LDAP sync: bail if there is no schema to verify an attribute's value

Should not matter for now, but better to to catch explicitly, e.g., if
anybody ever adds new attributes or changes the default options names
without adapting this too.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>

diff --git a/src/PVE/Auth/LDAP.pm b/src/PVE/Auth/LDAP.pm
index 56b56d4a0278d23f239b664added052d456d0b8d..0f9403d3349ce5fd5319721d2c1184bb3ed6c4de 100755 (executable)
--- a/src/PVE/Auth/LDAP.pm
+++ b/src/PVE/Auth/LDAP.pm
@@ -178,8 +178,11 @@ my sub verify_sync_attribute_value {
 
     return if $attr eq 'enable'; # for backwards compat, don't parse/validate
 
-    my $schema = PVE::JSONSchema::get_standard_option("user-$attr");
-    PVE::JSONSchema::validate($value, $schema, "invalid value '$value'\n");
+    if (my $schema = PVE::JSONSchema::get_standard_option("user-$attr")) {
+       PVE::JSONSchema::validate($value, $schema, "invalid value '$value'\n");
+    } else {
+       die "internal error: no schema for attribute '$attr' with value '$value' available!\n";
+    }
 }
 
 sub get_scheme_and_port {
@@ -283,6 +286,7 @@ sub get_users {
        email => 'email',
        comment => 'comment',
        keys => 'keys',
+       # NOTE: also ensure verify_sync_attribute_value can handle any new/changed attribute name
     };
     # build on the fly as this is small and only called once per realm in a ldap-sync anyway
     my $valid_sync_attributes = map { $_ => 1 } values $ldap_attribute_map->%*;