prosody-modules: mod_auth_ldap/mod_auth_ldap.lua@062ed39a1805 (annotated)

1273 1b543060f31e mod_auth_ldap: Cleanup, reorder and some comments Kim Alvefur <zash@zash.se> parents: 1221 diff changeset	1	-- mod_auth_ldap
293 d76f47a608ab mod_auth_ldap: Convert to real line endings Matthew Wild <mwild1@gmail.com> parents: 286 diff changeset	2
d76f47a608ab mod_auth_ldap: Convert to real line endings Matthew Wild <mwild1@gmail.com> parents: 286 diff changeset	3	local new_sasl = require "util.sasl".new;
1273 1b543060f31e mod_auth_ldap: Cleanup, reorder and some comments Kim Alvefur <zash@zash.se> parents: 1221 diff changeset	4	local lualdap = require "lualdap";
1478 099583539e2c mod_auth_ldap: Remove excess backslashes from escape pattern Kim Alvefur <zash@zash.se> parents: 1376 diff changeset	5	local function ldap_filter_escape(s) return (s:gsub("[*()\\%z]", function(c) return ("\\%02x"):format(c:byte()) end)); end
293 d76f47a608ab mod_auth_ldap: Convert to real line endings Matthew Wild <mwild1@gmail.com> parents: 286 diff changeset	6
1273 1b543060f31e mod_auth_ldap: Cleanup, reorder and some comments Kim Alvefur <zash@zash.se> parents: 1221 diff changeset	7	-- Config options
1162 8e3420d48508 mod_auth_ldap: Switch to type-specific get_option variants Kim Alvefur <zash@zash.se> parents: 902 diff changeset	8	local ldap_server = module:get_option_string("ldap_server", "localhost");
8e3420d48508 mod_auth_ldap: Switch to type-specific get_option variants Kim Alvefur <zash@zash.se> parents: 902 diff changeset	9	local ldap_rootdn = module:get_option_string("ldap_rootdn", "");
8e3420d48508 mod_auth_ldap: Switch to type-specific get_option variants Kim Alvefur <zash@zash.se> parents: 902 diff changeset	10	local ldap_password = module:get_option_string("ldap_password", "");
8e3420d48508 mod_auth_ldap: Switch to type-specific get_option variants Kim Alvefur <zash@zash.se> parents: 902 diff changeset	11	local ldap_tls = module:get_option_boolean("ldap_tls");
1163 52bee1247014 mod_auth_ldap: Add a configurable scope, defaulting to onelevel Kim Alvefur <zash@zash.se> parents: 1162 diff changeset	12	local ldap_scope = module:get_option_string("ldap_scope", "onelevel");
1287 da2e593317d7 mod_auth_ldap: Switch config format for ldap_filter to eg (uid=$user) Kim Alvefur <zash@zash.se> parents: 1274 diff changeset	13	local ldap_filter = module:get_option_string("ldap_filter", "(uid=$user)"):gsub("%%s", "$user", 1);
1162 8e3420d48508 mod_auth_ldap: Switch to type-specific get_option variants Kim Alvefur <zash@zash.se> parents: 902 diff changeset	14	local ldap_base = assert(module:get_option_string("ldap_base"), "ldap_base is a required option for ldap");
1479 9a0a0cfd3710 mod_auth_ldap: Change default for ldap_mode to "bind", everyone seems to be using that Kim Alvefur <zash@zash.se> parents: 1478 diff changeset	15	local ldap_mode = module:get_option_string("ldap_mode", "bind");
1287 da2e593317d7 mod_auth_ldap: Switch config format for ldap_filter to eg (uid=$user) Kim Alvefur <zash@zash.se> parents: 1274 diff changeset	16	local host = ldap_filter_escape(module:get_option_string("realm", module.host));
293 d76f47a608ab mod_auth_ldap: Convert to real line endings Matthew Wild <mwild1@gmail.com> parents: 286 diff changeset	17
1273 1b543060f31e mod_auth_ldap: Cleanup, reorder and some comments Kim Alvefur <zash@zash.se> parents: 1221 diff changeset	18	-- Initiate connection
1613 5f139770061e mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error. Waqas Hussain <waqas20@gmail.com> parents: 1479 diff changeset	19	local ld = nil;
5f139770061e mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error. Waqas Hussain <waqas20@gmail.com> parents: 1479 diff changeset	20	module.unload = function() if ld then pcall(ld, ld.close); end end
5f139770061e mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error. Waqas Hussain <waqas20@gmail.com> parents: 1479 diff changeset	21
