Mercurial > prosody-modules
annotate mod_auth_ldap/mod_auth_ldap.lua @ 5424:b45d9a81b3da
mod_http_oauth2: Revert role selector, going to try something else
Back out f2c7bb3af600
Allowing only a single role to be encoded into the grant takes away the
possibility of having multiple roles in the grant, one of which is
selected when issuing an access token. It also takes away the ability to
have zero roles granted, which could be useful e.g. when you only need
OIDC scopes.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sun, 07 May 2023 19:40:57 +0200 |
parents | f2b29183ef08 |
children |
rev | line source |
---|---|
1273
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
1 -- mod_auth_ldap |
293
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
2 |
2056
e16593e7d482
mod_auth_ldap: Add support for having admin status indicated in LDAP
Kim Alvefur <zash@zash.se>
parents:
1987
diff
changeset
|
3 local jid_split = require "util.jid".split; |
293
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
4 local new_sasl = require "util.sasl".new; |
1273
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
5 local lualdap = require "lualdap"; |
2774
41565a743cad
mod_auth_ldap: Split long line into many [luacheck]
Kim Alvefur <zash@zash.se>
parents:
2056
diff
changeset
|
6 |
41565a743cad
mod_auth_ldap: Split long line into many [luacheck]
Kim Alvefur <zash@zash.se>
parents:
2056
diff
changeset
|
7 local function ldap_filter_escape(s) |
41565a743cad
mod_auth_ldap: Split long line into many [luacheck]
Kim Alvefur <zash@zash.se>
parents:
2056
diff
changeset
|
8 return (s:gsub("[*()\\%z]", function(c) return ("\\%02x"):format(c:byte()) end)); |
41565a743cad
mod_auth_ldap: Split long line into many [luacheck]
Kim Alvefur <zash@zash.se>
parents:
2056
diff
changeset
|
9 end |
293
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
10 |
1273
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
11 -- Config options |
1162
8e3420d48508
mod_auth_ldap: Switch to type-specific get_option variants
Kim Alvefur <zash@zash.se>
parents:
902
diff
changeset
|
12 local ldap_server = module:get_option_string("ldap_server", "localhost"); |
8e3420d48508
mod_auth_ldap: Switch to type-specific get_option variants
Kim Alvefur <zash@zash.se>
parents:
902
diff
changeset
|
13 local ldap_rootdn = module:get_option_string("ldap_rootdn", ""); |
8e3420d48508
mod_auth_ldap: Switch to type-specific get_option variants
Kim Alvefur <zash@zash.se>
parents:
902
diff
changeset
|
14 local ldap_password = module:get_option_string("ldap_password", ""); |
8e3420d48508
mod_auth_ldap: Switch to type-specific get_option variants
Kim Alvefur <zash@zash.se>
parents:
902
diff
changeset
|
15 local ldap_tls = module:get_option_boolean("ldap_tls"); |
1987
6d7699eda594
mod_auth_ldap: Change default of ldap_scope from onelevel to subtree which seems to match many deployments
Kim Alvefur <zash@zash.se>
parents:
1611
diff
changeset
|
16 local ldap_scope = module:get_option_string("ldap_scope", "subtree"); |
1287
da2e593317d7
mod_auth_ldap: Switch config format for ldap_filter to eg (uid=$user)
Kim Alvefur <zash@zash.se>
parents:
1274
diff
changeset
|
17 local ldap_filter = module:get_option_string("ldap_filter", "(uid=$user)"):gsub("%%s", "$user", 1); |
1162
8e3420d48508
mod_auth_ldap: Switch to type-specific get_option variants
Kim Alvefur <zash@zash.se>
parents:
902
diff
changeset
|
18 local ldap_base = assert(module:get_option_string("ldap_base"), "ldap_base is a required option for ldap"); |
1479
9a0a0cfd3710
mod_auth_ldap: Change default for ldap_mode to "bind", everyone seems to be using that
Kim Alvefur <zash@zash.se>
parents:
1478
diff
changeset
|
19 local ldap_mode = module:get_option_string("ldap_mode", "bind"); |
3327
3af2da030397
mod_auth_ldap: Add compat with the previously mistaken documentation (thanks pep.)
