view mod_auth_ldap/mod_auth_ldap.lua @ 342:8e9e5c7d97ff

mod_auth_*: Get rid of undocumented and broken 'sasl_realm' config option.
author Waqas Hussain <>
date Wed, 23 Feb 2011 01:36:46 +0500
parents 4c3abf1a9b5a
children 881ec9919144
line wrap: on
line source

local new_sasl = require "util.sasl".new;
local nodeprep = require "util.encodings".stringprep.nodeprep;
local log = require "util.logger".init("auth_ldap");

local ldap_server = module:get_option("ldap_server") or "localhost";
local ldap_rootdn = module:get_option("ldap_rootdn") or "";
local ldap_password = module:get_option("ldap_password") or "";
local ldap_tls = module:get_option("ldap_tls");
local ldap_base = assert(module:get_option("ldap_base"), "ldap_base is a required option for ldap");

local lualdap = require "lualdap";
local ld = assert(lualdap.open_simple(ldap_server, ldap_rootdn, ldap_password, ldap_tls));
module.unload = function() ld:close(); end

function do_query(query)
	for dn, attribs in ld:search(query) do
		return true; -- found a result

local provider = { name = "ldap" };

local function ldap_filter_escape(s) return (s:gsub("[\\*\\(\\)\\\\%z]", function(c) return ("\\%02x"):format(c:byte()) end)); end
function provider.test_password(username, password)
	return do_query({
		base = ldap_base;
		filter = "(&(uid="..ldap_filter_escape(username)..")(userPassword="..ldap_filter_escape(password)..")(accountStatus=active))";
function provider.user_exists(username)
	return do_query({
		base = ldap_base;
		filter = "(uid="..ldap_filter_escape(username)..")";

function provider.get_password(username) return nil, "Passwords unavailable for LDAP."; end
function provider.set_password(username, password) return nil, "Passwords unavailable for LDAP."; end
function provider.create_user(username, password) return nil, "Account creation/modification not available with LDAP."; end

function provider.get_sasl_handler()
	local testpass_authentication_profile = {
		plain_test = function(sasl, username, password, realm)
			local prepped_username = nodeprep(username);
			if not prepped_username then
				log("debug", "NODEprep failed on username: %s", username);
				return "", nil;
			return provider.test_password(prepped_username, password), true;
	return new_sasl(, testpass_authentication_profile);

module:add_item("auth-provider", provider);