Mercurial > prosody-modules
annotate mod_lib_ldap/ldap.lib.lua @ 869:ec791fd8ce87
Return DN in the attributes table with singlematch
author | Rob Hoelz <rob@hoelz.ro> |
---|---|
date | Mon, 10 Dec 2012 22:14:28 +0100 |
parents | 0017518c94a0 |
children | 13e645340767 |
rev | line source |
---|---|
809 | 1 -- vim:sts=4 sw=4 |
2 | |
3 -- Prosody IM | |
4 -- Copyright (C) 2008-2010 Matthew Wild | |
5 -- Copyright (C) 2008-2010 Waqas Hussain | |
6 -- Copyright (C) 2012 Rob Hoelz | |
7 -- | |
8 -- This project is MIT/X11 licensed. Please see the | |
9 -- COPYING file in the source package for more information. | |
10 -- | |
11 | |
12 local ldap; | |
13 local connection; | |
14 local params = module:get_option("ldap"); | |
15 local format = string.format; | |
16 local tconcat = table.concat; | |
17 | |
18 local _M = {}; | |
19 | |
20 local config_params = { | |
21 hostname = 'string', | |
22 user = { | |
23 basedn = 'string', | |
24 namefield = 'string', | |
25 filter = 'string', | |
26 usernamefield = 'string', | |
27 }, | |
28 groups = { | |
29 basedn = 'string', | |
30 namefield = 'string', | |
31 memberfield = 'string', | |
32 | |
33 _member = { | |
34 name = 'string', | |
35 admin = 'boolean?', | |
36 }, | |
37 }, | |
38 admin = { | |
39 _optional = true, | |
40 basedn = 'string', | |
41 namefield = 'string', | |
42 filter = 'string', | |
43 } | |
44 } | |
45 | |
46 local function run_validation(params, config, prefix) | |
47 prefix = prefix or ''; | |
48 | |
49 -- verify that every required member of config is present in params | |
50 for k, v in pairs(config) do | |
51 if type(k) == 'string' and k:sub(1, 1) ~= '_' then | |
52 local is_optional; | |
53 if type(v) == 'table' then | |
54 is_optional = v._optional; | |
55 else | |
56 is_optional = v:sub(-1) == '?'; | |
57 end | |
58 | |
59 if not is_optional and params[k] == nil then | |
60 return nil, prefix .. k .. ' is required'; | |
61 end | |
62 end | |
63 end | |
64 | |
65 for k, v in pairs(params) do | |
66 local expected_type = config[k]; | |
67 | |
68 local ok, err = true; | |
69 | |
70 if type(k) == 'string' then | |
71 -- verify that this key is present in config | |
72 if k:sub(1, 1) == '_' or expected_type == nil then | |
73 return nil, 'invalid parameter ' .. prefix .. k; | |
74 end | |
75 | |
76 -- type validation | |
77 if type(expected_type) == 'string' then | |
78 if expected_type:sub(-1) == '?' then | |
79 expected_type = expected_type:sub(1, -2); | |
80 end | |
81 | |
82 if type(v) ~= expected_type then | |
83 return nil, 'invalid type for parameter ' .. prefix .. k; | |
84 end | |
85 else -- it's a table (or had better be) | |
86 if type(v) ~= 'table' then | |
87 return nil, 'invalid type for parameter ' .. prefix .. k; | |
88 end | |
89 | |
90 -- recurse into child | |
91 ok, err = run_validation(v, expected_type, prefix .. k .. '.'); | |
92 end | |
93 else -- it's an integer (or had better be) | |
94 if not config._member then | |
95 return nil, 'invalid parameter ' .. prefix .. tostring(k); | |
96 end | |
97 ok, err = run_validation(v, config._member, prefix .. tostring(k) .. '.'); | |
98 end | |
99 | |
100 if not ok then | |
101 return ok, err; | |
102 end | |
103 end | |
104 | |
105 return true; | |
106 end | |
107 | |
108 local function validate_config() | |
109 if true then | |
110 return true; -- XXX for now | |
