|
809
|
1 -- vim:sts=4 sw=4
|
|
|
2
|
|
|
3 -- Prosody IM
|
|
|
4 -- Copyright (C) 2008-2010 Matthew Wild
|
|
|
5 -- Copyright (C) 2008-2010 Waqas Hussain
|
|
|
6 -- Copyright (C) 2012 Rob Hoelz
|
|
|
7 --
|
|
|
8 -- This project is MIT/X11 licensed. Please see the
|
|
|
9 -- COPYING file in the source package for more information.
|
|
|
10 --
|
|
|
11
|
|
|
12 local ldap;
|
|
|
13 local connection;
|
|
|
14 local params = module:get_option("ldap");
|
|
|
15 local format = string.format;
|
|
|
16 local tconcat = table.concat;
|
|
|
17
|
|
|
18 local _M = {};
|
|
|
19
|
|
|
20 local config_params = {
|
|
|
21 hostname = 'string',
|
|
|
22 user = {
|
|
|
23 basedn = 'string',
|
|
|
24 namefield = 'string',
|
|
|
25 filter = 'string',
|
|
|
26 usernamefield = 'string',
|
|
|
27 },
|
|
|
28 groups = {
|
|
|
29 basedn = 'string',
|
|
|
30 namefield = 'string',
|
|
|
31 memberfield = 'string',
|
|
|
32
|
|
|
33 _member = {
|
|
|
34 name = 'string',
|
|
|
35 admin = 'boolean?',
|
|
|
36 },
|
|
|
37 },
|
|
|
38 admin = {
|
|
|
39 _optional = true,
|
|
|
40 basedn = 'string',
|
|
|
41 namefield = 'string',
|
|
|
42 filter = 'string',
|
|
|
43 }
|
|
|
44 }
|
|
|
45
|
|
|
46 local function run_validation(params, config, prefix)
|
|
|
47 prefix = prefix or '';
|
|
|
48
|
|
|
49 -- verify that every required member of config is present in params
|
|
|
50 for k, v in pairs(config) do
|
|
|
51 if type(k) == 'string' and k:sub(1, 1) ~= '_' then
|
|
|
52 local is_optional;
|
|
|
53 if type(v) == 'table' then
|
|
|
54 is_optional = v._optional;
|
|
|
55 else
|
|
|
56 is_optional = v:sub(-1) == '?';
|
|
|
57 end
|
|
|
58
|
|
|
59 if not is_optional and params[k] == nil then
|
|
|
60 return nil, prefix .. k .. ' is required';
|
|
|
61 end
|
|
|
62 end
|
|
|
63 end
|
|
|
64
|
|
|
65 for k, v in pairs(params) do
|
|
|
66 local expected_type = config[k];
|
|
|
67
|
|
|
68 local ok, err = true;
|
|
|
69
|
|
|
70 if type(k) == 'string' then
|
|
|
71 -- verify that this key is present in config
|
|
|
72 if k:sub(1, 1) == '_' or expected_type == nil then
|
|
|
73 return nil, 'invalid parameter ' .. prefix .. k;
|
|
|
74 end
|
|
|
75
|
|
|
76 -- type validation
|
|
|
77 if type(expected_type) == 'string' then
|
|
|
78 if expected_type:sub(-1) == '?' then
|
|
|
79 expected_type = expected_type:sub(1, -2);
|
|
|
80 end
|
|
|
81
|
|
|
82 if type(v) ~= expected_type then
|
|
|
83 return nil, 'invalid type for parameter ' .. prefix .. k;
|
|
|
84 end
|
|
|
85 else -- it's a table (or had better be)
|
|
|
86 if type(v) ~= 'table' then
|
|
|
87 return nil, 'invalid type for parameter ' .. prefix .. k;
|
|
|
88 end
|
|
|
89
|
|
|
90 -- recurse into child
|
|
|
91 ok, err = run_validation(v, expected_type, prefix .. k .. '.');
|
|
|
92 end
|
|
|
93 else -- it's an integer (or had better be)
|
|
|
94 if not config._member then
|
|
|
95 return nil, 'invalid parameter ' .. prefix .. tostring(k);
|
|
|
96 end
|
|
|
97 ok, err = run_validation(v, config._member, prefix .. tostring(k) .. '.');
|
|
|
98 end
|
|
|
99
|
|
|
100 if not ok then
|
|
|
101 return ok, err;
|
|
|
102 end
|
|
|
103 end
|
|
|
104
|
|
|
105 return true;
|
|
|
106 end
|
|
|
107
|
|
|
108 local function validate_config()
|
|
|
109 if true then
|
|
|
110 return true; -- XXX for now
|
|
|
111 end
|
|
|
112
|
|
|
113 -- this is almost too clever (I mean that in a bad
|
|
|
114 -- maintainability sort of way)
|
|
|
115 --
|
|
|
116 -- basically this allows a free pass for a key in group members
|
|
|
117 -- equal to params.groups.namefield
|
|
|
118 setmetatable(config_params.groups._member, {
|
|
|
119 __index = function(_, k)
|
|
|
120 if k == params.groups.namefield then
|
|
|
121 return 'string';
|
|
|
122 end
|
|
|
123 end
|
|
|
124 });
|
|
|
125
|
|
|
