Mercurial > prosody-modules
annotate mod_auth_ldap/mod_auth_ldap.lua @ 1268:854a3933cfcd
mod_muc_log_http: URL-encode room names. This allows special characters in room names to work. Ideally this escaping shouldn’t be done in the user visible content, but the module’s template system doesn’t currently allow that.
| author | Waqas Hussain <waqas20@gmail.com> |
|---|---|
| date | Sat, 04 Jan 2014 16:50:57 -0500 |
| parents | 3e5f8e844325 |
| children | 1b543060f31e |
| rev | line source |
|---|---|
|
293
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
1 |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
2 local new_sasl = require "util.sasl".new; |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
3 local log = require "util.logger".init("auth_ldap"); |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
4 |
|
1162
8e3420d48508
mod_auth_ldap: Switch to type-specific get_option variants
Kim Alvefur <zash@zash.se>
parents:
902
diff
changeset
|
5 local ldap_server = module:get_option_string("ldap_server", "localhost"); |
|
8e3420d48508
mod_auth_ldap: Switch to type-specific get_option variants
Kim Alvefur <zash@zash.se>
parents:
902
diff
changeset
|
6 local ldap_rootdn = module:get_option_string("ldap_rootdn", ""); |
|
8e3420d48508
mod_auth_ldap: Switch to type-specific get_option variants
Kim Alvefur <zash@zash.se>
parents:
902
diff
changeset
|
7 local ldap_password = module:get_option_string("ldap_password", ""); |
|
8e3420d48508
mod_auth_ldap: Switch to type-specific get_option variants
Kim Alvefur <zash@zash.se>
parents:
902
diff
changeset
|
8 local ldap_tls = module:get_option_boolean("ldap_tls"); |
|
1163
52bee1247014
mod_auth_ldap: Add a configurable scope, defaulting to onelevel
Kim Alvefur <zash@zash.se>
parents:
1162
diff
changeset
|
9 local ldap_scope = module:get_option_string("ldap_scope", "onelevel"); |
|
1190
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
10 local ldap_filter = module:get_option_string("ldap_filter", "(uid=%s)"); |
|
1162
8e3420d48508
mod_auth_ldap: Switch to type-specific get_option variants
Kim Alvefur <zash@zash.se>
parents:
902
diff
changeset
|
11 local ldap_base = assert(module:get_option_string("ldap_base"), "ldap_base is a required option for ldap"); |
|
293
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
12 |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
13 local lualdap = require "lualdap"; |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
14 local ld = assert(lualdap.open_simple(ldap_server, ldap_rootdn, ldap_password, ldap_tls)); |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
15 module.unload = function() ld:close(); end |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
16 |
|
1190
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
17 local function ldap_filter_escape(s) return (s:gsub("[\\*\\(\\)\\\\%z]", function(c) return ("\\%02x"):format(c:byte()) end)); end |
|
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
18 |
|
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
19 local function get_user(username) |
|
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
20 module:log("debug", "get_user(%q)", username); |
|
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
21 return ld:search({ |
|
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
22 base = ldap_base; |
|
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
23 scope = ldap_scope; |
|
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
24 filter = ldap_filter:format(ldap_filter_escape(username)); |
|
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
25 })(); |
|
293
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
26 end |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
27 |
|
814
881ec9919144
mod_auth_*: Use module:provides(), and don't explicitly specify provider.name.
Waqas Hussain <waqas20@gmail.com>
parents:
342
diff
changeset
|
28 local provider = {}; |
|
293
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
29 |
|
1190
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
30 function provider.get_password(username) |
|
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
31 local dn, attr = get_user(username); |
|
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
32 if dn and attr then |
|
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
33 return attr.userPassword; |
|
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
34 end |
|
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
35 end |
|
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
36 |
|
293
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
37 function provider.test_password(username, password) |
|
1190
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
38 return provider.get_password(username) == password; |
|
293
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
39 end |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
40 function provider.user_exists(username) |
|
1190
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
41 return not not get_user(username); |
|
293
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
42 end |
|
1192
db4085433e5f
mod_auth_ldap: Implement password change
Kim Alvefur <zash@zash.se>
parents:
1190
diff
changeset
|
43 function provider.set_password(username, password) |
|
db4085433e5f
mod_auth_ldap: Implement password change
Kim Alvefur <zash@zash.se>
parents:
1190
diff
changeset
|
44 local dn, attr = get_user(username); |
|
db4085433e5f
mod_auth_ldap: Implement password change
Kim Alvefur <zash@zash.se>
parents:
1190
diff
changeset
|
45 if not dn then return nil, attr end |
|
1221
3e5f8e844325
mod_auth_ldap: Fix set_password
Kim Alvefur <zash@zash.se>
parents:
1192
diff
changeset
|
46 if attr.userPassword == password then return true end |
|
3e5f8e844325
mod_auth_ldap: Fix set_password
Kim Alvefur <zash@zash.se>
parents:
1192
diff
changeset
|
47 return ld:modify(dn, { '=', userPassword = password })(); |
|
1192
db4085433e5f
mod_auth_ldap: Implement password change
Kim Alvefur <zash@zash.se>
parents:
1190
diff
changeset
|
48 end |
|
db4085433e5f
mod_auth_ldap: Implement password change
Kim Alvefur <zash@zash.se>
parents:
1190
diff
changeset
|
49 function provider.create_user(username, password) return nil, "Account creation not available with LDAP."; end |
|
293
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
50 |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
51 function provider.get_sasl_handler() |
|
1190
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
52 return new_sasl(module.host, { |
|
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
53 plain = function(sasl, username) |
|
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
54 local password = provider.get_password(username); |
|
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
55 if not password then return "", nil; end |
|
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
56 return password, true; |
|
293
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
57 end |
|
1190
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
58 }); |
|
293
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
59 end |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
60 |
|
814
881ec9919144
mod_auth_*: Use module:provides(), and don't explicitly specify provider.name.
Waqas Hussain <waqas20@gmail.com>
parents:
342
diff
changeset
|
61 module:provides("auth", provider); |