annotate mod_auth_ldap/mod_auth_ldap.lua @ 1200:34216cdffda6

mod_auth_imap: unfortunately large commit which adds support for SSL (including cert verification), appending the realm to usernames, and various IMAP protocol fixes
author Matthew Wild <mwild1@gmail.com>
date Thu, 26 Sep 2013 18:14:45 +0100
parents db4085433e5f
children 3e5f8e844325
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
293
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
1
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
2 local new_sasl = require "util.sasl".new;
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
3 local log = require "util.logger".init("auth_ldap");
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
4
1162
8e3420d48508 mod_auth_ldap: Switch to type-specific get_option variants
Kim Alvefur <zash@zash.se>
parents: 902
diff changeset
5 local ldap_server = module:get_option_string("ldap_server", "localhost");
8e3420d48508 mod_auth_ldap: Switch to type-specific get_option variants
Kim Alvefur <zash@zash.se>
parents: 902
diff changeset
6 local ldap_rootdn = module:get_option_string("ldap_rootdn", "");
8e3420d48508 mod_auth_ldap: Switch to type-specific get_option variants
Kim Alvefur <zash@zash.se>
parents: 902
diff changeset
7 local ldap_password = module:get_option_string("ldap_password", "");
8e3420d48508 mod_auth_ldap: Switch to type-specific get_option variants
Kim Alvefur <zash@zash.se>
parents: 902
diff changeset
8 local ldap_tls = module:get_option_boolean("ldap_tls");
1163
52bee1247014 mod_auth_ldap: Add a configurable scope, defaulting to onelevel
Kim Alvefur <zash@zash.se>
parents: 1162
diff changeset
9 local ldap_scope = module:get_option_string("ldap_scope", "onelevel");
1190
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
10 local ldap_filter = module:get_option_string("ldap_filter", "(uid=%s)");
1162
8e3420d48508 mod_auth_ldap: Switch to type-specific get_option variants
Kim Alvefur <zash@zash.se>
parents: 902
diff changeset
11 local ldap_base = assert(module:get_option_string("ldap_base"), "ldap_base is a required option for ldap");
293
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
12
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
13 local lualdap = require "lualdap";
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
14 local ld = assert(lualdap.open_simple(ldap_server, ldap_rootdn, ldap_password, ldap_tls));
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
15 module.unload = function() ld:close(); end
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
16
1190
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
17 local function ldap_filter_escape(s) return (s:gsub("[\\*\\(\\)\\\\%z]", function(c) return ("\\%02x"):format(c:byte()) end)); end
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
18
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
19 local function get_user(username)
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
20 module:log("debug", "get_user(%q)", username);
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
21 return ld:search({
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
22 base = ldap_base;
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
23 scope = ldap_scope;
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
24 filter = ldap_filter:format(ldap_filter_escape(username));
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
25 })();
293
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
26 end
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
27
814
881ec9919144 mod_auth_*: Use module:provides(), and don't explicitly specify provider.name.
Waqas Hussain <waqas20@gmail.com>
parents: 342
diff changeset
28 local provider = {};
293
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
29
1190
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
30 function provider.get_password(username)
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
31 local dn, attr = get_user(username);
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
32 if dn and attr then
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
33 return attr.userPassword;
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
34 end
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
35 end
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
36
293
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
37 function provider.test_password(username, password)
1190
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
38 return provider.get_password(username) == password;
293
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
39 end
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
40 function provider.user_exists(username)
1190
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
41 return not not get_user(username);
293
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
42 end
1192
db4085433e5f mod_auth_ldap: Implement password change
Kim Alvefur <zash@zash.se>
parents: 1190
diff changeset
43 function provider.set_password(username, password)
db4085433e5f mod_auth_ldap: Implement password change
Kim Alvefur <zash@zash.se>
parents: 1190
diff changeset
44 local dn, attr = get_user(username);
db4085433e5f mod_auth_ldap: Implement password change
Kim Alvefur <zash@zash.se>
parents: 1190
diff changeset
45 if not dn then return nil, attr end
db4085433e5f mod_auth_ldap: Implement password change
Kim Alvefur <zash@zash.se>
parents: 1190
diff changeset
46 if attr.password ~= password then
db4085433e5f mod_auth_ldap: Implement password change
Kim Alvefur <zash@zash.se>
parents: 1190
diff changeset
47 ld:modify(dn, { '=', userPassword = password });
db4085433e5f mod_auth_ldap: Implement password change
Kim Alvefur <zash@zash.se>
parents: 1190
diff changeset
48 end
db4085433e5f mod_auth_ldap: Implement password change
Kim Alvefur <zash@zash.se>
parents: 1190
diff changeset
49 return true
db4085433e5f mod_auth_ldap: Implement password change
Kim Alvefur <zash@zash.se>
parents: 1190
diff changeset
50 end
db4085433e5f mod_auth_ldap: Implement password change
Kim Alvefur <zash@zash.se>
parents: 1190
diff changeset
51 function provider.create_user(username, password) return nil, "Account creation not available with LDAP."; end
293
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
52
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
53 function provider.get_sasl_handler()
1190
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
54 return new_sasl(module.host, {
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
55 plain = function(sasl, username)
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
56 local password = provider.get_password(username);
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
57 if not password then return "", nil; end
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
58 return password, true;
293
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
59 end
1190
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
60 });
293
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
61 end
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
62
814
881ec9919144 mod_auth_*: Use module:provides(), and don't explicitly specify provider.name.
Waqas Hussain <waqas20@gmail.com>
parents: 342
diff changeset
63 module:provides("auth", provider);