prosody-modules
e79f9dec35c0
mod_auth_ldap2/mod_auth_ldap2.lua

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody-modules

Annotate

mod_auth_ldap2/mod_auth_ldap2.lua @ 5810:e79f9dec35c0

mod_c2s_conn_throttle: Reduce log level from error->info Our general policy is that "error" should never be triggerable by remote entities, and that it is always about something that requires admin intervention. This satisfies neither condition. The "warn" level can be used for unexpected events/behaviour triggered by remote entities, and this could qualify. However I don't think failed auth attempts are unexpected enough. I selected "info" because it is what is also used for other notable session lifecycle events.
author Matthew Wild <mwild1@gmail.com>
date Thu, 07 Dec 2023 15:46:50 +0000
parent 3869:f2b29183ef08
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
809
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
1 -- vim:sts=4 sw=4
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
2
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
3 -- Prosody IM
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
4 -- Copyright (C) 2008-2010 Matthew Wild
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
5 -- Copyright (C) 2008-2010 Waqas Hussain
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
6 -- Copyright (C) 2012 Rob Hoelz
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
7 --
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
8 -- This project is MIT/X11 licensed. Please see the
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
9 -- COPYING file in the source package for more information.
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
10 --
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
11 -- http://code.google.com/p/prosody-modules/source/browse/mod_auth_ldap/mod_auth_ldap.lua
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
12 -- adapted to use common LDAP store
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
13
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
14 local ldap = module:require 'ldap';
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
15 local new_sasl = require 'util.sasl'.new;
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
16 local jsplit = require 'util.jid'.split;
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
17
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
18 if not ldap then
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
19 return;
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
20 end
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
21
814
881ec9919144 mod_auth_*: Use module:provides(), and don't explicitly specify provider.name.
Waqas Hussain <waqas20@gmail.com>
parents: 809
diff changeset
22 local provider = {}
809
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
23
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
24 function provider.test_password(username, password)
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
25 return ldap.bind(username, password);
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
26 end
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
27
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
28 function provider.user_exists(username)
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
29 local params = ldap.getparams()
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
30
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
31 local filter = ldap.filter.combine_and(params.user.filter, params.user.usernamefield .. '=' .. username);
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
32
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
33 return ldap.singlematch {
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
34 base = params.user.basedn,
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
35 filter = filter,
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
36 };
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
37 end
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
38
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
39 function provider.get_password(username)
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
40 return nil, "Passwords unavailable for LDAP.";
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
41 end
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
42
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
43 function provider.set_password(username, password)
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
44 return nil, "Passwords unavailable for LDAP.";
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
45 end
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
46
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
47 function provider.create_user(username, password)
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
48 return nil, "Account creation/modification not available with LDAP.";
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
49 end
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
50
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
51 function provider.get_sasl_handler()
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
52 local testpass_authentication_profile = {
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
53 plain_test = function(sasl, username, password, realm)
902
490cb9161c81 mod_auth_{external,internal_yubikey,ldap,ldap2,sql}: No need to nodeprep in SASL handler.
Waqas Hussain <waqas20@gmail.com>
parents: 862
diff changeset
54 return provider.test_password(username, password), true;
809
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
55 end,
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
56 mechanisms = { PLAIN = true },
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
57 };
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
58 return new_sasl(module.host, testpass_authentication_profile);
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
59 end
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
60
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
61 function provider.is_admin(jid)
3869
f2b29183ef08 mod_auth_ldap, mod_auth_ldap2: Ensure is_admin() checks of remote JIDs never return positive
Matthew Wild <mwild1@gmail.com>
parents: 902
diff changeset
62 local username, userhost = jsplit(jid);
f2b29183ef08 mod_auth_ldap, mod_auth_ldap2: Ensure is_admin() checks of remote JIDs never return positive
Matthew Wild <mwild1@gmail.com>
parents: 902
diff changeset
63 if userhost ~= module.host then
f2b29183ef08 mod_auth_ldap, mod_auth_ldap2: Ensure is_admin() checks of remote JIDs never return positive
Matthew Wild <mwild1@gmail.com>
parents: 902
diff changeset
64 return false;
f2b29183ef08 mod_auth_ldap, mod_auth_ldap2: Ensure is_admin() checks of remote JIDs never return positive
Matthew Wild <mwild1@gmail.com>
parents: 902
diff changeset
65 end
809
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
66 local admin_config = ldap.getparams().admin;
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
67
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
68 if not admin_config then
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
69 return;
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
70 end
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
71
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
72 local ld = ldap:getconnection();
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
73 local filter = ldap.filter.combine_and(admin_config.filter, admin_config.namefield .. '=' .. username);
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
74
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
75 return ldap.singlematch {
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
76 base = admin_config.basedn,
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
77 filter = filter,
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
78 };
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
79 end
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
80
814
881ec9919144 mod_auth_*: Use module:provides(), and don't explicitly specify provider.name.
Waqas Hussain <waqas20@gmail.com>
parents: 809
diff changeset
81 module:provides("auth", provider);