annotate mod_lib_ldap/ldap.lib.lua @ 5256:44f7edd4f845

mod_http_oauth2: Reject non-local hosts in more code paths. We're not issuing tokens for users on remote hosts; we can't even authenticate them, since they're remote. Thus the host is always the local module.host, so there is no need to pass the host around in most cases or to use it for anything but enforcing that it is the same host.
author Kim Alvefur <zash@zash.se>
date Thu, 16 Mar 2023 17:52:10 +0100
parents 66b3085ecc49
children
1 -- vim:sts=4 sw=4
3 -- Prosody IM
4 -- Copyright (C) 2008-2010 Matthew Wild
5 -- Copyright (C) 2008-2010 Waqas Hussain
6 -- Copyright (C) 2012 Rob Hoelz
7 --
8 -- This project is MIT/X11 licensed. Please see the
9 -- COPYING file in the source package for more information.
10 --
-- LuaLDAP library handle; assigned by the initialisation block at the end of
-- this file (it stays nil if the library cannot be loaded).
local ldap;
-- NOTE(review): `connection` is declared here but never assigned or read
-- anywhere in this file.
local connection;
-- The `ldap` option table from the Prosody configuration.
local params = module:get_option("ldap");
local format, tconcat = string.format, table.concat;

-- Library table handed to callers; functions are attached below.
local _M = {};
-- Schema for the `ldap` config option, consumed by run_validation():
-- a leaf is a type name (a trailing '?' marks it optional), a nested table is
-- a sub-schema, `_optional = true` marks a sub-table optional, and `_member`
-- is the schema applied to every array element of that table.
local config_params = {
	hostname = 'string',
	-- where and how to find user entries
	user = {
		basedn = 'string', namefield = 'string',
		filter = 'string', usernamefield = 'string',
	},
	-- group entries; the array part lists the configured groups
	groups = {
		basedn = 'string', namefield = 'string', memberfield = 'string',
		_member = { name = 'string', admin = 'boolean?' },
	},
	-- optional; validate_config() contains code to derive it from the first
	-- group flagged `admin`
	admin = {
		_optional = true,
		basedn = 'string', namefield = 'string', filter = 'string',
	},
};
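-- Check `params` against the schema table `config`.
--
-- `config` maps each allowed key to either a type name ('string',
-- 'boolean', ...; a trailing '?' marks the key optional) or a nested schema
-- table. Keys beginning with '_' are schema metadata, never user-facing keys:
-- `_optional = true` marks a nested table optional and `_member` gives the
-- schema applied to every array element (integer key) of the table.
-- `prefix` is the dotted path prepended to key names in messages when
-- recursing; callers omit it.
--
-- Returns true when every required key is present, no unknown key is set and
-- every value has the expected type; otherwise nil plus a message naming the
-- offending key (e.g. "user.basedn is required").
local function run_validation(params, config, prefix)
	prefix = prefix or '';

	-- verify that every required member of config is present in params
	for k, v in pairs(config) do
		if type(k) == 'string' and k:sub(1, 1) ~= '_' then
			local is_optional;
			if type(v) == 'table' then
				is_optional = v._optional;
			else
				is_optional = v:sub(-1) == '?';
			end

			if not is_optional and params[k] == nil then
				return nil, prefix .. k .. ' is required';
			end
		end
	end

	for k, v in pairs(params) do
		local expected_type = config[k];

		local ok, err = true;

		if type(k) == 'string' then
			-- verify that this key is present in config; '_' keys are reserved
			-- for schema metadata and may not be supplied in params
			if k:sub(1, 1) == '_' or expected_type == nil then
				return nil, 'invalid parameter ' .. prefix .. k;
			end

			-- type validation
			if type(expected_type) == 'string' then
				if expected_type:sub(-1) == '?' then
					expected_type = expected_type:sub(1, -2);
				end

				if type(v) ~= expected_type then
					return nil, 'invalid type for parameter ' .. prefix .. k;
				end
			else -- it's a table (or had better be)
				if type(v) ~= 'table' then
					return nil, 'invalid type for parameter ' .. prefix .. k;
				end

				-- recurse into child
				ok, err = run_validation(v, expected_type, prefix .. k .. '.');
			end
		else -- it's an integer (or had better be)
			if not config._member then
				return nil, 'invalid parameter ' .. prefix .. tostring(k);
			end

			-- an array element must itself be a table; otherwise the recursive
			-- call would hand a non-table to pairs() and raise instead of
			-- reporting a clean validation error
			if type(v) ~= 'table' then
				return nil, 'invalid type for parameter ' .. prefix .. tostring(k);
			end

			ok, err = run_validation(v, config._member, prefix .. tostring(k) .. '.');
		end

		if not ok then
			return ok, err;
		end
	end

	return true;
end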
-- Validate the `ldap` option table (the file-level `params`) against
-- config_params and fill in params.admin from the groups if possible.
-- Returns true, or nil plus a message naming the offending key.
--
-- NOTE: the `if true then return true end` guard below disables the whole
-- function, so at present every configuration is accepted unvalidated; the
-- code after it is currently unreachable.
local function validate_config()
	if true then
		return true; -- XXX for now
	end

	-- this is almost too clever (I mean that in a bad
	-- maintainability sort of way)
	--
	-- basically this allows a free pass for a key in group members
	-- equal to params.groups.namefield
	setmetatable(config_params.groups._member, {
		__index = function(_, k)
			if k == params.groups.namefield then
				return 'string';
			end
		end
	});

	local ok, err = run_validation(params, config_params);

	-- remove the temporary metatable again so config_params is a plain table
	setmetatable(config_params.groups._member, nil);

	if ok then
		-- a little extra validation that doesn't fit into
		-- my recursive checker
		local group_namefield = params.groups.namefield;
		for i, group in ipairs(params.groups) do
			if not group[group_namefield] then
				return nil, format('groups.%d.%s is required', i, group_namefield);
			end
		end

		-- fill in params.admin if you can
		if not params.admin and params.groups then
			local admingroup;

			-- the first group flagged `admin` is used
			for _, groupconfig in ipairs(params.groups) do
				if groupconfig.admin then
					admingroup = groupconfig;
					break;
				end
			end

			if admingroup then
				-- the derived filter is assembled from configuration values
				-- only, not from anything supplied at runtime
				params.admin = {
					basedn = params.groups.basedn,
					namefield = params.groups.memberfield,
					filter = group_namefield .. '=' .. admingroup[group_namefield],
				};
			end
		end
	end

	return ok, err;
end
164 -- what to do if connection isn't available?
-- Open a fresh connection to the directory, bound as the configured service
-- account (params.bind_dn / params.bind_password).
-- Returns the lualdap connection, or nil plus an error message.
--
-- NOTE(review): bind_dn, bind_password and use_tls are read here but are not
-- listed in config_params, so run_validation() would reject them as
-- "invalid parameter" once validate_config() is actually enabled.
-- NOTE(review): when params.use_tls is unset the bind is made without TLS;
-- confirm that is intended for the deployment.
local function connect()
	local cfg = params;
	return ldap.open_simple(cfg.hostname, cfg.bind_dn, cfg.bind_password, cfg.use_tls);
end
169 -- this is abstracted so we can maintain persistent connections at a later time
-- Return a connection bound as the service account.
-- Raises (via assert) with the error message from connect() when the
-- directory cannot be reached or the service bind fails, so callers do not
-- have to check for nil. Every call opens a new connection.
function _M.getconnection()
	local conn, err = connect();
	return assert(conn, err);
end
-- Expose the raw `ldap` option table to sibling modules.
-- The table is shared, not copied, so callers see (and could make) changes.
function _M.getparams()
	local cfg = params;
	return cfg;
end
178 -- XXX consider renaming this...it doesn't bind the current connection
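-- Escape one attribute value for inclusion in an LDAP search filter
-- (RFC 4515 section 3): '*', '(', ')', '\' and NUL become their \XX hex
-- form, so a caller-supplied username cannot change the structure of the
-- filter. Uses a byte-wise gsub rather than a character class so it behaves
-- the same on every Lua version (patterns with embedded NUL differ by version).
local filter_escape_map = {
	['*'] = '\\2a', ['('] = '\\28', [')'] = '\\29', ['\\'] = '\\5c', ['\0'] = '\\00',
};
local function escape_filter_value(value)
	return (tostring(value):gsub('.', filter_escape_map));
end

-- XXX consider renaming this...it doesn't bind the current connection
--
-- Authenticate `username`/`password` against the directory: look the user's
-- DN up with a search restricted by params.user.filter, then attempt a simple
-- bind as that DN with the supplied password.
-- Returns true on success, or nil plus an error message when the user is not
-- found, the credentials are rejected, or either argument is empty.
function _M.bind(username, password)
	-- An empty or missing password would be sent as an anonymous simple bind
	-- (RFC 4513 section 5.1.2), which servers commonly accept; that must never
	-- count as a successful login for the user.
	if username == nil or username == '' or password == nil or password == '' then
		return nil, 'username and password are required';
	end

	-- the username comes from the client, so it is escaped before being
	-- spliced into the filter; params.user.filter is trusted configuration
	local filter = format('%s=%s', params.user.usernamefield, escape_filter_value(username));
	filter = _M.filter.combine_and(filter, params.user.filter);

	local who = _M.singlematch {
		attrs = params.user.usernamefield,
		base = params.user.basedn,
		filter = filter,
	};

	if who then
		who = who.dn;
		module:log('debug', '_M.bind - who: %s', who);
	else
		module:log('debug', '_M.bind - no DN found for username = %s', username);
		return nil, format('no DN found for username = %s', username);
	end

	-- Bind as the user; the connection only serves to verify the credentials
	-- and is closed straight away.
	local conn, err = ldap.open_simple(params.hostname, who, password, params.use_tls);

	if conn then
		conn:close();
		return true;
	end

	return conn, err;
end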
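-- Run `query` (a lualdap search table: base, filter, attrs, ...) and return
-- the first matching entry as its attribute table, with the entry's DN stored
-- under the key `dn`. Returns nil when nothing matched.
--
-- `query` is mutated: sizelimit and scope are overwritten, so callers should
-- not rely on their own values for those fields surviving the call.
function _M.singlematch(query)
	local ld = _M.getconnection();

	query.sizelimit = 1;
	query.scope = 'subtree';

	local result;
	for dn, attribs in ld:search(query) do
		attribs.dn = dn;
		result = attribs;
		break;
	end

	-- getconnection() opens a new connection on every call; release it here
	-- rather than leaving it to the garbage collector to unbind.
	ld:close();
	return result;
end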
-- Filter-building helpers.
_M.filter = {};

-- Combine any number of LDAP filter strings with the '&' operator, e.g.
-- combine_and('uid=x', '(objectClass=person)') -> '(&(uid=x)(objectClass=person))'.
-- A term that neither starts with '(' nor ends with ')' is wrapped in
-- parentheses first; terms are read with ipairs, so a nil argument ends the
-- list. No escaping is done here — values must already be filter-safe.
function _M.filter.combine_and(...)
	local out = '(&';
	for _, term in ipairs({ ... }) do
		local bare = term:sub(1, 1) ~= '(' and term:sub(-1) ~= ')';
		out = out .. (bare and ('(' .. term .. ')') or term);
	end
	return out .. ')';
end
-- One-time initialisation: load LuaLDAP and check the configuration.
-- Each failure path logs and returns from the chunk, so a broken setup yields
-- no library table at all rather than a half-working one (fails closed).
do
	-- globals are locked while this file runs; presumably require() needs
	-- them unlocked, so the call is bracketed by unlock/lock
	prosody.unlock_globals();
	local loaded;
	loaded, ldap = pcall(require, 'lualdap');
	prosody.lock_globals();

	if not loaded then
		-- on failure pcall leaves the error message, not a library, in `ldap`
		module:log("error", "Failed to load the LuaLDAP library for accessing LDAP: %s", ldap);
		module:log("error", "More information on install LuaLDAP can be found at http://www.keplerproject.org/lualdap");
		return;
	end

	if not params then
		module:log("error", "LDAP configuration required to use the LDAP storage module");
		return;
	end

	-- NOTE: validate_config() currently short-circuits to true, so this check
	-- is a no-op until that function is finished.
	local valid, err = validate_config();
	if not valid then
		module:log("error", "LDAP configuration is invalid: %s", tostring(err));
		return;
	end
end
-- Hand the library table back to whoever loads this file (only reached when
-- the initialisation block above did not bail out).
return _M;