126 local ok, err = run_validation(params, config_params);
|
|
|
127
|
|
|
128 setmetatable(config_params.groups._member, nil);
|
|
|
129
|
|
|
130 if ok then
|
|
|
131 -- a little extra validation that doesn't fit into
|
|
|
132 -- my recursive checker
|
|
|
133 local group_namefield = params.groups.namefield;
|
|
|
134 for i, group in ipairs(params.groups) do
|
|
|
135 if not group[group_namefield] then
|
|
|
136 return nil, format('groups.%d.%s is required', i, group_namefield);
|
|
|
137 end
|
|
|
138 end
|
|
|
139
|
|
|
140 -- fill in params.admin if you can
|
|
|
141 if not params.admin and params.groups then
|
|
|
142 local admingroup;
|
|
|
143
|
|
|
144 for _, groupconfig in ipairs(params.groups) do
|
|
|
145 if groupconfig.admin then
|
|
|
146 admingroup = groupconfig;
|
|
|
147 break;
|
|
|
148 end
|
|
|
149 end
|
|
|
150
|
|
|
151 if admingroup then
|
|
|
152 params.admin = {
|
|
|
153 basedn = params.groups.basedn,
|
|
|
154 namefield = params.groups.memberfield,
|
|
|
155 filter = group_namefield .. '=' .. admingroup[group_namefield],
|
|
|
156 };
|
|
|
157 end
|
|
|
158 end
|
|
|
159 end
|
|
|
160
|
|
|
161 return ok, err;
|
|
|
162 end
|
|
|
163
|
|
|
164 -- what to do if connection isn't available?
|
|
|
165 local function connect()
|
|
|
166 return ldap.open_simple(params.hostname, params.bind_dn, params.bind_password, params.use_tls);
|
|
|
167 end
|
|
|
168
|
|
|
169 -- this is abstracted so we can maintain persistent connections at a later time
|
|
|
170 function _M.getconnection()
|
|
|
171 return connect();
|
|
|
172 end
|
|
|
173
|
|
|
174 function _M.getparams()
|
|
|
175 return params;
|
|
|
176 end
|
|
|
177
|
|
|
178 -- XXX consider renaming this...it doesn't bind the current connection
|
|
|
179 function _M.bind(username, password)
|
|
|
180 local who = format('%s=%s,%s', params.user.usernamefield, username, params.user.basedn);
|
|
|
181 local conn, err = ldap.open_simple(params.hostname, who, password, params.use_tls);
|
|
|
182
|
|
|
183 if conn then
|
|
|
184 conn:close();
|
|
|
185 return true;
|
|
|
186 end
|
|
|
187
|
|
|
188 return conn, err;
|
|
|
189 end
|
|
|
190
|
|
|
191 function _M.singlematch(query)
|
|
|
192 local ld = _M.getconnection();
|
|
|
193
|
|
|
194 query.sizelimit = 1;
|
|
|
195 query.scope = 'onelevel';
|
|
|
196
|
|
|
197 for dn, attribs in ld:search(query) do
|
|
|
198 return attribs;
|
|
|
199 end
|
|
|
200 end
|
|
|
201
|
|
|
202 _M.filter = {};
|
|
|
203
|
|
|
204 function _M.filter.combine_and(...)
|
|
|
205 local parts = { '(&' };
|
|
|
206
|
|
|
207 local arg = { ... };
|
|
|
208
|
|
|
209 for _, filter in ipairs(arg) do
|
|
|
210 if filter:sub(1, 1) ~= '(' and filter:sub(-1) ~= ')' then
|
|
|
211 filter = '(' .. filter .. ')'
|
|
|
212 end
|
|
|
213 parts[#parts + 1] = filter;
|
|
|
214 end
|
|
|
215
|
|
|
216 parts[#parts + 1] = ')';
|
|
|
217
|
|
|
218 return tconcat(parts, '');
|
|
|
219 end
|
|
|
220
|
|
|
221 do
|
|
|
222 local ok, err;
|
|
|
223
|
|
|
224 prosody.unlock_globals();
|
|
|
225 ok, ldap = pcall(require, 'lualdap');
|
|
|
226 prosody.lock_globals();
|
|
|
227 if not ok then
|
|
|
228 module:log("error", "Failed to load the LuaLDAP library for accessing LDAP: %s", ldap);
|
|
|
229 module:log("error", "More information on install LuaLDAP can be found at http://www.keplerproject.org/lualdap");
|
|
|
230 return;
|
|
|
231 end
|
|
|
232
|
|
|
233 if not params then
|
|
|
234 module:log("error", "LDAP configuration required to use the LDAP storage module");
|
|
|
235 return;
|
|
|
236 end
|
|
|
237
|
|
|
238 ok, err = validate_config();
|
|
|
239
|
|
|
240 if not ok then
|
|
|
241 module:log("error", "LDAP configuration is invalid: %s", tostring(err));
|
|
|
242 return;
|
|
|
243 end
|
|
|
244 end
|
|
|
245
|
|
|
246 return _M;
|
