diff mod_auth_ldap/mod_auth_ldap.lua @ 2056:e16593e7d482

mod_auth_ldap: Add support for having admin status indicated in LDAP
author Kim Alvefur <zash@zash.se>
date Tue, 01 Mar 2016 10:40:25 +0100
parents 6d7699eda594
children 41565a743cad
--- a/mod_auth_ldap/mod_auth_ldap.lua	Tue Mar 01 10:31:10 2016 +0100
+++ b/mod_auth_ldap/mod_auth_ldap.lua	Tue Mar 01 10:40:25 2016 +0100
@@ -1,5 +1,6 @@
 -- mod_auth_ldap
 
+local jid_split = require "util.jid".split;
 local new_sasl = require "util.sasl".new;
 local lualdap = require "lualdap";
 local function ldap_filter_escape(s) return (s:gsub("[*()\\%z]", function(c) return ("\\%02x"):format(c:byte()) end)); end
@@ -13,6 +14,7 @@
 local ldap_filter = module:get_option_string("ldap_filter", "(uid=$user)"):gsub("%%s", "$user", 1);
 local ldap_base = assert(module:get_option_string("ldap_base"), "ldap_base is a required option for ldap");
 local ldap_mode = module:get_option_string("ldap_mode", "bind");
+local ldap_admins = module:get_option_string("ldap_admin_filter");
 local host = ldap_filter_escape(module:get_option_string("realm", module.host));
 
 -- Initiate connection
@@ -122,4 +124,19 @@
 	module:log("error", "Unsupported ldap_mode %s", tostring(ldap_mode));
 end
 
+if ldap_admins then
+	function provider.is_admin(jid)
+		local username = jid_split(jid);
+		return ldap_do("search", 2, {
+			base = ldap_base;
+			scope = ldap_scope;
+			sizelimit = 1;
+			filter = ldap_admins:gsub("%$(%a+)", {
+				user = ldap_filter_escape(username);
+				host = host;
+			});
+		});
+	end
+end
+
 module:provides("auth", provider);
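Review bot: `provider.is_admin` in this hunk throws away the domain part of the JID, so any JID whose localpart matches an entry selected by `ldap_admin_filter` is reported as admin. If the caller passes JIDs from other domains (the call site is not visible here), a remote account sharing a local admin's name would be granted admin status on this host. A JID with no localpart also leaves `username` nil, and `ldap_filter_escape(username)` then raises on `s:gsub`. I would start the function with `local username, user_host = jid_split(jid);` followed by `if not username or user_host ~= module.host then return false; end`. A short comment saying that the function answers only for this host's users, and that `$user` and `$host` in the filter are replaced with filter-escaped values, would also help the next reader.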