Kim Alvefur <zash@zash.se>
parents:
3188
diff
changeset
|
20 local ldap_admins = module:get_option_string("ldap_admin_filter", |
3af2da030397
mod_auth_ldap: Add compat with the previously mistaken documentation (thanks pep.)
Kim Alvefur <zash@zash.se>
parents:
3188
diff
changeset
|
21 module:get_option_string("ldap_admins")); -- COMPAT with mistake in documentation |
1287
da2e593317d7
mod_auth_ldap: Switch config format for ldap_filter to eg (uid=$user)
Kim Alvefur <zash@zash.se>
parents:
1274
diff
changeset
|
22 local host = ldap_filter_escape(module:get_option_string("realm", module.host)); |
293
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
23 |
1273
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
24 -- Initiate connection |
1609
5f139770061e
mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error.
Waqas Hussain <waqas20@gmail.com>
parents:
1479
diff
changeset
|
25 local ld = nil; |
5f139770061e
mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error.
Waqas Hussain <waqas20@gmail.com>
parents:
1479
diff
changeset
|
26 module.unload = function() if ld then pcall(ld, ld.close); end end |
5f139770061e
mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error.
Waqas Hussain <waqas20@gmail.com>
parents:
1479
diff
changeset
|
27 |
1611
770236ea9678
mod_auth_ldap: Fix use of ldap_search, and generalize it to support password modification as well.
Waqas Hussain <waqas20@gmail.com>
parents:
1610
diff
changeset
|
28 function ldap_do_once(method, ...) |
1609
5f139770061e
mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error.
Waqas Hussain <waqas20@gmail.com>
parents:
1479
diff
changeset
|
29 if ld == nil then |
5f139770061e
mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error.
Waqas Hussain <waqas20@gmail.com>
parents:
1479
diff
changeset
|
30 local err; |
5f139770061e
mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error.
Waqas Hussain <waqas20@gmail.com>
parents:
1479
diff
changeset
|
31 ld, err = lualdap.open_simple(ldap_server, ldap_rootdn, ldap_password, ldap_tls); |
5f139770061e
mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error.
Waqas Hussain <waqas20@gmail.com>
parents:
1479
diff
changeset
|
32 if not ld then return nil, err, "reconnect"; end |
5f139770061e
mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error.
Waqas Hussain <waqas20@gmail.com>
parents:
1479
diff
changeset
|
33 end |
5f139770061e
mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error.
Waqas Hussain <waqas20@gmail.com>
parents:
1479
diff
changeset
|
34 |
2775
8407137c0a3b
mod_auth_ldap: Add annotations to ignore harmless warnings [luacheck]
Kim Alvefur <zash@zash.se>
parents:
2774
diff
changeset
|
35 -- luacheck: ignore 411/success |
1611
770236ea9678
mod_auth_ldap: Fix use of ldap_search, and generalize it to support password modification as well.
Waqas Hussain <waqas20@gmail.com>
parents:
1610
diff
changeset
|
36 local success, iterator, invariant, initial = pcall(ld[method], ld, ...); |
1609
5f139770061e
mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error.
Waqas Hussain <waqas20@gmail.com>
parents:
1479
diff
changeset
|
37 if not success then ld = nil; return nil, iterator, "search"; end |
5f139770061e
mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error.
Waqas Hussain <waqas20@gmail.com>
parents:
1479
diff
changeset
|
38 |
5f139770061e
mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error.
Waqas Hussain <waqas20@gmail.com>
parents:
1479
diff
changeset
|
39 local success, dn, attr = pcall(iterator, invariant, initial); |
5f139770061e
mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error.
Waqas Hussain <waqas20@gmail.com>
parents:
1479
diff
changeset
|
40 if not success then ld = nil; return success, dn, "iter"; end |
5f139770061e
mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error.
Waqas Hussain <waqas20@gmail.com>
parents:
1479
diff
changeset
|
41 |
5f139770061e
mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error.
Waqas Hussain <waqas20@gmail.com>
parents:
1479
diff
changeset
|
42 return dn, attr, "return"; |
5f139770061e
mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error.
Waqas Hussain <waqas20@gmail.com>
parents:
1479
diff
changeset
|
43 end |
5f139770061e
mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error.
Waqas Hussain <waqas20@gmail.com>
parents:
1479
diff
changeset
|
44 |
1611
770236ea9678
mod_auth_ldap: Fix use of ldap_search, and generalize it to support password modification as well.
