809
+ − 1 -- vim:sts=4 sw=4
+ − 2
+ − 3 -- Prosody IM
+ − 4 -- Copyright (C) 2008-2010 Matthew Wild
+ − 5 -- Copyright (C) 2008-2010 Waqas Hussain
+ − 6 -- Copyright (C) 2012 Rob Hoelz
+ − 7 --
+ − 8 -- This project is MIT/X11 licensed. Please see the
+ − 9 -- COPYING file in the source package for more information.
+ − 10 --
+ − 11
+ − 12 local ldap ;
+ − 13 local connection ;
+ − 14 local params = module : get_option ( "ldap" );
+ − 15 local format = string.format ;
+ − 16 local tconcat = table.concat ;
+ − 17
+ − 18 local _M = {};
+ − 19
+ − 20 local config_params = {
+ − 21 hostname = 'string' ,
+ − 22 user = {
+ − 23 basedn = 'string' ,
+ − 24 namefield = 'string' ,
+ − 25 filter = 'string' ,
+ − 26 usernamefield = 'string' ,
+ − 27 },
+ − 28 groups = {
+ − 29 basedn = 'string' ,
+ − 30 namefield = 'string' ,
+ − 31 memberfield = 'string' ,
+ − 32
+ − 33 _member = {
+ − 34 name = 'string' ,
+ − 35 admin = 'boolean?' ,
+ − 36 },
+ − 37 },
+ − 38 admin = {
+ − 39 _optional = true ,
+ − 40 basedn = 'string' ,
+ − 41 namefield = 'string' ,
+ − 42 filter = 'string' ,
+ − 43 }
+ − 44 }
+ − 45
+ − 46 local function run_validation ( params , config , prefix )
+ − 47 prefix = prefix or '' ;
+ − 48
+ − 49 -- verify that every required member of config is present in params
+ − 50 for k , v in pairs ( config ) do
+ − 51 if type ( k ) == 'string' and k : sub ( 1 , 1 ) ~= '_' then
+ − 52 local is_optional ;
+ − 53 if type ( v ) == 'table' then
+ − 54 is_optional = v . _optional ;
+ − 55 else
+ − 56 is_optional = v : sub ( - 1 ) == '?' ;
+ − 57 end
+ − 58
+ − 59 if not is_optional and params [ k ] == nil then
+ − 60 return nil , prefix .. k .. ' is required' ;
+ − 61 end
+ − 62 end
+ − 63 end
+ − 64
+ − 65 for k , v in pairs ( params ) do
+ − 66 local expected_type = config [ k ];
+ − 67
+ − 68 local ok , err = true ;
+ − 69
+ − 70 if type ( k ) == 'string' then
+ − 71 -- verify that this key is present in config
+ − 72 if k : sub ( 1 , 1 ) == '_' or expected_type == nil then
+ − 73 return nil , 'invalid parameter ' .. prefix .. k ;
+ − 74 end
+ − 75
+ − 76 -- type validation
+ − 77 if type ( expected_type ) == 'string' then
+ − 78 if expected_type : sub ( - 1 ) == '?' then
+ − 79 expected_type = expected_type : sub ( 1 , - 2 );
+ − 80 end
+ − 81
+ − 82 if type ( v ) ~= expected_type then
+ − 83 return nil , 'invalid type for parameter ' .. prefix .. k ;
+ − 84 end
+ − 85 else -- it's a table (or had better be)
+ − 86 if type ( v ) ~= 'table' then
+ − 87 return nil , 'invalid type for parameter ' .. prefix .. k ;
+ − 88 end
+ − 89
+ − 90 -- recurse into child
+ − 91 ok , err = run_validation ( v , expected_type , prefix .. k .. '.' );
+ − 92 end
+ − 93 else -- it's an integer (or had better be)
+ − 94 if not config . _member then
+ − 95 return nil , 'invalid parameter ' .. prefix .. tostring ( k );
+ − 96 end
+ − 97 ok , err = run_validation ( v , config . _member , prefix .. tostring ( k ) .. '.' );
+ − 98 end
+ − 99
+ − 100 if not ok then
+ − 101 return ok , err ;
+ − 102 end
+ − 103 end
+ − 104
+ − 105 return true ;
+ − 106 end
+ − 107
+ − 108 local function validate_config ()
+ − 109 if true then
+ − 110 return true ; -- XXX for now
+ − 111 end
+ − 112
+ − 113 -- this is almost too clever (I mean that in a bad
+ − 114 -- maintainability sort of way)
+ − 115 --
+ − 116 -- basically this allows a free pass for a key in group members
+ − 117 -- equal to params.groups.namefield
+ − 118 setmetatable ( config_params . groups . _member , {
+ − 119 __index = function ( _ , k )
+ − 120 if k == params . groups . namefield then
+ − 121 return 'string' ;
+ − 122 end
+ − 123 end
+ − 124 });
+ − 125
+ − 126 local ok , err = run_validation ( params , config_params );
