mirror of
https://github.com/bjc/prosody.git
synced 2025-04-03 21:27:38 +03:00
mod_auth_ldap: Import from prosody-modules rev f52452911187
This commit is contained in:
Kim Alvefur
parent
7f60bc8f3e
commit
a0e91abfe3
1 changed files with 154 additions and 0 deletions
154
plugins/mod_auth_ldap.lua
Normal file
154
plugins/mod_auth_ldap.lua
Normal file
|
|
@ -0,0 +1,154 @@
|
|||
-- mod_auth_ldap
|
||||
|
||||
local jid_split = require "util.jid".split;
|
||||
local new_sasl = require "util.sasl".new;
|
||||
local lualdap = require "lualdap";
|
||||
|
||||
local function ldap_filter_escape(s)
|
||||
return (s:gsub("[*()\\%z]", function(c) return ("\\%02x"):format(c:byte()) end));
|
||||
end
|
||||
|
||||
-- Config options
|
||||
local ldap_server = module:get_option_string("ldap_server", "localhost");
|
||||
local ldap_rootdn = module:get_option_string("ldap_rootdn", "");
|
||||
local ldap_password = module:get_option_string("ldap_password", "");
|
||||
local ldap_tls = module:get_option_boolean("ldap_tls");
|
||||
local ldap_scope = module:get_option_string("ldap_scope", "subtree");
|
||||
local ldap_filter = module:get_option_string("ldap_filter", "(uid=$user)"):gsub("%%s", "$user", 1);
|
||||
local ldap_base = assert(module:get_option_string("ldap_base"), "ldap_base is a required option for ldap");
|
||||
local ldap_mode = module:get_option_string("ldap_mode", "bind");
|
||||
local ldap_admins = module:get_option_string("ldap_admin_filter",
|
||||
module:get_option_string("ldap_admins")); -- COMPAT with mistake in documentation
|
||||
local host = ldap_filter_escape(module:get_option_string("realm", module.host));
|
||||
|
||||
-- Initiate connection
|
||||
local ld = nil;
|
||||
module.unload = function() if ld then pcall(ld, ld.close); end end
|
||||
|
||||
function ldap_do_once(method, ...)
|
||||
if ld == nil then
|
||||
local err;
|
||||
ld, err = lualdap.open_simple(ldap_server, ldap_rootdn, ldap_password, ldap_tls);
|
||||
if not ld then return nil, err, "reconnect"; end
|
||||
end
|
||||
|
||||
-- luacheck: ignore 411/success
|
||||
local success, iterator, invariant, initial = pcall(ld[method], ld, ...);
|
||||
if not success then ld = nil; return nil, iterator, "search"; end
|
||||
|
||||
local success, dn, attr = pcall(iterator, invariant, initial);
|
||||
if not success then ld = nil; return success, dn, "iter"; end
|
||||
|
||||
return dn, attr, "return";
|
||||
end
|
||||
|
||||
function ldap_do(method, retry_count, ...)
|
||||
local dn, attr, where;
|
||||
for _=1,1+retry_count do
|
||||
dn, attr, where = ldap_do_once(method, ...);
|
||||
if dn or not(attr) then break; end -- nothing or something found
|
||||
module:log("warn", "LDAP: %s %s (in %s)", tostring(dn), tostring(attr), where);
|
||||
-- otherwise retry
|
||||
end
|
||||
if not dn and attr then
|
||||
module:log("error", "LDAP: %s", tostring(attr));
|
||||
end
|
||||
return dn, attr;
|
||||
end
|
||||
|
||||
function get_user(username)
|
||||
module:log("debug", "get_user(%q)", username);
|
||||
return ldap_do("search", 2, {
|
||||
base = ldap_base;
|
||||
scope = ldap_scope;
|
||||
sizelimit = 1;
|
||||
filter = ldap_filter:gsub("%$(%a+)", {
|
||||
user = ldap_filter_escape(username);
|
||||
host = host;
|
||||
});
|
||||
});
|
||||
end
|
||||
|
||||
local provider = {};
|
||||
|
||||
function provider.create_user(username, password) -- luacheck: ignore 212
|
||||
return nil, "Account creation not available with LDAP.";
|
||||
end
|
||||
|
||||
function provider.user_exists(username)
|
||||
return not not get_user(username);
|
||||
end
|
||||
|
||||
function provider.set_password(username, password)
|
||||
local dn, attr = get_user(username);
|
||||
if not dn then return nil, attr end
|
||||
if attr.userPassword == password then return true end
|
||||
return ldap_do("modify", 2, dn, { '=', userPassword = password });
|
||||
end
|
||||
|
||||
if ldap_mode == "getpasswd" then
|
||||
function provider.get_password(username)
|
||||
local dn, attr = get_user(username);
|
||||
if dn and attr then
|
||||
return attr.userPassword;
|
||||
end
|
||||
end
|
||||
|
||||
function provider.test_password(username, password)
|
||||
return provider.get_password(username) == password;
|
||||
end
|
||||
|
||||
function provider.get_sasl_handler()
|
||||
return new_sasl(module.host, {
|
||||
plain = function(sasl, username) -- luacheck: ignore 212/sasl
|
||||
local password = provider.get_password(username);
|
||||
if not password then return "", nil; end
|
||||
return password, true;
|
||||
end
|
||||
});
|
||||
end
|
||||
elseif ldap_mode == "bind" then
|
||||
local function test_password(userdn, password)
|
||||
local ok, err = lualdap.open_simple(ldap_server, userdn, password, ldap_tls);
|
||||
if not ok then
|
||||
module:log("debug", "ldap open_simple error: %s", err);
|
||||
end
|
||||
return not not ok;
|
||||
end
|
||||
|
||||
function provider.test_password(username, password)
|
||||
local dn = get_user(username);
|
||||
if not dn then return end
|
||||
return test_password(dn, password)
|
||||
end
|
||||
|
||||
function provider.get_sasl_handler()
|
||||
return new_sasl(module.host, {
|
||||
plain_test = function(sasl, username, password) -- luacheck: ignore 212/sasl
|
||||
return provider.test_password(username, password), true;
|
||||
end
|
||||
});
|
||||
end
|
||||
else
|
||||
module:log("error", "Unsupported ldap_mode %s", tostring(ldap_mode));
|
||||
end
|
||||
|
||||
if ldap_admins then
|
||||
function provider.is_admin(jid)
|
||||
local username, user_host = jid_split(jid);
|
||||
if user_host ~= module.host then
|
||||
return false;
|
||||
end
|
||||
return ldap_do("search", 2, {
|
||||
base = ldap_base;
|
||||
scope = ldap_scope;
|
||||
sizelimit = 1;
|
||||
filter = ldap_admins:gsub("%$(%a+)", {
|
||||
user = ldap_filter_escape(username);
|
||||
host = host;
|
||||
});
|
||||
});
|
||||
end
|
||||
end
|
||||
|
||||
module:provides("auth", provider);
|
||||
Loading…
Add table
Add a link
Reference in a new issue