Mercurial > prosody-modules
annotate mod_auth_ldap/mod_auth_ldap.lua @ 1273:1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Wed, 15 Jan 2014 14:35:27 +0100 |
parents | 3e5f8e844325 |
children | 4b15437d6c56 |
rev | line source |
---|---|
1273
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
1 -- mod_auth_ldap |
293
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
2 |
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
3 local new_sasl = require "util.sasl".new; |
1273
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
4 local lualdap = require "lualdap"; |
293
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
5 |
1273
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
6 -- Config options |
1162
8e3420d48508
mod_auth_ldap: Switch to type-specific get_option variants
Kim Alvefur <zash@zash.se>
parents:
902
diff
changeset
|
7 local ldap_server = module:get_option_string("ldap_server", "localhost"); |
8e3420d48508
mod_auth_ldap: Switch to type-specific get_option variants
Kim Alvefur <zash@zash.se>
parents:
902
diff
changeset
|
8 local ldap_rootdn = module:get_option_string("ldap_rootdn", ""); |
8e3420d48508
mod_auth_ldap: Switch to type-specific get_option variants
Kim Alvefur <zash@zash.se>
parents:
902
diff
changeset
|
9 local ldap_password = module:get_option_string("ldap_password", ""); |
8e3420d48508
mod_auth_ldap: Switch to type-specific get_option variants
Kim Alvefur <zash@zash.se>
parents:
902
diff
changeset
|
10 local ldap_tls = module:get_option_boolean("ldap_tls"); |
1163
52bee1247014
mod_auth_ldap: Add a configurable scope, defaulting to onelevel
Kim Alvefur <zash@zash.se>
parents:
1162
diff
changeset
|
11 local ldap_scope = module:get_option_string("ldap_scope", "onelevel"); |
1190
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
12 local ldap_filter = module:get_option_string("ldap_filter", "(uid=%s)"); |
1162
8e3420d48508
mod_auth_ldap: Switch to type-specific get_option variants
Kim Alvefur <zash@zash.se>
parents:
902
diff
changeset
|
13 local ldap_base = assert(module:get_option_string("ldap_base"), "ldap_base is a required option for ldap"); |
293
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
14 |
1273
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
15 -- Initiate connection |
293
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
16 local ld = assert(lualdap.open_simple(ldap_server, ldap_rootdn, ldap_password, ldap_tls)); |
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
17 module.unload = function() ld:close(); end |
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
18 |
1190
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
19 local function ldap_filter_escape(s) return (s:gsub("[\\*\\(\\)\\\\%z]", function(c) return ("\\%02x"):format(c:byte()) end)); end |
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
20 |
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
21 local function get_user(username) |
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
22 module:log("debug", "get_user(%q)", username); |
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
23 return ld:search({ |
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
24 base = ldap_base; |
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
25 scope = ldap_scope; |
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
26 filter = ldap_filter:format(ldap_filter_escape(username)); |
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
27 })(); |
293
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
28 end |
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
29 |
814
881ec9919144
mod_auth_*: Use module:provides(), and don't explicitly specify provider.name.
Waqas Hussain <waqas20@gmail.com>
parents:
342
diff
changeset
|
30 local provider = {}; |
293
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
31 |
1273
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
32 function provider.create_user(username, password) |
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
33 return nil, "Account creation not available with LDAP."; |
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
34 end |
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
35 |
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
36 function provider.user_exists(username) |
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
37 return not not get_user(username); |
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
38 end |
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
39 |
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
40 function provider.set_password(username, password) |
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
41 local dn, attr = get_user(username); |
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
42 if not dn then return nil, attr end |
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
43 if attr.userPassword == password then return true end |
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
44 return ld:modify(dn, { '=', userPassword = password })(); |
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
45 end |
1190
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
46 function provider.get_password(username) |
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
47 local dn, attr = get_user(username); |
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
48 if dn and attr then |
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
49 return attr.userPassword; |
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
50 end |
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
51 end |
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
52 |
293
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
53 function provider.test_password(username, password) |
1190
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
54 return provider.get_password(username) == password; |
293
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
55 end |
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
56 |
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
57 function provider.get_sasl_handler() |
1190
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
58 return new_sasl(module.host, { |
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
59 plain = function(sasl, username) |
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
60 local password = provider.get_password(username); |
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
61 if not password then return "", nil; end |
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
62 return password, true; |
293
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
63 end |
1190
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
64 }); |
293
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
65 end |
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
66 |
814
881ec9919144
mod_auth_*: Use module:provides(), and don't explicitly specify provider.name.
Waqas Hussain <waqas20@gmail.com>
parents:
342
diff
changeset
|
67 module:provides("auth", provider); |