is not a LdapUserBackend
+     * @throws  ConfigurationError      In case a linked user backend does not exist or is invalid
     */
    public function setConfig(ConfigObject $config)
    {
@ -562,6 +562,17 @@ class LdapUserGroupBackend /*extends LdapRepository*/ implements UserGroupBacken
                throw new ConfigurationError('User backend "%s" is not of type LDAP', $config->user_backend);
            }

+            if (
+                $this->ds->getHostname() !== $userBackend->getDataSource()->getHostname()
+                || $this->ds->getPort() !== $userBackend->getDataSource()->getPort()
+            ) {
+                // TODO(jom): Elaborate whether it makes sense to link directories on different hosts
+                throw new ConfigurationError(
+                    'It is required that a linked user backend refers to the '
+                    . 'same directory as it\'s user group backend counterpart'
+                );
+            }
+
            $defaults->merge(array(
                'user_base_dn'          => $userBackend->getBaseDn(),
                'user_class'            => $userBackend->getUserClass(),