5f139770061e mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error. Waqas Hussain <waqas20@gmail.com> parents: 1479 diff changeset	22	function ldap_search_once(args)
5f139770061e mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error. Waqas Hussain <waqas20@gmail.com> parents: 1479 diff changeset	23	if ld == nil then
5f139770061e mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error. Waqas Hussain <waqas20@gmail.com> parents: 1479 diff changeset	24	local err;
5f139770061e mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error. Waqas Hussain <waqas20@gmail.com> parents: 1479 diff changeset	25	ld, err = lualdap.open_simple(ldap_server, ldap_rootdn, ldap_password, ldap_tls);
5f139770061e mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error. Waqas Hussain <waqas20@gmail.com> parents: 1479 diff changeset	26	if not ld then return nil, err, "reconnect"; end
5f139770061e mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error. Waqas Hussain <waqas20@gmail.com> parents: 1479 diff changeset	27	end
5f139770061e mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error. Waqas Hussain <waqas20@gmail.com> parents: 1479 diff changeset	28
5f139770061e mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error. Waqas Hussain <waqas20@gmail.com> parents: 1479 diff changeset	29	local success, iterator, invariant, initial = pcall(ld.search, ld, args);
5f139770061e mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error. Waqas Hussain <waqas20@gmail.com> parents: 1479 diff changeset	30	if not success then ld = nil; return nil, iterator, "search"; end
5f139770061e mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error. Waqas Hussain <waqas20@gmail.com> parents: 1479 diff changeset	31
5f139770061e mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error. Waqas Hussain <waqas20@gmail.com> parents: 1479 diff changeset	32	local success, dn, attr = pcall(iterator, invariant, initial);
5f139770061e mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error. Waqas Hussain <waqas20@gmail.com> parents: 1479 diff changeset	33	if not success then ld = nil; return success, dn, "iter"; end
5f139770061e mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error. Waqas Hussain <waqas20@gmail.com> parents: 1479 diff changeset	34
5f139770061e mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error. Waqas Hussain <waqas20@gmail.com> parents: 1479 diff changeset	35	return dn, attr, "return";
5f139770061e mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error. Waqas Hussain <waqas20@gmail.com> parents: 1479 diff changeset	36	end
5f139770061e mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error. Waqas Hussain <waqas20@gmail.com> parents: 1479 diff changeset	37
5f139770061e mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error. Waqas Hussain <waqas20@gmail.com> parents: 1479 diff changeset	38	function ldap_search(args, retry_count)
5f139770061e mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error. Waqas Hussain <waqas20@gmail.com> parents: 1479 diff changeset	39	local dn, attr, where;
5f139770061e mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error. Waqas Hussain <waqas20@gmail.com> parents: 1479 diff changeset	40	for i=1,1+retry_count do
5f139770061e mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error. Waqas Hussain <waqas20@gmail.com> parents: 1479 diff changeset	41	dn, attr, where = ldap_search_once(args);
5f139770061e mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error. Waqas Hussain <waqas20@gmail.com> parents: 1479 diff changeset	42	if dn or not(attr) then break; end -- nothing or something found
5f139770061e mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error. Waqas Hussain <waqas20@gmail.com> parents: 1479 diff changeset	43	module:log("warn", "LDAP: %s %s (in %s)", tostring(dn), tostring(attr), where);
5f139770061e mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error. Waqas Hussain <waqas20@gmail.com> parents: 1479 diff changeset	44	-- otherwise retry