Waqas Hussain <waqas20@gmail.com>
parents:
1610
diff
changeset
|
45 function ldap_do(method, retry_count, ...) |
1609
5f139770061e
mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error.
Waqas Hussain <waqas20@gmail.com>
parents:
1479
diff
changeset
|
46 local dn, attr, where; |
2775
8407137c0a3b
mod_auth_ldap: Add annotations to ignore harmless warnings [luacheck]
Kim Alvefur <zash@zash.se>
parents:
2774
diff
changeset
|
47 for _=1,1+retry_count do |
1611
770236ea9678
mod_auth_ldap: Fix use of ldap_search, and generalize it to support password modification as well.
Waqas Hussain <waqas20@gmail.com>
parents:
1610
diff
changeset
|
48 dn, attr, where = ldap_do_once(method, ...); |
1609
5f139770061e
mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error.
Waqas Hussain <waqas20@gmail.com>
parents:
1479
diff
changeset
|
49 if dn or not(attr) then break; end -- nothing or something found |
5f139770061e
mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error.
Waqas Hussain <waqas20@gmail.com>
parents:
1479
diff
changeset
|
50 module:log("warn", "LDAP: %s %s (in %s)", tostring(dn), tostring(attr), where); |
5f139770061e
mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error.
Waqas Hussain <waqas20@gmail.com>
parents:
1479
diff
changeset
|
51 -- otherwise retry |
5f139770061e
mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error.
Waqas Hussain <waqas20@gmail.com>
parents:
1479
diff
changeset
|
52 end |
5f139770061e
mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error.
Waqas Hussain <waqas20@gmail.com>
parents:
1479
diff
changeset
|
53 if not dn and attr then |
5f139770061e
mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error.
Waqas Hussain <waqas20@gmail.com>
parents:
1479
diff
changeset
|
54 module:log("error", "LDAP: %s", tostring(attr)); |
5f139770061e
mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error.
Waqas Hussain <waqas20@gmail.com>
parents:
1479
diff
changeset
|
55 end |
5f139770061e
mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error.
Waqas Hussain <waqas20@gmail.com>
parents:
1479
diff
changeset
|
56 return dn, attr; |
5f139770061e
mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error.
Waqas Hussain <waqas20@gmail.com>
parents:
1479
diff
changeset
|
57 end |
293
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
58 |
2851
4b10636bd743
"Export" get_user from mod_auth_ldap
Jonas Wielicki <jonas@wielicki.name>
parents:
2775
diff
changeset
|
59 function get_user(username) |
1190
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
60 module:log("debug", "get_user(%q)", username); |
1611
770236ea9678
mod_auth_ldap: Fix use of ldap_search, and generalize it to support password modification as well.
Waqas Hussain <waqas20@gmail.com>
parents:
1610
diff
changeset
|
61 return ldap_do("search", 2, { |
1190
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
62 base = ldap_base; |
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
63 scope = ldap_scope; |
1375
90bde50b3915
mod_auth_ldap: Limit results in user lookup query to 1
Kim Alvefur <zash@zash.se>
parents:
1374
diff
changeset
|
64 sizelimit = 1; |
1287
da2e593317d7
mod_auth_ldap: Switch config format for ldap_filter to eg (uid=$user)
Kim Alvefur <zash@zash.se>
parents:
1274
diff
changeset
|
65 filter = ldap_filter:gsub("%$(%a+)", { |
da2e593317d7
mod_auth_ldap: Switch config format for ldap_filter to eg (uid=$user)
Kim Alvefur <zash@zash.se>
parents:
1274
diff
changeset
|
66 user = ldap_filter_escape(username); |
da2e593317d7
mod_auth_ldap: Switch config format for ldap_filter to eg (uid=$user)
Kim Alvefur <zash@zash.se>
parents:
1274
diff
changeset
|
67 host = host; |
da2e593317d7
mod_auth_ldap: Switch config format for ldap_filter to eg (uid=$user)
Kim Alvefur <zash@zash.se>
parents:
1274
diff
changeset
|
68 }); |
1611
770236ea9678
mod_auth_ldap: Fix use of ldap_search, and generalize it to support password modification as well.
