prosody-modules: mod_auth_ldap2/mod_auth

annotate mod_auth_ldap2/mod_auth_ldap2.lua @ 5401:c8d04ac200fc

mod_http_oauth2: Reject loopback URIs as client_uri This really should be a proper website with info, https://localhost is not good enough. Ideally we'd validate that it's got proper DNS and is actually reachable, but triggering HTTP or even DNS lookups seems like it would carry abuse potential that would best to avoid.

author	Kim Alvefur <zash@zash.se>
date	Tue, 02 May 2023 16:20:55 +0200
parents	f2b29183ef08
children

rev	line source
809 1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	1 -- vim:sts=4 sw=4
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	2
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	3 -- Prosody IM
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	4 -- Copyright (C) 2008-2010 Matthew Wild
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	5 -- Copyright (C) 2008-2010 Waqas Hussain
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	6 -- Copyright (C) 2012 Rob Hoelz
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	7 --
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	8 -- This project is MIT/X11 licensed. Please see the
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	9 -- COPYING file in the source package for more information.
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	10 --
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	11 -- http://code.google.com/p/prosody-modules/source/browse/mod_auth_ldap/mod_auth_ldap.lua
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	12 -- adapted to use common LDAP store
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	13
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	14 local ldap = module:require 'ldap';
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	15 local new_sasl = require 'util.sasl'.new;
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	16 local jsplit = require 'util.jid'.split;
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	17
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	18 if not ldap then
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	19 return;
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	20 end
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	21
814 881ec9919144 mod_auth_: Use module:provides(), and don't explicitly specify provider.name. Waqas Hussain <waqas20@gmail.com>* parents: 809 diff changeset	22 local provider = {}
809 1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	23
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	24 function provider.test_password(username, password)
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	25 return ldap.bind(username, password);
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	26 end
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	27
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	28 function provider.user_exists(username)
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	29 local params = ldap.getparams()
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	30
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	31 local filter = ldap.filter.combine_and(params.user.filter, params.user.usernamefield .. '=' .. username);
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	32
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	33 return ldap.singlematch {
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	34 base = params.user.basedn,
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	35 filter = filter,
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	36 };
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	37 end
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	38
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	39 function provider.get_password(username)
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	40 return nil, "Passwords unavailable for LDAP.";
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	41 end
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	42
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	43 function provider.set_password(username, password)
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	44 return nil, "Passwords unavailable for LDAP.";
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	45 end
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	46
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	47 function provider.create_user(username, password)
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	48 return nil, "Account creation/modification not available with LDAP.";
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	49 end
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	50
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	51 function provider.get_sasl_handler()
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	52 local testpass_authentication_profile = {
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	53 plain_test = function(sasl, username, password, realm)
902 490cb9161c81 mod_auth_{external,internal_yubikey,ldap,ldap2,sql}: No need to nodeprep in SASL handler. Waqas Hussain <waqas20@gmail.com> parents: 862 diff changeset	54 return provider.test_password(username, password), true;
809 1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	55 end,
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	56 mechanisms = { PLAIN = true },
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	57 };
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	58 return new_sasl(module.host, testpass_authentication_profile);
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	59 end
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	60
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	61 function provider.is_admin(jid)
3869 f2b29183ef08 mod_auth_ldap, mod_auth_ldap2: Ensure is_admin() checks of remote JIDs never return positive Matthew Wild <mwild1@gmail.com> parents: 902 diff changeset	62 local username, userhost = jsplit(jid);
f2b29183ef08 mod_auth_ldap, mod_auth_ldap2: Ensure is_admin() checks of remote JIDs never return positive Matthew Wild <mwild1@gmail.com> parents: 902 diff changeset	63 if userhost ~= module.host then
f2b29183ef08 mod_auth_ldap, mod_auth_ldap2: Ensure is_admin() checks of remote JIDs never return positive Matthew Wild <mwild1@gmail.com> parents: 902 diff changeset	64 return false;
f2b29183ef08 mod_auth_ldap, mod_auth_ldap2: Ensure is_admin() checks of remote JIDs never return positive Matthew Wild <mwild1@gmail.com> parents: 902 diff changeset	65 end
809 1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	66 local admin_config = ldap.getparams().admin;
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	67
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	68 if not admin_config then
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	69 return;
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	70 end
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	71
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	72 local ld = ldap:getconnection();
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	73 local filter = ldap.filter.combine_and(admin_config.filter, admin_config.namefield .. '=' .. username);
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	74
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	75 return ldap.singlematch {
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	76 base = admin_config.basedn,
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	77 filter = filter,
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	78 };
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	79 end
1d51c5e38faa Add LDAP plugin suite rob@hoelz.ro parents: diff changeset	80
814 881ec9919144 mod_auth_: Use module:provides(), and don't explicitly specify provider.name. Waqas Hussain <waqas20@gmail.com>* parents: 809 diff changeset	81 module:provides("auth", provider);

Mercurial > prosody-modules

annotate mod_auth_ldap2/mod_auth_ldap2.lua @ 5401:c8d04ac200fc