5f139770061e mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error. Waqas Hussain <waqas20@gmail.com> parents: 1479 diff changeset	45	end
5f139770061e mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error. Waqas Hussain <waqas20@gmail.com> parents: 1479 diff changeset	46	if not dn and attr then
5f139770061e mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error. Waqas Hussain <waqas20@gmail.com> parents: 1479 diff changeset	47	module:log("error", "LDAP: %s", tostring(attr));
5f139770061e mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error. Waqas Hussain <waqas20@gmail.com> parents: 1479 diff changeset	48	end
5f139770061e mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error. Waqas Hussain <waqas20@gmail.com> parents: 1479 diff changeset	49	return dn, attr;
5f139770061e mod_auth_ldap: Connect to LDAP lazily, and add support for reconnects on error. Waqas Hussain <waqas20@gmail.com> parents: 1479 diff changeset	50	end
293 d76f47a608ab mod_auth_ldap: Convert to real line endings Matthew Wild <mwild1@gmail.com> parents: 286 diff changeset	51
1190 c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar. Kim Alvefur <zash@zash.se> parents: 1163 diff changeset	52	local function get_user(username)
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar. Kim Alvefur <zash@zash.se> parents: 1163 diff changeset	53	module:log("debug", "get_user(%q)", username);
1614 062ed39a1805 mod_auth_ldap: Fix nil traceback when using uninitialized LDAP connection. Waqas Hussain <waqas20@gmail.com> parents: 1613 diff changeset	54	for dn, attr in ldap_search({
1190 c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar. Kim Alvefur <zash@zash.se> parents: 1163 diff changeset	55	base = ldap_base;
c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar. Kim Alvefur <zash@zash.se> parents: 1163 diff changeset	56	scope = ldap_scope;
1375 90bde50b3915 mod_auth_ldap: Limit results in user lookup query to 1 Kim Alvefur <zash@zash.se> parents: 1374 diff changeset	57	sizelimit = 1;
1287 da2e593317d7 mod_auth_ldap: Switch config format for ldap_filter to eg (uid=$user) Kim Alvefur <zash@zash.se> parents: 1274 diff changeset	58	filter = ldap_filter:gsub("%$(%a+)", {
da2e593317d7 mod_auth_ldap: Switch config format for ldap_filter to eg (uid=$user) Kim Alvefur <zash@zash.se> parents: 1274 diff changeset	59	user = ldap_filter_escape(username);
da2e593317d7 mod_auth_ldap: Switch config format for ldap_filter to eg (uid=$user) Kim Alvefur <zash@zash.se> parents: 1274 diff changeset	60	host = host;
da2e593317d7 mod_auth_ldap: Switch config format for ldap_filter to eg (uid=$user) Kim Alvefur <zash@zash.se> parents: 1274 diff changeset	61	});
1614 062ed39a1805 mod_auth_ldap: Fix nil traceback when using uninitialized LDAP connection. Waqas Hussain <waqas20@gmail.com> parents: 1613 diff changeset	62	}, 3) do return dn, attr; end
293 d76f47a608ab mod_auth_ldap: Convert to real line endings Matthew Wild <mwild1@gmail.com> parents: 286 diff changeset	63	end
d76f47a608ab mod_auth_ldap: Convert to real line endings Matthew Wild <mwild1@gmail.com> parents: 286 diff changeset	64
814 881ec9919144 mod_auth_: Use module:provides(), and don't explicitly specify provider.name. Waqas Hussain <waqas20@gmail.com>* parents: 342 diff changeset	65	local provider = {};
293 d76f47a608ab mod_auth_ldap: Convert to real line endings Matthew Wild <mwild1@gmail.com> parents: 286 diff changeset	66
1273 1b543060f31e mod_auth_ldap: Cleanup, reorder and some comments Kim Alvefur <zash@zash.se> parents: 1221 diff changeset	67	function provider.create_user(username, password)
1b543060f31e mod_auth_ldap: Cleanup, reorder and some comments Kim Alvefur <zash@zash.se> parents: 1221 diff changeset	68	return nil, "Account creation not available with LDAP.";
1b543060f31e mod_auth_ldap: Cleanup, reorder and some comments Kim Alvefur <zash@zash.se> parents: 1221 diff changeset	69	end
1b543060f31e mod_auth_ldap: Cleanup, reorder and some comments Kim Alvefur <zash@zash.se> parents: 1221 diff changeset	70