Waqas Hussain <waqas20@gmail.com>
parents:
1610
diff
changeset
|
69 }); |
293
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
70 end |
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
71 |
814
881ec9919144
mod_auth_*: Use module:provides(), and don't explicitly specify provider.name.
Waqas Hussain <waqas20@gmail.com>
parents:
342
diff
changeset
|
72 local provider = {}; |
293
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
73 |
2775
8407137c0a3b
mod_auth_ldap: Add annotations to ignore harmless warnings [luacheck]
Kim Alvefur <zash@zash.se>
parents:
2774
diff
changeset
|
74 function provider.create_user(username, password) -- luacheck: ignore 212 |
1273
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
75 return nil, "Account creation not available with LDAP."; |
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
76 end |
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
77 |
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
78 function provider.user_exists(username) |
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
79 return not not get_user(username); |
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
80 end |
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
81 |
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
82 function provider.set_password(username, password) |
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
83 local dn, attr = get_user(username); |
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
84 if not dn then return nil, attr end |
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
85 if attr.userPassword == password then return true end |
1611
770236ea9678
mod_auth_ldap: Fix use of ldap_search, and generalize it to support password modification as well.
Waqas Hussain <waqas20@gmail.com>
parents:
1610
diff
changeset
|
86 return ldap_do("modify", 2, dn, { '=', userPassword = password }); |
1273
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
87 end |
1274
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
88 |
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
89 if ldap_mode == "getpasswd" then |
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
90 function provider.get_password(username) |
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
91 local dn, attr = get_user(username); |
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
92 if dn and attr then |
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
93 return attr.userPassword; |
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
94 end |
1190
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
95 end |
1274
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
96 |
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
97 function provider.test_password(username, password) |
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
98 return provider.get_password(username) == password; |
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
99 end |
1190
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
100 |
1274
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
101 function provider.get_sasl_handler() |
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
102 return new_sasl(module.host, { |
2775
8407137c0a3b
mod_auth_ldap: Add annotations to ignore harmless warnings [luacheck]
Kim Alvefur <zash@zash.se>
parents:
2774
diff
changeset
|
103 plain = function(sasl, username) -- luacheck: ignore 212/sasl |
1274
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
104 local password = provider.get_password(username); |
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
105 if not password then return "", nil; end |
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
106 return password, true; |
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
107 end |
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
108 }); |
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
109 end |
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
110 elseif ldap_mode == "bind" then |
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
111 local function test_password(userdn, password) |
3565
7344513ee160
mod_auth_ldap: Log any error message from open_simple() when testing password
Kim Alvefur <zash@zash.se>
parents:
3327
diff
changeset
|
112 local ok, err = lualdap.open_simple(ldap_server, userdn, password, ldap_tls); |
7344513ee160
mod_auth_ldap: Log any error message from open_simple() when testing password
Kim Alvefur <zash@zash.se>
parents:
3327
diff
changeset
|
113 if not ok then |
3566
b50be75c8bef
mod_auth_ldap: Use module API for logging
Kim Alvefur <zash@zash.se>
parents:
3565
diff
changeset
|
114 module:log("debug", "ldap open_simple error: %s", err); |
3565
7344513ee160
mod_auth_ldap: Log any error message from open_simple() when testing password
Kim Alvefur <zash@zash.se>
parents:
3327
diff
changeset
|
115 end |
7344513ee160
mod_auth_ldap: Log any error message from open_simple() when testing password
Kim Alvefur <zash@zash.se>
parents:
3327
diff
changeset
