annotate mod_lib_ldap/ldap.lib.lua @ 4269:143515d0b212

mod_http_oauth2: Factor out authorization code validity decision I intend to use it for a couple of more things, so having a single definition helps keep things tidy
author Kim Alvefur <zash@zash.se>
date Sun, 22 Nov 2020 18:39:55 +0100
parents 66b3085ecc49
children
1 -- vim:sts=4 sw=4
2
3 -- Prosody IM
4 -- Copyright (C) 2008-2010 Matthew Wild
5 -- Copyright (C) 2008-2010 Waqas Hussain
6 -- Copyright (C) 2012 Rob Hoelz
7 --
8 -- This project is MIT/X11 licensed. Please see the
9 -- COPYING file in the source package for more information.
10 --
11
local ldap;        -- the lualdap module; assigned by the do-block at the end of this file
local connection;  -- NOTE(review): never read or assigned anywhere in this file
-- Raw "ldap" section of the Prosody config.  connect() reads bind_password
-- from it, so this table holds a secret: do not log it or hand it to clients.
local params = module:get_option("ldap");
local format = string.format;
local tconcat = table.concat;

local _M = {};
-- Schema consumed by run_validation(): each leaf is a Lua type name, a
-- trailing '?' marks an optional leaf, `_optional = true` marks an optional
-- sub-table and `_member` is the schema applied to every array entry.
-- NOTE(review): bind_dn, bind_password and use_tls are read by connect() but
-- are not declared here, so enabling validate_config() as written would
-- reject a config that sets them as 'invalid parameter'.
local config_params = {
    hostname = 'string',
    user = {
        basedn = 'string',        -- search base for the user lookup in _M.bind
        namefield = 'string',
        filter = 'string',        -- AND-ed into the user lookup filter in _M.bind
        usernamefield = 'string', -- attribute matched against the login name in _M.bind
    },
    groups = {
        basedn = 'string',
        namefield = 'string',
        memberfield = 'string',

        -- schema for each entry of the groups array
        _member = {
            name = 'string',
            admin = 'boolean?',
        },
    },
    -- derived from the admin group by validate_config() when absent
    admin = {
        _optional = true,
        basedn = 'string',
        namefield = 'string',
        filter = 'string',
    }
}
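local function run_validation(params, config, prefix)
    -- Check the config table `params` against the schema `config`, which has
    -- the same shape: leaves are Lua type names ('string', 'boolean', ...),
    -- a trailing '?' makes a leaf optional, a sub-table is a sub-schema
    -- (optional when it carries `_optional = true`) and `_member` is the
    -- schema applied to each integer-keyed (array) entry.  `config[k]` may
    -- also be answered by a metatable __index (validate_config installs one
    -- around its call).  Returns true, or nil plus a message naming the
    -- dotted path (`prefix` is the path of the table being checked) of the
    -- first problem found.
    prefix = prefix or '';

    -- verify that every required member of config is present in params
    for k, v in pairs(config) do
        if type(k) == 'string' and k:sub(1, 1) ~= '_' then
            local is_optional;
            if type(v) == 'table' then
                is_optional = v._optional;
            else
                is_optional = v:sub(-1) == '?';
            end

            if not is_optional and params[k] == nil then
                return nil, prefix .. k .. ' is required';
            end
        end
    end

    -- verify that everything present in params is known and well-typed
    for k, v in pairs(params) do
        local expected_type = config[k];

        local ok, err = true;

        if type(k) == 'string' then
            -- keys starting with '_' are schema metadata, never config
            if k:sub(1, 1) == '_' or expected_type == nil then
                return nil, 'invalid parameter ' .. prefix .. k;
            end

            -- type validation
            if type(expected_type) == 'string' then
                if expected_type:sub(-1) == '?' then
                    expected_type = expected_type:sub(1, -2);
                end

                if type(v) ~= expected_type then
                    return nil, 'invalid type for parameter ' .. prefix .. k;
                end
            else -- it's a table (or had better be)
                if type(v) ~= 'table' then
                    return nil, 'invalid type for parameter ' .. prefix .. k;
                end

                -- recurse into child
                ok, err = run_validation(v, expected_type, prefix .. k .. '.');
            end
        else -- it's an integer (or had better be)
            if not config._member then
                return nil, 'invalid parameter ' .. prefix .. tostring(k);
            end

            -- Array entries are checked against the _member schema, which is
            -- a table, so the entry itself must be a table; without this
            -- check the recursive call would hit pairs() on a string/number
            -- and raise instead of reporting the bad config.
            if type(v) ~= 'table' then
                return nil, 'invalid type for parameter ' .. prefix .. tostring(k);
            end

            ok, err = run_validation(v, config._member, prefix .. tostring(k) .. '.');
        end

        if not ok then
            return ok, err;
        end
    end

    return true;
end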
local function validate_config()
    -- Validate the "ldap" config table (`params`) against config_params.
    -- NOTE(review): the early return below disables everything that follows,
    -- so any config shape is currently accepted and problems only surface
    -- later as nil dereferences (e.g. params.user.usernamefield in _M.bind).
    -- Before removing the bypass, add bind_dn, bind_password and use_tls
    -- (read by connect()) to config_params, otherwise run_validation rejects
    -- them as 'invalid parameter'.
    if true then
        return true; -- XXX for now
    end

    -- this is almost too clever (I mean that in a bad
    -- maintainability sort of way)
    --
    -- basically this allows a free pass for a key in group members
    -- equal to params.groups.namefield
    -- (the metatable is installed on the shared module-level schema and
    -- removed again right after the call, so this function is not reentrant)
    setmetatable(config_params.groups._member, {
        __index = function(_, k)
            if k == params.groups.namefield then
                return 'string';
            end
        end
    });

    local ok, err = run_validation(params, config_params);

    setmetatable(config_params.groups._member, nil);

    if ok then
        -- a little extra validation that doesn't fit into
        -- my recursive checker
        local group_namefield = params.groups.namefield;
        for i, group in ipairs(params.groups) do
            if not group[group_namefield] then
                return nil, format('groups.%d.%s is required', i, group_namefield);
            end
        end

        -- fill in params.admin if you can
        -- (params.groups is required by the schema, so it is always set here)
        if not params.admin and params.groups then
            local admingroup;

            -- the first group flagged admin = true wins
            for _, groupconfig in ipairs(params.groups) do
                if groupconfig.admin then
                    admingroup = groupconfig;
                    break;
                end
            end

            if admingroup then
                -- Synthesise an admin lookup: search the groups subtree for the
                -- admin group and treat its member attribute as the name field.
                -- The filter value comes from the config file, not from a
                -- client, so it is used without RFC 4515 escaping.
                params.admin = {
                    basedn = params.groups.basedn,
                    namefield = params.groups.memberfield,
                    filter = group_namefield .. '=' .. admingroup[group_namefield],
                };
            end
        end
    end

    return ok, err;
end
-- what to do if connection isn't available?
local function connect()
    -- Open a service connection with the lookup account from the "ldap"
    -- config (bind_dn / bind_password); use_tls is handed to lualdap as its
    -- TLS flag.  Returns whatever lualdap.open_simple returns: a connection,
    -- or nil plus an error message.
    -- NOTE(review): unless use_tls is set (or the client library is otherwise
    -- configured for TLS), the bind password here -- and every user password
    -- sent by the simple bind in _M.bind -- crosses the network in clear
    -- text.  Certificate verification is governed by the LDAP client
    -- library's own configuration; confirm it is not set to accept any
    -- certificate.
    local hostname, bind_dn, bind_password, use_tls =
        params.hostname, params.bind_dn, params.bind_password, params.use_tls;
    return ldap.open_simple(hostname, bind_dn, bind_password, use_tls);
end
-- this is abstracted so we can maintain persistent connections at a later time
function _M.getconnection()
    -- Hand out a service connection.  Today every call opens a fresh one
    -- through connect(); a failure is raised as an error carrying lualdap's
    -- message rather than returned as nil, so callers need not check.
    local conn, err = connect();
    return assert(conn, err);
end
function _M.getparams()
    -- Return the module's "ldap" config table itself, not a copy.  It holds
    -- bind_password (read by connect()), so callers must not log or expose
    -- it, and any field a caller changes is seen by every other user of
    -- this library.
    return params;
end
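-- RFC 4515 section 3 escaping for a value embedded in a search filter.
-- Without it a client-chosen username such as "*" or "x)(uid=*" changes the
-- structure of the filter built in _M.bind (LDAP filter injection).  Each
-- special byte becomes a backslash followed by its two-digit hex code.
local filter_escapes = {
    ['\\'] = '\\5c',
    ['*'] = '\\2a',
    ['('] = '\\28',
    [')'] = '\\29',
    ['\0'] = '\\00',
};

local function escape_filter_value(value)
    -- '.' matches every byte of the subject (NUL included); bytes absent from
    -- the table are left as they are.
    return (value:gsub('.', filter_escapes));
end

-- XXX consider renaming this...it doesn't bind the current connection
function _M.bind(username, password)
    -- Verify a user's password in two steps: look up the user's DN with the
    -- service account (via _M.singlematch), then attempt a simple bind as
    -- that DN with the supplied password.  Returns true on success, or nil
    -- plus an error string.
    if type(username) ~= 'string' or username == '' then
        return nil, 'invalid username';
    end

    -- A simple bind with a DN and an empty password is an "unauthenticated"
    -- bind (RFC 4513 section 5.1.2).  Some directories accept it and grant
    -- anonymous access, which would make this function report success for
    -- any existing username.  Reject it here instead of relying on server
    -- policy.
    if type(password) ~= 'string' or password == '' then
        module:log('debug', '_M.bind - empty password for username = %s', username);
        return nil, 'empty password rejected';
    end

    -- The username is client-controlled: escape it before embedding it in
    -- the filter so it cannot alter the filter's structure.  The admin-
    -- configured user filter is AND-ed in as before.
    local filter = format('%s=%s', params.user.usernamefield, escape_filter_value(username));
    filter = _M.filter.combine_and(filter, params.user.filter);

    -- singlematch opens (and owns) the service connection for the lookup;
    -- the separate, unused getconnection() call that used to be here only
    -- opened a second connection that was never closed.
    local who = _M.singlematch {
        attrs = params.user.usernamefield,
        base = params.user.basedn,
        filter = filter,
    };

    if not who then
        module:log('debug', '_M.bind - no DN found for username = %s', username);
        return nil, format('no DN found for username = %s', username);
    end

    who = who.dn;
    module:log('debug', '_M.bind - who: %s', who);

    -- Simple bind as the user: this is where the password is actually
    -- checked.  Without params.use_tls it travels in clear text.
    local conn, err = ldap.open_simple(params.hostname, who, password, params.use_tls);

    if conn then
        conn:close();
        return true;
    end

    return conn, err;
end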
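function _M.singlematch(query)
    -- Run `query` (a lualdap search table: base, filter, attrs, ...) on a
    -- service connection and return the attribute table of the first entry
    -- found, with the entry's DN added under the key "dn".  Returns nil when
    -- nothing matched.  `query` is modified in place: the search is limited
    -- to one entry and widened to the whole subtree.  Filter values placed
    -- in `query.filter` by the caller must already be escaped.
    local ld = _M.getconnection();

    query.sizelimit = 1;
    query.scope = 'subtree';

    local match;
    for dn, attribs in ld:search(query) do
        attribs.dn = dn;
        match = attribs;
        break;
    end

    -- getconnection() opens a new connection on every call, and the original
    -- code returned from inside the loop without ever closing it, leaving the
    -- socket open until garbage collection on each lookup.  Release it here.
    -- (If getconnection() is later changed to hand out a shared persistent
    -- connection, this close must move with it.)
    ld:close();

    return match;
end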
_M.filter = {};

function _M.filter.combine_and(...)
    -- Join the given filter strings with LDAP's "&" operator, producing
    -- "(&<f1><f2>...)".  A piece that neither starts with '(' nor ends with
    -- ')' is wrapped in parentheses first; anything else is assumed to be
    -- parenthesised already and is used verbatim.  Pieces are neither
    -- escaped nor validated, so any client-supplied value inside them must
    -- have been escaped by the caller (see _M.bind).
    local wrapped = {};

    for index, piece in ipairs({ ... }) do
        local bare = piece:sub(1, 1) ~= '(' and piece:sub(-1) ~= ')';
        wrapped[index] = bare and ('(' .. piece .. ')') or piece;
    end

    return '(&' .. table.concat(wrapped, '') .. ')';
end
do
    -- Module initialisation: load lualdap, then make sure a config exists
    -- and passes validate_config().  Each failure path logs and leaves the
    -- file with a bare `return`, so the trailing `return _M` never runs and
    -- the importing module receives nil instead of a half-working library.

    -- The require is wrapped in unlock/lock as in the original; lualdap is
    -- presumably expected to touch globals while loading.
    prosody.unlock_globals();
    local loaded, lib_or_err = pcall(require, 'lualdap');
    prosody.lock_globals();
    -- on failure this is the error message, which the log line below prints
    ldap = lib_or_err;

    if not loaded then
        module:log("error", "Failed to load the LuaLDAP library for accessing LDAP: %s", ldap);
        module:log("error", "More information on install LuaLDAP can be found at http://www.keplerproject.org/lualdap");
        return;
    end

    if not params then
        module:log("error", "LDAP configuration required to use the LDAP storage module");
        return;
    end

    local valid, err = validate_config();

    if not valid then
        module:log("error", "LDAP configuration is invalid: %s", tostring(err));
        return;
    end
end
267 return _M;