1b543060f31e mod_auth_ldap: Cleanup, reorder and some comments Kim Alvefur <zash@zash.se> parents: 1221 diff changeset	71	function provider.user_exists(username)
1b543060f31e mod_auth_ldap: Cleanup, reorder and some comments Kim Alvefur <zash@zash.se> parents: 1221 diff changeset	72	return not not get_user(username);
1b543060f31e mod_auth_ldap: Cleanup, reorder and some comments Kim Alvefur <zash@zash.se> parents: 1221 diff changeset	73	end
1b543060f31e mod_auth_ldap: Cleanup, reorder and some comments Kim Alvefur <zash@zash.se> parents: 1221 diff changeset	74
1b543060f31e mod_auth_ldap: Cleanup, reorder and some comments Kim Alvefur <zash@zash.se> parents: 1221 diff changeset	75	function provider.set_password(username, password)
1b543060f31e mod_auth_ldap: Cleanup, reorder and some comments Kim Alvefur <zash@zash.se> parents: 1221 diff changeset	76	local dn, attr = get_user(username);
1b543060f31e mod_auth_ldap: Cleanup, reorder and some comments Kim Alvefur <zash@zash.se> parents: 1221 diff changeset	77	if not dn then return nil, attr end
1b543060f31e mod_auth_ldap: Cleanup, reorder and some comments Kim Alvefur <zash@zash.se> parents: 1221 diff changeset	78	if attr.userPassword == password then return true end
1b543060f31e mod_auth_ldap: Cleanup, reorder and some comments Kim Alvefur <zash@zash.se> parents: 1221 diff changeset	79	return ld:modify(dn, { '=', userPassword = password })();
1b543060f31e mod_auth_ldap: Cleanup, reorder and some comments Kim Alvefur <zash@zash.se> parents: 1221 diff changeset	80	end
1274 4b15437d6c56 mod_auth_ldap: Add support for binding Kim Alvefur <zash@zash.se> parents: 1273 diff changeset	81
4b15437d6c56 mod_auth_ldap: Add support for binding Kim Alvefur <zash@zash.se> parents: 1273 diff changeset	82	if ldap_mode == "getpasswd" then
4b15437d6c56 mod_auth_ldap: Add support for binding Kim Alvefur <zash@zash.se> parents: 1273 diff changeset	83	function provider.get_password(username)
4b15437d6c56 mod_auth_ldap: Add support for binding Kim Alvefur <zash@zash.se> parents: 1273 diff changeset	84	local dn, attr = get_user(username);
4b15437d6c56 mod_auth_ldap: Add support for binding Kim Alvefur <zash@zash.se> parents: 1273 diff changeset	85	if dn and attr then
4b15437d6c56 mod_auth_ldap: Add support for binding Kim Alvefur <zash@zash.se> parents: 1273 diff changeset	86	return attr.userPassword;
4b15437d6c56 mod_auth_ldap: Add support for binding Kim Alvefur <zash@zash.se> parents: 1273 diff changeset	87	end
1190 c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar. Kim Alvefur <zash@zash.se> parents: 1163 diff changeset	88	end
1274 4b15437d6c56 mod_auth_ldap: Add support for binding Kim Alvefur <zash@zash.se> parents: 1273 diff changeset	89
4b15437d6c56 mod_auth_ldap: Add support for binding Kim Alvefur <zash@zash.se> parents: 1273 diff changeset	90	function provider.test_password(username, password)
4b15437d6c56 mod_auth_ldap: Add support for binding Kim Alvefur <zash@zash.se> parents: 1273 diff changeset	91	return provider.get_password(username) == password;
4b15437d6c56 mod_auth_ldap: Add support for binding Kim Alvefur <zash@zash.se> parents: 1273 diff changeset	92	end
1190 c99d8b666eb4 mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar. Kim Alvefur <zash@zash.se> parents: 1163 diff changeset	93
1274 4b15437d6c56 mod_auth_ldap: Add support for binding Kim Alvefur <zash@zash.se> parents: 1273 diff changeset	94	function provider.get_sasl_handler()
4b15437d6c56 mod_auth_ldap: Add support for binding Kim Alvefur <zash@zash.se> parents: 1273 diff changeset	95	return new_sasl(module.host, {
4b15437d6c56 mod_auth_ldap: Add support for binding Kim Alvefur <zash@zash.se> parents: 1273 diff changeset	96	plain = function(sasl, username)
4b15437d6c56 mod_auth_ldap: Add support for binding Kim Alvefur <zash@zash.se> parents: 1273 diff changeset	97	local password = provider.get_password(username);
4b15437d6c56 mod_auth_ldap: Add support for binding Kim Alvefur <zash@zash.se> parents: 1273 diff changeset	98	if not password then return "", nil; end
