Annotate

mod_auth_ldap/mod_auth_ldap.lua @ 1188:5eaecb7f680d

mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
author Thijs Alkemade <me@thijsalkema.de>
date Fri, 06 Sep 2013 13:07:57 +0200
parent 1163:52bee1247014
child 1190:c99d8b666eb4
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
293
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
1
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
2 local new_sasl = require "util.sasl".new;
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
3 local log = require "util.logger".init("auth_ldap");
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
4
1162
8e3420d48508 mod_auth_ldap: Switch to type-specific get_option variants
Kim Alvefur <zash@zash.se>
parents: 902
diff changeset
5 local ldap_server = module:get_option_string("ldap_server", "localhost");
8e3420d48508 mod_auth_ldap: Switch to type-specific get_option variants
Kim Alvefur <zash@zash.se>
parents: 902
diff changeset
6 local ldap_rootdn = module:get_option_string("ldap_rootdn", "");
8e3420d48508 mod_auth_ldap: Switch to type-specific get_option variants
Kim Alvefur <zash@zash.se>
parents: 902
diff changeset
7 local ldap_password = module:get_option_string("ldap_password", "");
8e3420d48508 mod_auth_ldap: Switch to type-specific get_option variants
Kim Alvefur <zash@zash.se>
parents: 902
diff changeset
8 local ldap_tls = module:get_option_boolean("ldap_tls");
1163
52bee1247014 mod_auth_ldap: Add a configurable scope, defaulting to onelevel
Kim Alvefur <zash@zash.se>
parents: 1162
diff changeset
9 local ldap_scope = module:get_option_string("ldap_scope", "onelevel");
1162
8e3420d48508 mod_auth_ldap: Switch to type-specific get_option variants
Kim Alvefur <zash@zash.se>
parents: 902
diff changeset
10 local ldap_base = assert(module:get_option_string("ldap_base"), "ldap_base is a required option for ldap");
293
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
11
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
12 local lualdap = require "lualdap";
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
13 local ld = assert(lualdap.open_simple(ldap_server, ldap_rootdn, ldap_password, ldap_tls));
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
14 module.unload = function() ld:close(); end
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
15
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
16 function do_query(query)
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
17 for dn, attribs in ld:search(query) do
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
18 return true; -- found a result
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
19 end
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
20 end
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
21
814
881ec9919144 mod_auth_*: Use module:provides(), and don't explicitly specify provider.name.
Waqas Hussain <waqas20@gmail.com>
parents: 342
diff changeset
22 local provider = {};
293
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
23
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
24 local function ldap_filter_escape(s) return (s:gsub("[\\*\\(\\)\\\\%z]", function(c) return ("\\%02x"):format(c:byte()) end)); end
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
25 function provider.test_password(username, password)
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
26 return do_query({
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
27 base = ldap_base;
1163
52bee1247014 mod_auth_ldap: Add a configurable scope, defaulting to onelevel
Kim Alvefur <zash@zash.se>
parents: 1162
diff changeset
28 scope = ldap_scope;
293
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
29 filter = "(&(uid="..ldap_filter_escape(username)..")(userPassword="..ldap_filter_escape(password)..")(accountStatus=active))";
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
30 });
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
31 end
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
32 function provider.user_exists(username)
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
33 return do_query({
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
34 base = ldap_base;
1163
52bee1247014 mod_auth_ldap: Add a configurable scope, defaulting to onelevel
Kim Alvefur <zash@zash.se>
parents: 1162
diff changeset
35 scope = ldap_scope;
293
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
36 filter = "(uid="..ldap_filter_escape(username)..")";
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
37 });
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
38 end
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
39
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
40 function provider.get_password(username) return nil, "Passwords unavailable for LDAP."; end
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
41 function provider.set_password(username, password) return nil, "Passwords unavailable for LDAP."; end
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
42 function provider.create_user(username, password) return nil, "Account creation/modification not available with LDAP."; end
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
43
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
44 function provider.get_sasl_handler()
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
45 local testpass_authentication_profile = {
305
4c3abf1a9b5a mod_auth_*, mod_saslauth_muc: Update SASL callbacks to take SASL handler as first argument.
Waqas Hussain <waqas20@gmail.com>
parents: 293
diff changeset
46 plain_test = function(sasl, username, password, realm)
902
490cb9161c81 mod_auth_{external,internal_yubikey,ldap,ldap2,sql}: No need to nodeprep in SASL handler.
Waqas Hussain <waqas20@gmail.com>
parents: 814
diff changeset
47 return provider.test_password(username, password), true;
293
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
48 end
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
49 };
342
8e9e5c7d97ff mod_auth_*: Get rid of undocumented and broken 'sasl_realm' config option.
Waqas Hussain <waqas20@gmail.com>
parents: 305
diff changeset
50 return new_sasl(module.host, testpass_authentication_profile);
293
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
51 end
d76f47a608ab mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents: 286
diff changeset
52
814
881ec9919144 mod_auth_*: Use module:provides(), and don't explicitly specify provider.name.
Waqas Hussain <waqas20@gmail.com>
parents: 342
diff changeset
53 module:provides("auth", provider);