Software /
code /
prosody-modules
Comparison
mod_auth_ldap/mod_auth_ldap.lua @ 1190:c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Mon, 09 Sep 2013 15:46:51 +0200 |
parent | 1163:52bee1247014 |
child | 1192:db4085433e5f |
comparison
equal
deleted
inserted
replaced
1189:1630c6ed3814 | 1190:c99d8b666eb4 |
---|---|
5 local ldap_server = module:get_option_string("ldap_server", "localhost"); | 5 local ldap_server = module:get_option_string("ldap_server", "localhost"); |
6 local ldap_rootdn = module:get_option_string("ldap_rootdn", ""); | 6 local ldap_rootdn = module:get_option_string("ldap_rootdn", ""); |
7 local ldap_password = module:get_option_string("ldap_password", ""); | 7 local ldap_password = module:get_option_string("ldap_password", ""); |
8 local ldap_tls = module:get_option_boolean("ldap_tls"); | 8 local ldap_tls = module:get_option_boolean("ldap_tls"); |
9 local ldap_scope = module:get_option_string("ldap_scope", "onelevel"); | 9 local ldap_scope = module:get_option_string("ldap_scope", "onelevel"); |
10 local ldap_filter = module:get_option_string("ldap_filter", "(uid=%s)"); | |
10 local ldap_base = assert(module:get_option_string("ldap_base"), "ldap_base is a required option for ldap"); | 11 local ldap_base = assert(module:get_option_string("ldap_base"), "ldap_base is a required option for ldap"); |
11 | 12 |
12 local lualdap = require "lualdap"; | 13 local lualdap = require "lualdap"; |
13 local ld = assert(lualdap.open_simple(ldap_server, ldap_rootdn, ldap_password, ldap_tls)); | 14 local ld = assert(lualdap.open_simple(ldap_server, ldap_rootdn, ldap_password, ldap_tls)); |
14 module.unload = function() ld:close(); end | 15 module.unload = function() ld:close(); end |
15 | 16 |
16 function do_query(query) | 17 local function ldap_filter_escape(s) return (s:gsub("[\\*\\(\\)\\\\%z]", function(c) return ("\\%02x"):format(c:byte()) end)); end |
17 for dn, attribs in ld:search(query) do | 18 |
18 return true; -- found a result | 19 local function get_user(username) |
19 end | 20 module:log("debug", "get_user(%q)", username); |
21 return ld:search({ | |
22 base = ldap_base; | |
23 scope = ldap_scope; | |
24 filter = ldap_filter:format(ldap_filter_escape(username)); | |
25 })(); | |
20 end | 26 end |
21 | 27 |
22 local provider = {}; | 28 local provider = {}; |
23 | 29 |
24 local function ldap_filter_escape(s) return (s:gsub("[\\*\\(\\)\\\\%z]", function(c) return ("\\%02x"):format(c:byte()) end)); end | 30 function provider.get_password(username) |
31 local dn, attr = get_user(username); | |
32 if dn and attr then | |
33 return attr.userPassword; | |
34 end | |
35 end | |
36 | |
25 function provider.test_password(username, password) | 37 function provider.test_password(username, password) |
26 return do_query({ | 38 return provider.get_password(username) == password; |
27 base = ldap_base; | |
28 scope = ldap_scope; | |
29 filter = "(&(uid="..ldap_filter_escape(username)..")(userPassword="..ldap_filter_escape(password)..")(accountStatus=active))"; | |
30 }); | |
31 end | 39 end |
32 function provider.user_exists(username) | 40 function provider.user_exists(username) |
33 return do_query({ | 41 return not not get_user(username); |
34 base = ldap_base; | |
35 scope = ldap_scope; | |
36 filter = "(uid="..ldap_filter_escape(username)..")"; | |
37 }); | |
38 end | 42 end |
39 | 43 |
40 function provider.get_password(username) return nil, "Passwords unavailable for LDAP."; end | |
41 function provider.set_password(username, password) return nil, "Passwords unavailable for LDAP."; end | 44 function provider.set_password(username, password) return nil, "Passwords unavailable for LDAP."; end |
42 function provider.create_user(username, password) return nil, "Account creation/modification not available with LDAP."; end | 45 function provider.create_user(username, password) return nil, "Account creation/modification not available with LDAP."; end |
43 | 46 |
44 function provider.get_sasl_handler() | 47 function provider.get_sasl_handler() |
45 local testpass_authentication_profile = { | 48 return new_sasl(module.host, { |
46 plain_test = function(sasl, username, password, realm) | 49 plain = function(sasl, username) |
47 return provider.test_password(username, password), true; | 50 local password = provider.get_password(username); |
51 if not password then return "", nil; end | |
52 return password, true; | |
48 end | 53 end |
49 }; | 54 }); |
50 return new_sasl(module.host, testpass_authentication_profile); | |
51 end | 55 end |
52 | 56 |
53 module:provides("auth", provider); | 57 module:provides("auth", provider); |