|
116 return not not ok; |
1274
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
117 end |
293
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
118 |
1274
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
119 function provider.test_password(username, password) |
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
120 local dn = get_user(username); |
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
121 if not dn then return end |
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
122 return test_password(dn, password) |
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
123 end |
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
124 |
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
125 function provider.get_sasl_handler() |
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
126 return new_sasl(module.host, { |
2775
8407137c0a3b
mod_auth_ldap: Add annotations to ignore harmless warnings [luacheck]
Kim Alvefur <zash@zash.se>
parents:
2774
diff
changeset
|
127 plain_test = function(sasl, username, password) -- luacheck: ignore 212/sasl |
1274
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
128 return provider.test_password(username, password), true; |
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
129 end |
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
130 }); |
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
131 end |
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
132 else |
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
133 module:log("error", "Unsupported ldap_mode %s", tostring(ldap_mode)); |
293
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
134 end |
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
135 |
2056
e16593e7d482
mod_auth_ldap: Add support for having admin status indicated in LDAP
Kim Alvefur <zash@zash.se>
parents:
1987
diff
changeset
|
136 if ldap_admins then |
e16593e7d482
mod_auth_ldap: Add support for having admin status indicated in LDAP
Kim Alvefur <zash@zash.se>
parents:
1987
diff
changeset
|
137 function provider.is_admin(jid) |
3869
f2b29183ef08
mod_auth_ldap, mod_auth_ldap2: Ensure is_admin() checks of remote JIDs never return positive
Matthew Wild <mwild1@gmail.com>
parents:
3566
diff
changeset
|
138 local username, user_host = jid_split(jid); |
f2b29183ef08
mod_auth_ldap, mod_auth_ldap2: Ensure is_admin() checks of remote JIDs never return positive
Matthew Wild <mwild1@gmail.com>
parents:
3566
diff
changeset
|
139 if user_host ~= module.host then |
f2b29183ef08
mod_auth_ldap, mod_auth_ldap2: Ensure is_admin() checks of remote JIDs never return positive
Matthew Wild <mwild1@gmail.com>
parents:
3566
diff
changeset
|
140 return false; |
f2b29183ef08
mod_auth_ldap, mod_auth_ldap2: Ensure is_admin() checks of remote JIDs never return positive
Matthew Wild <mwild1@gmail.com>
parents:
3566
diff
changeset
|
141 end |
2056
e16593e7d482
mod_auth_ldap: Add support for having admin status indicated in LDAP
Kim Alvefur <zash@zash.se>
parents:
1987
diff
changeset
|
142 return ldap_do("search", 2, { |
e16593e7d482
mod_auth_ldap: Add support for having admin status indicated in LDAP
Kim Alvefur <zash@zash.se>
parents:
1987
diff
changeset
|
143 base = ldap_base; |
e16593e7d482
mod_auth_ldap: Add support for having admin status indicated in LDAP
Kim Alvefur <zash@zash.se>
parents:
1987
diff
changeset
|
144 scope = ldap_scope; |
e16593e7d482
mod_auth_ldap: Add support for having admin status indicated in LDAP
Kim Alvefur <zash@zash.se>
parents:
1987
diff
changeset
|
145 sizelimit = 1; |
e16593e7d482
mod_auth_ldap: Add support for having admin status indicated in LDAP
Kim Alvefur <zash@zash.se>
parents:
1987
diff
changeset
|
146 filter = ldap_admins:gsub("%$(%a+)", { |
e16593e7d482
mod_auth_ldap: Add support for having admin status indicated in LDAP
Kim Alvefur <zash@zash.se>
parents:
1987
diff
changeset
|
147 user = ldap_filter_escape(username); |
e16593e7d482
mod_auth_ldap: Add support for having admin status indicated in LDAP
Kim Alvefur <zash@zash.se>
parents:
1987
diff
changeset
|
148 host = host; |
e16593e7d482
mod_auth_ldap: Add support for having admin status indicated in LDAP
Kim Alvefur <zash@zash.se>
parents:
1987
diff
changeset
|
149 }); |
e16593e7d482
mod_auth_ldap: Add support for having admin status indicated in LDAP
Kim Alvefur <zash@zash.se>
parents:
1987
diff
changeset
|
150 }); |
e16593e7d482
mod_auth_ldap: Add support for having admin status indicated in LDAP
Kim Alvefur <zash@zash.se>
parents:
1987
diff
changeset
|
151 end |
e16593e7d482
mod_auth_ldap: Add support for having admin status indicated in LDAP
Kim Alvefur <zash@zash.se>
parents:
1987
diff
changeset
|
152 end |
e16593e7d482
mod_auth_ldap: Add support for having admin status indicated in LDAP
Kim Alvefur <zash@zash.se>
parents:
1987
diff
changeset
|
153 |
814
881ec9919144
mod_auth_*: Use module:provides(), and don't explicitly specify provider.name.
Waqas Hussain <waqas20@gmail.com>
parents:
342
diff
changeset
|
154 module:provides("auth", provider); |