Annotate

mod_auth_ldap/mod_auth_ldap.lua @ 1273:1b543060f31e

mod_auth_ldap: Cleanup, reorder and some comments
author Kim Alvefur <zash@zash.se>
date Wed, 15 Jan 2014 14:35:27 +0100
parent 1221:3e5f8e844325
child 1274:4b15437d6c56
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
1273
1b543060f31e mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents: 1221
diff changeset
1 -- mod_auth_ldap
293
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
2
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
3 local new_sasl = require "util.sasl".new;
1273
1b543060f31e mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents: 1221
diff changeset
4 local lualdap = require "lualdap";
293
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
5
1273
1b543060f31e mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents: 1221
diff changeset
6 -- Config options
1162
8e3420d48508 mod_auth_ldap: Switch to type-specific get_option variants
Kim Alvefur <zash@zash.se>
parents: 902
diff changeset
7 local ldap_server = module:get_option_string("ldap_server", "localhost");
8e3420d48508 mod_auth_ldap: Switch to type-specific get_option variants
Kim Alvefur <zash@zash.se>
parents: 902
diff changeset
8 local ldap_rootdn = module:get_option_string("ldap_rootdn", "");
8e3420d48508 mod_auth_ldap: Switch to type-specific get_option variants
Kim Alvefur <zash@zash.se>
parents: 902
diff changeset
9 local ldap_password = module:get_option_string("ldap_password", "");
8e3420d48508 mod_auth_ldap: Switch to type-specific get_option variants
Kim Alvefur <zash@zash.se>
parents: 902
diff changeset
10 local ldap_tls = module:get_option_boolean("ldap_tls");
1163
52bee1247014 mod_auth_ldap: Add a configurable scope, defaulting to onelevel
Kim Alvefur <zash@zash.se>
parents: 1162
diff changeset
11 local ldap_scope = module:get_option_string("ldap_scope", "onelevel");
1190
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
12 local ldap_filter = module:get_option_string("ldap_filter", "(uid=%s)");
1162
8e3420d48508 mod_auth_ldap: Switch to type-specific get_option variants
Kim Alvefur <zash@zash.se>
parents: 902
diff changeset
13 local ldap_base = assert(module:get_option_string("ldap_base"), "ldap_base is a required option for ldap");
293
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
14
1273
1b543060f31e mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents: 1221
diff changeset
15 -- Initiate connection
293
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
16 local ld = assert(lualdap.open_simple(ldap_server, ldap_rootdn, ldap_password, ldap_tls));
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
17 module.unload = function() ld:close(); end
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
18
1190
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
19 local function ldap_filter_escape(s) return (s:gsub("[\\*\\(\\)\\\\%z]", function(c) return ("\\%02x"):format(c:byte()) end)); end
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
20
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
21 local function get_user(username)
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
22 module:log("debug", "get_user(%q)", username);
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
23 return ld:search({
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
24 base = ldap_base;
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
25 scope = ldap_scope;
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
26 filter = ldap_filter:format(ldap_filter_escape(username));
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
27 })();
293
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
28 end
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
29
814
881ec9919144 mod_auth_*: Use module:provides(), and don't explicitly specify provider.name.
Waqas Hussain <waqas20@gmail.com>
parents: 342
diff changeset
30 local provider = {};
293
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
31
1273
1b543060f31e mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents: 1221
diff changeset
32 function provider.create_user(username, password)
1b543060f31e mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents: 1221
diff changeset
33 return nil, "Account creation not available with LDAP.";
1b543060f31e mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents: 1221
diff changeset
34 end
1b543060f31e mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents: 1221
diff changeset
35
1b543060f31e mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents: 1221
diff changeset
36 function provider.user_exists(username)
1b543060f31e mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents: 1221
diff changeset
37 return not not get_user(username);
1b543060f31e mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents: 1221
diff changeset
38 end
1b543060f31e mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents: 1221
diff changeset
39
1b543060f31e mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents: 1221
diff changeset
40 function provider.set_password(username, password)
1b543060f31e mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents: 1221
diff changeset
41 local dn, attr = get_user(username);
1b543060f31e mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents: 1221
diff changeset
42 if not dn then return nil, attr end
1b543060f31e mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents: 1221
diff changeset
43 if attr.userPassword == password then return true end
1b543060f31e mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents: 1221
diff changeset
44 return ld:modify(dn, { '=', userPassword = password })();
1b543060f31e mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents: 1221
diff changeset
45 end
1190
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
46 function provider.get_password(username)
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
47 local dn, attr = get_user(username);
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
48 if dn and attr then
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
49 return attr.userPassword;
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
50 end
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
51 end
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
52
293
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
53 function provider.test_password(username, password)
1190
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
54 return provider.get_password(username) == password;
293
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
55 end
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
56
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
57 function provider.get_sasl_handler()
1190
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
58 return new_sasl(module.host, {
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
59 plain = function(sasl, username)
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
60 local password = provider.get_password(username);
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
61 if not password then return "", nil; end
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
62 return password, true;
293
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
63 end
1190
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents: 1163
diff changeset
64 });
293
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
65 end
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
66
814
881ec9919144 mod_auth_*: Use module:provides(), and don't explicitly specify provider.name.
Waqas Hussain <waqas20@gmail.com>
parents: 342
diff changeset
67 module:provides("auth", provider);