Software / code / prosody-modules
Changeset
1190:c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Mon, 09 Sep 2013 15:46:51 +0200 |
| parents | 1189:1630c6ed3814 |
| children | 1191:1818a7f08580 |
| files | mod_auth_ldap/mod_auth_ldap.lua |
| diffstat | 1 files changed, 25 insertions(+), 21 deletions(-) [+] |
line wrap: on
line diff
--- a/mod_auth_ldap/mod_auth_ldap.lua Sat Sep 07 14:56:36 2013 +0200 +++ b/mod_auth_ldap/mod_auth_ldap.lua Mon Sep 09 15:46:51 2013 +0200 @@ -7,47 +7,51 @@ local ldap_password = module:get_option_string("ldap_password", ""); local ldap_tls = module:get_option_boolean("ldap_tls"); local ldap_scope = module:get_option_string("ldap_scope", "onelevel"); +local ldap_filter = module:get_option_string("ldap_filter", "(uid=%s)"); local ldap_base = assert(module:get_option_string("ldap_base"), "ldap_base is a required option for ldap"); local lualdap = require "lualdap"; local ld = assert(lualdap.open_simple(ldap_server, ldap_rootdn, ldap_password, ldap_tls)); module.unload = function() ld:close(); end -function do_query(query) - for dn, attribs in ld:search(query) do - return true; -- found a result - end +local function ldap_filter_escape(s) return (s:gsub("[\\*\\(\\)\\\\%z]", function(c) return ("\\%02x"):format(c:byte()) end)); end + +local function get_user(username) + module:log("debug", "get_user(%q)", username); + return ld:search({ + base = ldap_base; + scope = ldap_scope; + filter = ldap_filter:format(ldap_filter_escape(username)); + })(); end local provider = {}; -local function ldap_filter_escape(s) return (s:gsub("[\\*\\(\\)\\\\%z]", function(c) return ("\\%02x"):format(c:byte()) end)); end +function provider.get_password(username) + local dn, attr = get_user(username); + if dn and attr then + return attr.userPassword; + end +end + function provider.test_password(username, password) - return do_query({ - base = ldap_base; - scope = ldap_scope; - filter = "(&(uid="..ldap_filter_escape(username)..")(userPassword="..ldap_filter_escape(password)..")(accountStatus=active))"; - }); + return provider.get_password(username) == password; end function provider.user_exists(username) - return do_query({ - base = ldap_base; - scope = ldap_scope; - filter = "(uid="..ldap_filter_escape(username)..")"; - }); + return not not get_user(username); end -function provider.get_password(username) return nil, "Passwords unavailable for LDAP."; end function provider.set_password(username, password) return nil, "Passwords unavailable for LDAP."; end function provider.create_user(username, password) return nil, "Account creation/modification not available with LDAP."; end function provider.get_sasl_handler() - local testpass_authentication_profile = { - plain_test = function(sasl, username, password, realm) - return provider.test_password(username, password), true; + return new_sasl(module.host, { + plain = function(sasl, username) + local password = provider.get_password(username); + if not password then return "", nil; end + return password, true; end - }; - return new_sasl(module.host, testpass_authentication_profile); + }); end module:provides("auth", provider);