111 end | |
112 | |
113 -- this is almost too clever (I mean that in a bad | |
114 -- maintainability sort of way) | |
115 -- | |
116 -- basically this allows a free pass for a key in group members | |
117 -- equal to params.groups.namefield | |
118 setmetatable(config_params.groups._member, { | |
119 __index = function(_, k) | |
120 if k == params.groups.namefield then | |
121 return 'string'; | |
122 end | |
123 end | |
124 }); | |
125 | |
126 local ok, err = run_validation(params, config_params); | |
127 | |
128 setmetatable(config_params.groups._member, nil); | |
129 | |
130 if ok then | |
131 -- a little extra validation that doesn't fit into | |
132 -- my recursive checker | |
133 local group_namefield = params.groups.namefield; | |
134 for i, group in ipairs(params.groups) do | |
135 if not group[group_namefield] then | |
136 return nil, format('groups.%d.%s is required', i, group_namefield); | |
137 end | |
138 end | |
139 | |
140 -- fill in params.admin if you can | |
141 if not params.admin and params.groups then | |
142 local admingroup; | |
143 | |
144 for _, groupconfig in ipairs(params.groups) do | |
145 if groupconfig.admin then | |
146 admingroup = groupconfig; | |
147 break; | |
148 end | |
149 end | |
150 | |
151 if admingroup then | |
152 params.admin = { | |
153 basedn = params.groups.basedn, | |
154 namefield = params.groups.memberfield, | |
155 filter = group_namefield .. '=' .. admingroup[group_namefield], | |
156 }; | |
157 end | |
158 end | |
159 end | |
160 | |
161 return ok, err; | |
162 end | |
163 | |
164 -- what to do if connection isn't available? | |
165 local function connect() | |
166 return ldap.open_simple(params.hostname, params.bind_dn, params.bind_password, params.use_tls); | |
167 end | |
168 | |
169 -- this is abstracted so we can maintain persistent connections at a later time | |
170 function _M.getconnection() | |
171 return connect(); | |
172 end | |
173 | |
174 function _M.getparams() | |
175 return params; | |
176 end | |
177 | |
178 -- XXX consider renaming this...it doesn't bind the current connection | |
179 function _M.bind(username, password) | |
864
16b007c7706c
We must search for dn before trying to bind
Guilhem LETTRON <guilhem.lettron@gmail.com>
parents:
809
diff
changeset
|
180 local conn = _M.getconnection(); |
16b007c7706c
We must search for dn before trying to bind
Guilhem LETTRON <guilhem.lettron@gmail.com>
parents:
809
diff
changeset
|
181 local filter = format('%s=%s', params.user.usernamefield, username); |
16b007c7706c
We must search for dn before trying to bind
Guilhem LETTRON <guilhem.lettron@gmail.com>
parents:
809
diff
changeset
|
182 local search_attrs = { |
16b007c7706c
We must search for dn before trying to bind
Guilhem LETTRON <guilhem.lettron@gmail.com>
parents:
809
diff
changeset
|
183 attrs = params.user.usernamefield, |
16b007c7706c
We must search for dn before trying to bind
Guilhem LETTRON <guilhem.lettron@gmail.com>
parents:
809
diff
changeset
|
184 base = params.user.basedn, |
16b007c7706c
We must search for dn before trying to bind
Guilhem LETTRON <guilhem.lettron@gmail.com>
parents:
809
diff
changeset
|
185 scope = 'subtree', |
16b007c7706c
We must search for dn before trying to bind
Guilhem LETTRON <guilhem.lettron@gmail.com>
parents:
809
diff
changeset
|
186 sizelimit = 1, |
16b007c7706c
