diff mod_auth_ldap/mod_auth_ldap.lua @ 1274:4b15437d6c56

mod_auth_ldap: Add support for binding
author Kim Alvefur <zash@zash.se>
date Wed, 15 Jan 2014 14:45:37 +0100
parents 1b543060f31e
children da2e593317d7
line wrap: on
line diff
--- a/mod_auth_ldap/mod_auth_ldap.lua	Wed Jan 15 14:35:27 2014 +0100
+++ b/mod_auth_ldap/mod_auth_ldap.lua	Wed Jan 15 14:45:37 2014 +0100
@@ -11,6 +11,7 @@
 local ldap_scope = module:get_option_string("ldap_scope", "onelevel");
 local ldap_filter = module:get_option_string("ldap_filter", "(uid=%s)");
 local ldap_base = assert(module:get_option_string("ldap_base"), "ldap_base is a required option for ldap");
+local ldap_mode = module:get_option_string("ldap_mode", "getpasswd");
 
 -- Initiate connection
 local ld = assert(lualdap.open_simple(ldap_server, ldap_rootdn, ldap_password, ldap_tls));
@@ -43,25 +44,48 @@
 	if attr.userPassword == password then return true end
 	return ld:modify(dn, { '=', userPassword = password })();
 end
-function provider.get_password(username)
-	local dn, attr = get_user(username);
-	if dn and attr then
-		return attr.userPassword;
+
+if ldap_mode == "getpasswd" then
+	function provider.get_password(username)
+		local dn, attr = get_user(username);
+		if dn and attr then
+			return attr.userPassword;
+		end
 	end
-end
+
+	function provider.test_password(username, password)
+		return provider.get_password(username) == password;
+	end
 
-function provider.test_password(username, password)
-	return provider.get_password(username) == password;
-end
+	function provider.get_sasl_handler()
+		return new_sasl(module.host, {
+			plain = function(sasl, username)
+				local password = provider.get_password(username);
+				if not password then return "", nil; end
+				return password, true;
+			end
+		});
+	end
+elseif ldap_mode == "bind" then
+	local function test_password(userdn, password)
+		return not not lualdap.open_simple(ldap_server, userdn, password, ldap_tls);
+	end
 
-function provider.get_sasl_handler()
-	return new_sasl(module.host, {
-		plain = function(sasl, username)
-			local password = provider.get_password(username);
-			if not password then return "", nil; end
-			return password, true;
-		end
-	});
+	function provider.test_password(username, password)
+		local dn = get_user(username);
+		if not dn then return end
+		return test_password(dn, password)
+	end
+
+	function provider.get_sasl_handler()
+		return new_sasl(module.host, {
+			plain_test = function(sasl, username, password)
+				return provider.test_password(username, password), true;
+			end
+		});
+	end
+else
+	module:log("error", "Unsupported ldap_mode %s", tostring(ldap_mode));
 end
 
 module:provides("auth", provider);