# HG changeset patch # User Kim Alvefur # Date 1456825225 -3600 # Node ID e16593e7d48254668132592609fda16da5313cec # Parent 2c6d84fb82d90b96484b483a78bf1cfea693c77c mod_auth_ldap: Add support for having admin status indicated in LDAP diff -r 2c6d84fb82d9 -r e16593e7d482 mod_auth_ldap/README.markdown --- a/mod_auth_ldap/README.markdown Tue Mar 01 10:31:10 2016 +0100 +++ b/mod_auth_ldap/README.markdown Tue Mar 01 10:40:25 2016 +0100 @@ -40,6 +40,7 @@ ldap\_scope Search scope. other values: "base" and "onelevel" `"subtree"` ldap\_tls Enable TLS (StartTLS) to connect to LDAP (can be true or false). The non-standard 'LDAPS' protocol is not supported. `false` ldap\_mode How passwords are validated. `"bind"` + ldap\_admins Search filter to match admins, works like ldap\_scope **Note:** lua-ldap reads from `/etc/ldap/ldap.conf` and other files like `~prosody/.ldaprc` if they exist. Users wanting to use a particular TLS diff -r 2c6d84fb82d9 -r e16593e7d482 mod_auth_ldap/mod_auth_ldap.lua --- a/mod_auth_ldap/mod_auth_ldap.lua Tue Mar 01 10:31:10 2016 +0100 +++ b/mod_auth_ldap/mod_auth_ldap.lua Tue Mar 01 10:40:25 2016 +0100 @@ -1,5 +1,6 @@ -- mod_auth_ldap +local jid_split = require "util.jid".split; local new_sasl = require "util.sasl".new; local lualdap = require "lualdap"; local function ldap_filter_escape(s) return (s:gsub("[*()\\%z]", function(c) return ("\\%02x"):format(c:byte()) end)); end @@ -13,6 +14,7 @@ local ldap_filter = module:get_option_string("ldap_filter", "(uid=$user)"):gsub("%%s", "$user", 1); local ldap_base = assert(module:get_option_string("ldap_base"), "ldap_base is a required option for ldap"); local ldap_mode = module:get_option_string("ldap_mode", "bind"); +local ldap_admins = module:get_option_string("ldap_admin_filter"); local host = ldap_filter_escape(module:get_option_string("realm", module.host)); -- Initiate connection 
@@ -122,4 +124,19 @@ module:log("error", "Unsupported ldap_mode %s", tostring(ldap_mode)); end +if ldap_admins then + function provider.is_admin(jid) + local username = jid_split(jid); + return ldap_do("search", 2, { + base = ldap_base; + scope = ldap_scope; + sizelimit = 1; + filter = ldap_admins:gsub("%$(%a+)", { + user = ldap_filter_escape(username); + host = host; + }); + }); + end +end + module:provides("auth", provider);
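Review bot: the README row and the code disagree on the option name: the README documents `ldap_admins`, but the Lua hunk reads `module:get_option_string("ldap_admin_filter")`, so a config written from the README would silently leave `ldap_admins` nil and `provider.is_admin` would never be defined. Pick one key (say `ldap_admin_filter`, matching the other `ldap_*` names) and use it in the README, the option lookup and the local variable. The README text "works like ldap\_scope" also points at the wrong option: this is a search filter with `$user` and `$host` placeholders, so it works like `ldap_filter`, e.g. "Search filter matching users who are admins; `$user` and `$host` are substituted as in ldap\_filter" with an explicit "none" in the default column, since the other rows all state one.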
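Review bot: in `provider.is_admin`, `local username = jid_split(jid);` discards the JID's host and can yield a nil username (for a domain-only JID such as a host or component), after which `ldap_filter_escape(username)` raises an error from `s:gsub` on nil rather than returning false. Because `$host` is filled from the escaped `realm`/module host rather than from the JID, a JID on a different domain with the same node is looked up as if it were the local user. Suggested guard at the top of the function: `local username, userhost = jid_split(jid);` followed by `if not username or userhost ~= module.host then return false; end`. Since this function issues a live LDAP search on every call and is_admin is consulted often, consider caching the result per bare JID with a short TTL as well.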