+ − 127
+ − 128 setmetatable ( config_params . groups . _member , nil );
+ − 129
+ − 130 if ok then
+ − 131 -- a little extra validation that doesn't fit into
+ − 132 -- my recursive checker
+ − 133 local group_namefield = params . groups . namefield ;
+ − 134 for i , group in ipairs ( params . groups ) do
+ − 135 if not group [ group_namefield ] then
+ − 136 return nil , format ( 'groups.%d.%s is required' , i , group_namefield );
+ − 137 end
+ − 138 end
+ − 139
+ − 140 -- fill in params.admin if you can
+ − 141 if not params . admin and params . groups then
+ − 142 local admingroup ;
+ − 143
+ − 144 for _ , groupconfig in ipairs ( params . groups ) do
+ − 145 if groupconfig . admin then
+ − 146 admingroup = groupconfig ;
+ − 147 break ;
+ − 148 end
+ − 149 end
+ − 150
+ − 151 if admingroup then
+ − 152 params . admin = {
+ − 153 basedn = params . groups . basedn ,
+ − 154 namefield = params . groups . memberfield ,
+ − 155 filter = group_namefield .. '=' .. admingroup [ group_namefield ],
+ − 156 };
+ − 157 end
+ − 158 end
+ − 159 end
+ − 160
+ − 161 return ok , err ;
+ − 162 end
+ − 163
+ − 164 -- what to do if connection isn't available?
+ − 165 local function connect ()
+ − 166 return ldap . open_simple ( params . hostname , params . bind_dn , params . bind_password , params . use_tls );
+ − 167 end
+ − 168
+ − 169 -- this is abstracted so we can maintain persistent connections at a later time
+ − 170 function _M . getconnection ()
+ − 171 return connect ();
+ − 172 end
+ − 173
+ − 174 function _M . getparams ()
+ − 175 return params ;
+ − 176 end
+ − 177
+ − 178 -- XXX consider renaming this...it doesn't bind the current connection
+ − 179 function _M . bind ( username , password )
+ − 180 local who = format ( '%s=%s,%s' , params . user . usernamefield , username , params . user . basedn );
+ − 181 local conn , err = ldap . open_simple ( params . hostname , who , password , params . use_tls );
+ − 182
+ − 183 if conn then
+ − 184 conn : close ();
+ − 185 return true ;
+ − 186 end
+ − 187
+ − 188 return conn , err ;
+ − 189 end
+ − 190
+ − 191 function _M . singlematch ( query )
+ − 192 local ld = _M . getconnection ();
+ − 193
+ − 194 query . sizelimit = 1 ;
+ − 195 query . scope = 'onelevel' ;
+ − 196
+ − 197 for dn , attribs in ld : search ( query ) do
+ − 198 return attribs ;
+ − 199 end
+ − 200 end
+ − 201
+ − 202 _M . filter = {};
+ − 203
+ − 204 function _M . filter . combine_and (...)
+ − 205 local parts = { '(&' };
+ − 206
+ − 207 local arg = { ... };
+ − 208
+ − 209 for _ , filter in ipairs ( arg ) do
+ − 210 if filter : sub ( 1 , 1 ) ~= '(' and filter : sub ( - 1 ) ~= ')' then
+ − 211 filter = '(' .. filter .. ')'
+ − 212 end
+ − 213 parts [ # parts + 1 ] = filter ;
+ − 214 end
+ − 215
+ − 216 parts [ # parts + 1 ] = ')' ;
+ − 217
+ − 218 return tconcat ( parts , '' );
+ − 219 end
+ − 220
+ − 221 do
+ − 222 local ok , err ;
+ − 223
+ − 224 prosody . unlock_globals ();
+ − 225 ok , ldap = pcall ( require , 'lualdap' );
+ − 226 prosody . lock_globals ();
+ − 227 if not ok then
+ − 228 module : log ( "error" , "Failed to load the LuaLDAP library for accessing LDAP: %s" , ldap );
+ − 229 module : log ( "error" , "More information on install LuaLDAP can be found at http://www.keplerproject.org/lualdap" );
+ − 230 return ;
+ − 231 end
+ − 232
+ − 233 if not params then
+ − 234 module : log ( "error" , "LDAP configuration required to use the LDAP storage module" );
+ − 235 return ;
+ − 236 end
+ − 237
+ − 238 ok , err = validate_config ();
+ − 239
+ − 240 if not ok then
+ − 241 module : log ( "error" , "LDAP configuration is invalid: %s" , tostring ( err ));
+ − 242 return ;
+ − 243 end
+ − 244 end
+ − 245
+ − 246 return _M ;