4b15437d6c56 mod_auth_ldap: Add support for binding Kim Alvefur <zash@zash.se> parents: 1273 diff changeset	99	return password, true;
4b15437d6c56 mod_auth_ldap: Add support for binding Kim Alvefur <zash@zash.se> parents: 1273 diff changeset	100	end
4b15437d6c56 mod_auth_ldap: Add support for binding Kim Alvefur <zash@zash.se> parents: 1273 diff changeset	101	});
4b15437d6c56 mod_auth_ldap: Add support for binding Kim Alvefur <zash@zash.se> parents: 1273 diff changeset	102	end
4b15437d6c56 mod_auth_ldap: Add support for binding Kim Alvefur <zash@zash.se> parents: 1273 diff changeset	103	elseif ldap_mode == "bind" then
4b15437d6c56 mod_auth_ldap: Add support for binding Kim Alvefur <zash@zash.se> parents: 1273 diff changeset	104	local function test_password(userdn, password)
4b15437d6c56 mod_auth_ldap: Add support for binding Kim Alvefur <zash@zash.se> parents: 1273 diff changeset	105	return not not lualdap.open_simple(ldap_server, userdn, password, ldap_tls);
4b15437d6c56 mod_auth_ldap: Add support for binding Kim Alvefur <zash@zash.se> parents: 1273 diff changeset	106	end
293 d76f47a608ab mod_auth_ldap: Convert to real line endings Matthew Wild <mwild1@gmail.com> parents: 286 diff changeset	107
1274 4b15437d6c56 mod_auth_ldap: Add support for binding Kim Alvefur <zash@zash.se> parents: 1273 diff changeset	108	function provider.test_password(username, password)
4b15437d6c56 mod_auth_ldap: Add support for binding Kim Alvefur <zash@zash.se> parents: 1273 diff changeset	109	local dn = get_user(username);
4b15437d6c56 mod_auth_ldap: Add support for binding Kim Alvefur <zash@zash.se> parents: 1273 diff changeset	110	if not dn then return end
4b15437d6c56 mod_auth_ldap: Add support for binding Kim Alvefur <zash@zash.se> parents: 1273 diff changeset	111	return test_password(dn, password)
4b15437d6c56 mod_auth_ldap: Add support for binding Kim Alvefur <zash@zash.se> parents: 1273 diff changeset	112	end
4b15437d6c56 mod_auth_ldap: Add support for binding Kim Alvefur <zash@zash.se> parents: 1273 diff changeset	113
4b15437d6c56 mod_auth_ldap: Add support for binding Kim Alvefur <zash@zash.se> parents: 1273 diff changeset	114	function provider.get_sasl_handler()
4b15437d6c56 mod_auth_ldap: Add support for binding Kim Alvefur <zash@zash.se> parents: 1273 diff changeset	115	return new_sasl(module.host, {
4b15437d6c56 mod_auth_ldap: Add support for binding Kim Alvefur <zash@zash.se> parents: 1273 diff changeset	116	plain_test = function(sasl, username, password)
4b15437d6c56 mod_auth_ldap: Add support for binding Kim Alvefur <zash@zash.se> parents: 1273 diff changeset	117	return provider.test_password(username, password), true;
4b15437d6c56 mod_auth_ldap: Add support for binding Kim Alvefur <zash@zash.se> parents: 1273 diff changeset	118	end
4b15437d6c56 mod_auth_ldap: Add support for binding Kim Alvefur <zash@zash.se> parents: 1273 diff changeset	119	});
4b15437d6c56 mod_auth_ldap: Add support for binding Kim Alvefur <zash@zash.se> parents: 1273 diff changeset	120	end
4b15437d6c56 mod_auth_ldap: Add support for binding Kim Alvefur <zash@zash.se> parents: 1273 diff changeset	121	else
4b15437d6c56 mod_auth_ldap: Add support for binding Kim Alvefur <zash@zash.se> parents: 1273 diff changeset	122	module:log("error", "Unsupported ldap_mode %s", tostring(ldap_mode));
293 d76f47a608ab mod_auth_ldap: Convert to real line endings Matthew Wild <mwild1@gmail.com> parents: 286 diff changeset	123	end
d76f47a608ab mod_auth_ldap: Convert to real line endings Matthew Wild <mwild1@gmail.com> parents: 286 diff changeset	124
814 881ec9919144 mod_auth_: Use module:provides(), and don't explicitly specify provider.name. Waqas Hussain <waqas20@gmail.com>* parents: 342 diff changeset	125	module:provides("auth", provider);

author	Waqas Hussain <waqas20@gmail.com>
	Fri, 13 Feb 2015 10:44:23 -0500
changeset 1614	062ed39a1805
parent 1613	5f139770061e
child 1615	770236ea9678
permissions	-rw-r--r--