annotate mod_auth_ldap/mod_auth_ldap.lua @ 3503:882180b459a0
mod_pubsub_post: Restructure authentication and authorization (BC)
This deprecates the default "superuser" actor model and makes the
default equivalent to the previous "request.id".
A single actor and secret per node is supported because HTTP and
WebHooks don't normally include any authorization identity.
Allowing authentication to be skipped when no secret is configured should be
relatively safe as long as the actor is unprivileged, which it will be unless
explicitly configured otherwise.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sat, 30 Mar 2019 21:16:13 +0100 |
parents | 3af2da030397 |
children | 7344513ee160 |
-- mod_auth_ldap: LDAP-backed authentication provider for Prosody (uses lualdap)
local jid_split = require "util.jid".split; -- first return value is the localpart, used as the LDAP username below
local new_sasl = require "util.sasl".new;   -- builds a SASL handler from a profile table (see get_sasl_handler)
local lualdap = require "lualdap";          -- LDAP client binding: open_simple(), connection:search()/modify()/close()
--- Escape a value for safe interpolation into an LDAP search filter.
-- The characters `*`, `(`, `)`, `\` and NUL are the ones RFC 4515 treats
-- specially; each is replaced by `\` followed by its two-digit lower-case hex
-- code. Every other byte passes through unchanged. This is what keeps a
-- client-supplied username from rewriting the filter (LDAP injection).
-- @param s string: raw value, e.g. a username from the client
-- @return string: the escaped value
local function ldap_filter_escape(s)
	local function hex_escape(ch)
		return string.format("\\%02x", string.byte(ch));
	end
	local escaped = s:gsub("[*()\\%z]", hex_escape);
	return escaped;
end
-- Config options
-- Directory server to connect to (passed straight to lualdap.open_simple).
local ldap_server = module:get_option_string("ldap_server", "localhost");
-- Service account used for user lookups and for set_password(). Both default
-- to "" (presumably an anonymous bind); the password lives in the Prosody
-- config file in clear, so protect that file accordingly.
local ldap_rootdn = module:get_option_string("ldap_rootdn", "");
local ldap_password = module:get_option_string("ldap_password", "");
-- Passed as the usetls flag to open_simple for every connection this module
-- opens, including the per-user binds in "bind" mode. It is unset by default:
-- unless the server is local or ldap_server already names a TLS endpoint, the
-- service credentials and user passwords cross the network unencrypted —
-- confirm against your deployment.
local ldap_tls = module:get_option_boolean("ldap_tls");
local ldap_scope = module:get_option_string("ldap_scope", "subtree");
-- User lookup filter; "$user" and "$host" are substituted in get_user(). A
-- legacy "%s" placeholder is rewritten to "$user" (first occurrence only).
-- The filter should identify exactly one entry: only the first result is used.
local ldap_filter = module:get_option_string("ldap_filter", "(uid=$user)"):gsub("%%s", "$user", 1);
local ldap_base = assert(module:get_option_string("ldap_base"), "ldap_base is a required option for ldap");
-- "bind" (default): verify a password by binding as the user's own DN.
-- "getpasswd": read userPassword with the service account and let util.sasl
-- compare it locally (requires the attribute to hold the cleartext password).
local ldap_mode = module:get_option_string("ldap_mode", "bind");
-- Optional filter that marks admin accounts; same placeholders as ldap_filter.
local ldap_admins = module:get_option_string("ldap_admin_filter",
	module:get_option_string("ldap_admins")); -- COMPAT with mistake in documentation
-- Value substituted for "$host" in the filters, escaped once here.
local host = ldap_filter_escape(module:get_option_string("realm", module.host));
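-- Initiate connection
-- The service-account connection is opened lazily by ldap_do_once() and kept
-- in this upvalue; it is reset to nil whenever an operation fails so that the
-- next call reconnects.
local ld = nil;
-- Close the service connection when the module is unloaded. Note the argument
-- order: the method comes first and the connection is passed as `self`
-- (pcall(ld, ld.close) would try to call the connection itself, pcall would
-- swallow that error, and the handle would never be closed). The upvalue is
-- cleared afterwards so nothing can reuse a closed handle.
module.unload = function()
	if ld then
		pcall(ld.close, ld);
		ld = nil;
	end
end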
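--- Run one LDAP operation on the shared service connection.
-- Connects (binding as ldap_rootdn/ldap_password) if no connection is open,
-- calls ld[method](ld, ...) and then calls whatever that returned, with the
-- remaining return values as arguments, to obtain the first result: for
-- "search" that is lualdap's entry iterator (dn, attrs); "modify" is driven
-- the same way (the call was generalised for password modification).
-- Any failure during the operation drops the cached connection so that the
-- next attempt reconnects.
-- Deliberately global: ldap_do() and other code in this module rely on it.
-- @param method string: name of the lualdap connection method ("search", "modify", ...)
-- @param ... arguments forwarded to that method
-- @return dn, attr, where — on success the first result pair and "return";
--   on failure nil, an error message, and a label saying where it failed
--   ("reconnect", the method name, or "iter"); ldap_do() logs the label.
function ldap_do_once(method, ...)
	if ld == nil then
		local err;
		ld, err = lualdap.open_simple(ldap_server, ldap_rootdn, ldap_password, ldap_tls);
		if not ld then return nil, err, "reconnect"; end
	end

	local fn = ld[method];
	if fn == nil then
		-- Programmer error rather than a connection problem: keep the connection.
		return nil, "unknown LDAP method: " .. tostring(method), tostring(method);
	end

	local ok, iterator, invariant, initial = pcall(fn, ld, ...);
	if not ok then ld = nil; return nil, iterator, tostring(method); end
	if type(iterator) ~= "function" then
		-- Defensive: should the method report failure as nil, err instead of
		-- raising, surface err rather than failing on "attempt to call nil".
		return nil, tostring(invariant or "LDAP operation returned no result"), tostring(method);
	end

	local dn, attr;
	ok, dn, attr = pcall(iterator, invariant, initial);
	-- Normalised to nil (not pcall's false) so callers only ever see nil or a dn.
	if not ok then ld = nil; return nil, dn, "iter"; end

	return dn, attr, "return";
end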
--- Run an LDAP operation with retries; see ldap_do_once() for the call shape.
-- Up to 1 + retry_count attempts are made. An attempt is final when it yields
-- a dn (hit) or neither a dn nor an error (clean miss). Each failed attempt is
-- logged at "warn"; if the last one failed too the error is also logged at
-- "error". Deliberately global, like ldap_do_once().
-- @param method string: lualdap connection method name
-- @param retry_count number: extra attempts after the first
-- @param ... arguments forwarded to the method
-- @return dn, attr as produced by ldap_do_once (nil, err after the final failure)
function ldap_do(method, retry_count, ...)
	local dn, attr, where;
	for attempt = 1, retry_count + 1 do
		dn, attr, where = ldap_do_once(method, ...);
		local done = dn or not attr; -- a hit, or a clean miss
		if done then
			break;
		end
		module:log("warn", "LDAP: %s %s (in %s)", tostring(dn), tostring(attr), where);
		-- fall through to the next attempt
	end
	local failed = (not dn) and attr;
	if failed then
		module:log("error", "LDAP: %s", tostring(attr));
	end
	return dn, attr;
end
--- Look up the directory entry for a local username.
-- The search filter is ldap_filter with the escaped username substituted for
-- "$user" and the pre-escaped realm for "$host", run under ldap_base with a
-- size limit of 1. Only the first entry the server returns is used, so the
-- filter should match a single entry; if it can match several, which one is
-- bound against (bind mode) or whose userPassword is read (getpasswd mode)
-- depends on the server's ordering. Global on purpose so other modules can
-- reuse it.
-- @param username string: localpart of the account (unescaped)
-- @return dn, attrs of the first match; nil when nothing matches; nil, err on failure
function get_user(username)
	module:log("debug", "get_user(%q)", username);
	local substitutions = {
		user = ldap_filter_escape(username);
		host = host;
	};
	local filter = ldap_filter:gsub("%$(%a+)", substitutions);
	local query = {
		base = ldap_base;
		scope = ldap_scope;
		sizelimit = 1;
		filter = filter;
	};
	return ldap_do("search", 2, query);
end
-- Auth provider table; functions are attached below (some depending on
-- ldap_mode) and it is registered with module:provides("auth", ...) at the end.
local provider = {};
--- Account creation is not supported: accounts are managed in the directory.
-- @param username string (ignored)
-- @param password string (ignored)
-- @return nil, error message
function provider.create_user(username, password) -- luacheck: ignore 212
	local reason = "Account creation not available with LDAP.";
	return nil, reason;
end
--- Whether a directory entry matches the username (see get_user()).
-- @param username string
-- @return boolean; false also when the lookup fails (fails closed)
function provider.user_exists(username)
	local dn = get_user(username);
	if dn then
		return true;
	end
	return false;
end
--- Replace the user's userPassword attribute using the service account.
-- The value is written exactly as given; whether it ends up stored in clear
-- or hashed depends on the directory server's policy, not on this module.
-- If the stored value already equals the new password nothing is written.
-- @param username string
-- @param password string: new password
-- @return true on success / no-op; nil, err when the user is not found or the modify fails
function provider.set_password(username, password)
	local dn, attr = get_user(username);
	if dn then
		if attr.userPassword ~= password then
			return ldap_do("modify", 2, dn, { '=', userPassword = password });
		end
		return true;
	end
	return nil, attr;
end
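if ldap_mode == "getpasswd" then
	-- "getpasswd" mode: the service account reads each user's userPassword and
	-- hands it to util.sasl, which is what lets mechanisms such as SCRAM work.
	-- This only functions when the attribute holds the cleartext password (a
	-- hashed value such as "{SSHA}..." will never match what the client proves)
	-- and the service account is permitted to read it.

	--- Fetch the stored userPassword for a username.
	-- @param username string
	-- @return the attribute value, or nil when the user is unknown or the lookup failed
	function provider.get_password(username)
		local dn, attr = get_user(username);
		if dn and attr then
			return attr.userPassword;
		end
	end

	--- Compare a candidate password with the stored one.
	-- Both sides must be present: an account without a userPassword attribute
	-- (get_password returns nil) must never match, including a nil candidate,
	-- which the bare `==` comparison would otherwise accept as equal.
	-- @return boolean
	function provider.test_password(username, password)
		local stored = provider.get_password(username);
		if stored == nil or password == nil then
			return false;
		end
		return stored == password;
	end

	function provider.get_sasl_handler()
		return new_sasl(module.host, {
			plain = function(sasl, username) -- luacheck: ignore 212/sasl
				local password = provider.get_password(username);
				-- nil state signals "no such account" to util.sasl
				if not password then return "", nil; end
				return password, true;
			end
		});
	end
elseif ldap_mode == "bind" then
	--- Verify a password by binding to the directory as the user's own DN.
	-- An empty (or non-string) password is rejected before any bind is tried:
	-- RFC 4513 §5.1.2 permits a server to treat a DN with empty credentials as
	-- an *unauthenticated* bind and answer success, which would let anyone log
	-- in as any user. The throw-away connection is closed explicitly instead of
	-- being left for the garbage collector.
	-- @param userdn string: DN found by get_user()
	-- @param password string: candidate password
	-- @return boolean
	local function test_password(userdn, password)
		if type(password) ~= "string" or password == "" then
			return false;
		end
		local conn = lualdap.open_simple(ldap_server, userdn, password, ldap_tls);
		if not conn then
			return false;
		end
		pcall(conn.close, conn);
		return true;
	end

	--- Look the user up and bind as the resulting DN.
	-- @return true/false for a known user; nothing when no entry matches
	function provider.test_password(username, password)
		local dn = get_user(username);
		if not dn then return end
		return test_password(dn, password)
	end

	function provider.get_sasl_handler()
		return new_sasl(module.host, {
			plain_test = function(sasl, username, password) -- luacheck: ignore 212/sasl
				return provider.test_password(username, password), true;
			end
		});
	end
else
	-- Neither test_password nor get_sasl_handler gets installed in this case.
	module:log("error", "Unsupported ldap_mode %s", tostring(ldap_mode));
end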
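if ldap_admins then
	--- Decide admin status from the directory using ldap_admin_filter.
	-- Only the localpart is interpolated into the filter, so the JID's host is
	-- checked here explicitly: a JID on another domain must not inherit admin
	-- rights just because it shares a localpart with a local admin. A JID
	-- without a localpart is never an admin, and directory errors yield false
	-- (fail closed).
	-- @param jid string: bare or full JID of the account being checked
	-- @return boolean
	function provider.is_admin(jid)
		local username, userhost = jid_split(jid);
		if not username or userhost ~= module.host then
			return false;
		end
		local substitutions = {
			user = ldap_filter_escape(username);
			host = host;
		};
		local dn = ldap_do("search", 2, {
			base = ldap_base;
			scope = ldap_scope;
			sizelimit = 1;
			filter = ldap_admins:gsub("%$(%a+)", substitutions);
		});
		return not not dn;
	end
end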
-- Register the table above as this host's authentication provider.
module:provides("auth", provider);