We must search for dn before trying to bind
Guilhem LETTRON <guilhem.lettron@gmail.com>
parents:
809
diff
changeset
|
187 filter = filter, |
16b007c7706c
We must search for dn before trying to bind
Guilhem LETTRON <guilhem.lettron@gmail.com>
parents:
809
diff
changeset
|
188 }; |
16b007c7706c
We must search for dn before trying to bind
Guilhem LETTRON <guilhem.lettron@gmail.com>
parents:
809
diff
changeset
|
189 local who; |
16b007c7706c
We must search for dn before trying to bind
Guilhem LETTRON <guilhem.lettron@gmail.com>
parents:
809
diff
changeset
|
190 |
16b007c7706c
We must search for dn before trying to bind
Guilhem LETTRON <guilhem.lettron@gmail.com>
parents:
809
diff
changeset
|
191 for dn in conn:search(search_attrs) do |
16b007c7706c
We must search for dn before trying to bind
Guilhem LETTRON <guilhem.lettron@gmail.com>
parents:
809
diff
changeset
|
192 module:log('debug', '_M.bind - who: %s', dn); |
16b007c7706c
We must search for dn before trying to bind
Guilhem LETTRON <guilhem.lettron@gmail.com>
parents:
809
diff
changeset
|
193 who = dn; |
16b007c7706c
We must search for dn before trying to bind
Guilhem LETTRON <guilhem.lettron@gmail.com>
parents:
809
diff
changeset
|
194 end |
16b007c7706c
We must search for dn before trying to bind
Guilhem LETTRON <guilhem.lettron@gmail.com>
parents:
809
diff
changeset
|
195 |
809 | 196 local conn, err = ldap.open_simple(params.hostname, who, password, params.use_tls); |
197 | |
198 if conn then | |
199 conn:close(); | |
200 return true; | |
201 end | |
202 | |
203 return conn, err; | |
204 end | |
205 | |
206 function _M.singlematch(query) | |
207 local ld = _M.getconnection(); | |
208 | |
209 query.sizelimit = 1; | |
868
0017518c94a0
Change singlematch to search subtrees
Rob Hoelz <rob@hoelz.ro>
parents:
864
diff
changeset
|
210 query.scope = 'subtree'; |
809 | 211 |
212 for dn, attribs in ld:search(query) do | |
869
ec791fd8ce87
Return DN in the attributes table with singlematch
Rob Hoelz <rob@hoelz.ro>
parents:
868
diff
changeset
|
213 attribs.dn = dn; |
809 | 214 return attribs; |
215 end | |
216 end | |
217 | |
218 _M.filter = {}; | |
219 | |
220 function _M.filter.combine_and(...) | |
221 local parts = { '(&' }; | |
222 | |
223 local arg = { ... }; | |
224 | |
225 for _, filter in ipairs(arg) do | |
226 if filter:sub(1, 1) ~= '(' and filter:sub(-1) ~= ')' then | |
227 filter = '(' .. filter .. ')' | |
228 end | |
229 parts[#parts + 1] = filter; | |
230 end | |
231 | |
232 parts[#parts + 1] = ')'; | |
233 | |
234 return tconcat(parts, ''); | |
235 end | |
236 | |
237 do | |
238 local ok, err; | |
239 | |
240 prosody.unlock_globals(); | |
241 ok, ldap = pcall(require, 'lualdap'); | |
242 prosody.lock_globals(); | |
243 if not ok then | |
244 module:log("error", "Failed to load the LuaLDAP library for accessing LDAP: %s", ldap); | |
245 module:log("error", "More information on install LuaLDAP can be found at http://www.keplerproject.org/lualdap"); | |
246 return; | |
247 end | |
248 | |
249 if not params then | |
250 module:log("error", "LDAP configuration required to use the LDAP storage module"); | |
251 return; | |
252 end | |
253 | |
254 ok, err = validate_config(); | |
255 | |
256 if not ok then | |
257 module:log("error", "LDAP configuration is invalid: %s", tostring(err)); | |
258 return; | |
259 end | |
260 end | |
261 | |
262 return _M; |