prosody-modules: mod_auth_ldap/mod_auth

comparison mod_auth_ldap/mod_auth_ldap.lua @ 1190:c99d8b666eb4

mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.

author	Kim Alvefur <zash@zash.se>
date	Mon, 09 Sep 2013 15:46:51 +0200
parents	52bee1247014
children	db4085433e5f

comparison

equal deleted inserted replaced

-:1630c6ed3814
+:c99d8b666eb4
 local ldap_server = module:get_option_string("ldap_server", "localhost");
 local ldap_rootdn = module:get_option_string("ldap_rootdn", "");
 local ldap_password = module:get_option_string("ldap_password", "");
 local ldap_tls = module:get_option_boolean("ldap_tls");
 local ldap_scope = module:get_option_string("ldap_scope", "onelevel");
+local ldap_filter = module:get_option_string("ldap_filter", "(uid=%s)");
 local ldap_base = assert(module:get_option_string("ldap_base"), "ldap_base is a required option for ldap");
 local lualdap = require "lualdap";
 local ld = assert(lualdap.open_simple(ldap_server, ldap_rootdn, ldap_password, ldap_tls));
 module.unload = function() ld:close(); end
-function do_query(query)
+local function ldap_filter_escape(s) return (s:gsub("[\\*\\(\\)\\\\%z]", function(c) return ("\\%02x"):format(c:byte()) end)); end
-	for dn, attribs in ld:search(query) do
-		return true; -- found a result
+local function get_user(username)
-	end
+	module:log("debug", "get_user(%q)", username);
+	return ld:search({
+		base = ldap_base;
+		scope = ldap_scope;
+		filter = ldap_filter:format(ldap_filter_escape(username));
+	})();
 end
 local provider = {};
-local function ldap_filter_escape(s) return (s:gsub("[\\*\\(\\)\\\\%z]", function(c) return ("\\%02x"):format(c:byte()) end)); end
+function provider.get_password(username)
+	local dn, attr = get_user(username);
+	if dn and attr then
+		return attr.userPassword;
+	end
+end
 function provider.test_password(username, password)
-	return do_query({
+	return provider.get_password(username) == password;
-		base = ldap_base;
-		scope = ldap_scope;
-		filter = "(&(uid="..ldap_filter_escape(username)..")(userPassword="..ldap_filter_escape(password)..")(accountStatus=active))";
-	});
 end
 function provider.user_exists(username)
-	return do_query({
+	return not not get_user(username);
-		base = ldap_base;
-		scope = ldap_scope;
-		filter = "(uid="..ldap_filter_escape(username)..")";
-	});
 end
-function provider.get_password(username) return nil, "Passwords unavailable for LDAP."; end
 function provider.set_password(username, password) return nil, "Passwords unavailable for LDAP."; end
 function provider.create_user(username, password) return nil, "Account creation/modification not available with LDAP."; end
 function provider.get_sasl_handler()
-	local testpass_authentication_profile = {
+	return new_sasl(module.host, {
-		plain_test = function(sasl, username, password, realm)
+		plain = function(sasl, username)
-			return provider.test_password(username, password), true;
+			local password = provider.get_password(username);
+			if not password then return "", nil; end
+			return password, true;
 		end
-	};
+	});
-	return new_sasl(module.host, testpass_authentication_profile);
 end
 module:provides("auth", provider);

Mercurial > prosody-modules

comparison mod_auth_ldap/mod_auth_ldap.lua @ 1190:c99d8b666eb4