Annotate

mod_auth_ldap/mod_auth_ldap.lua @ 252:8eae74a31acb

mod_seclabels: Prototype security labels plugin
author Matthew Wild <mwild1@gmail.com>
date Mon, 20 Sep 2010 21:10:49 +0100
parent 218:4a91047f9b5e
child 286:ca6199d73d68
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
191
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
1
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
2 local new_sasl = require "util.sasl".new;
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
3 local nodeprep = require "util.encodings".stringprep.nodeprep;
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
4 local log = require "util.logger".init("auth_ldap");
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
5
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
6 local ldap_server = module:get_option("ldap_server") or "localhost";
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
7 local ldap_rootdn = module:get_option("ldap_rootdn") or "";
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
8 local ldap_password = module:get_option("ldap_password") or "";
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
9 local ldap_tls = module:get_option("ldap_tls");
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
10 local ldap_base = assert(module:get_option("ldap_base"), "ldap_base is a required option for ldap");
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
11
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
12 local lualdap = require "lualdap";
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
13 local ld = assert(lualdap.open_simple(ldap_server, ldap_rootdn, ldap_password, ldap_tls));
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
14 module.unload = function() ld:close(); end
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
15
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
16 function do_query(query)
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
17 for dn, attribs in ld:search(query) do
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
18 return true; -- found a result
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
19 end
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
20 end
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
21
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
22 local provider = { name = "ldap" };
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
23
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
24 local function ldap_filter_escape(s) return (s:gsub("[\\*\\(\\)\\\\%z]", function(c) return ("\\%02x"):format(c:byte()) end)); end
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
25 function provider.test_password(username, password)
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
26 return do_query({
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
27 base = ldap_base;
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
28 filter = "(&(uid="..ldap_filter_escape(username)..")(userPassword="..ldap_filter_escape(password)..")(accountStatus=active))";
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
29 });
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
30 end
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
31 function provider.user_exists(username)
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
32 return do_query({
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
33 base = ldap_base;
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
34 filter = "(uid="..ldap_filter_escape(username)..")";
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
35 });
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
36 end
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
37
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
38 function provider.get_password(username) return nil, "Passwords unavailable for LDAP."; end
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
39 function provider.set_password(username, password) return nil, "Passwords unavailable for LDAP."; end
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
40 function provider.create_user(username, password) return nil, "Account creation/modification not available with LDAP."; end
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
41
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
42 function provider.get_sasl_handler()
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
43 local realm = module:get_option("sasl_realm") or module.host;
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
44 local testpass_authentication_profile = {
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
45 plain_test = function(username, password, realm)
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
46 local prepped_username = nodeprep(username);
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
47 if not prepped_username then
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
48 log("debug", "NODEprep failed on username: %s", username);
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
49 return "", nil;
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
50 end
218
4a91047f9b5e mod_auth_ldap: Update for new usermanager.test_password syntax
Matthew Wild <mwild1@gmail.com>
parents: 191
diff changeset
51 return provider.test_password(prepped_username, realm, password), true;
191
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
52 end
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
53 };
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
54 return new_sasl(realm, testpass_authentication_profile);
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
55 end
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
56
fa7165dd82ee mod_auth_ldap: An auth plugin for authentication against LDAP.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
57 module:add_item("auth-provider", provider);