| author | Kim Alvefur <zash@zash.se> |
| Tue, 05 Aug 2014 15:23:35 +0200 | |
| changeset 1479 | 9a0a0cfd3710 |
| parent 1478 | 099583539e2c |
| child 1593 | 3e4d15ae2133 |
| child 1613 | 5f139770061e |
| permissions | -rw-r--r-- |
|
1273
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
1 |
-- mod_auth_ldap |
|
293
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
2 |
|
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
3 |
local new_sasl = require "util.sasl".new; |
|
1273
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
4 |
local lualdap = require "lualdap"; |
|
1478
099583539e2c
mod_auth_ldap: Remove excess backslashes from escape pattern
Kim Alvefur <zash@zash.se>
parents:
1376
diff
changeset
|
5 |
local function ldap_filter_escape(s) return (s:gsub("[*()\\%z]", function(c) return ("\\%02x"):format(c:byte()) end)); end |
|
293
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
6 |
|
|
1273
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
7 |
-- Config options |
|
1162
8e3420d48508
mod_auth_ldap: Switch to type-specific get_option variants
Kim Alvefur <zash@zash.se>
parents:
902
diff
changeset
|
8 |
local ldap_server = module:get_option_string("ldap_server", "localhost"); |
|
8e3420d48508
mod_auth_ldap: Switch to type-specific get_option variants
Kim Alvefur <zash@zash.se>
parents:
902
diff
changeset
|
9 |
local ldap_rootdn = module:get_option_string("ldap_rootdn", ""); |
|
8e3420d48508
mod_auth_ldap: Switch to type-specific get_option variants
Kim Alvefur <zash@zash.se>
parents:
902
diff
changeset
|
10 |
local ldap_password = module:get_option_string("ldap_password", ""); |
|
8e3420d48508
mod_auth_ldap: Switch to type-specific get_option variants
Kim Alvefur <zash@zash.se>
parents:
902
diff
changeset
|
11 |
local ldap_tls = module:get_option_boolean("ldap_tls"); |
|
1163
52bee1247014
mod_auth_ldap: Add a configurable scope, defaulting to onelevel
Kim Alvefur <zash@zash.se>
parents:
1162
diff
changeset
|
12 |
local ldap_scope = module:get_option_string("ldap_scope", "onelevel"); |
|
1287
da2e593317d7
mod_auth_ldap: Switch config format for ldap_filter to eg (uid=$user)
Kim Alvefur <zash@zash.se>
parents:
1274
diff
changeset
|
13 |
local ldap_filter = module:get_option_string("ldap_filter", "(uid=$user)"):gsub("%%s", "$user", 1); |
|
1162
8e3420d48508
mod_auth_ldap: Switch to type-specific get_option variants
Kim Alvefur <zash@zash.se>
parents:
902
diff
changeset
|
14 |
local ldap_base = assert(module:get_option_string("ldap_base"), "ldap_base is a required option for ldap"); |
|
1479
9a0a0cfd3710
mod_auth_ldap: Change default for ldap_mode to "bind", everyone seems to be using that
Kim Alvefur <zash@zash.se>
parents:
1478
diff
changeset
|
15 |
local ldap_mode = module:get_option_string("ldap_mode", "bind"); |
|
1287
da2e593317d7
mod_auth_ldap: Switch config format for ldap_filter to eg (uid=$user)
Kim Alvefur <zash@zash.se>
parents:
1274
diff
changeset
|
16 |
local host = ldap_filter_escape(module:get_option_string("realm", module.host)); |
|
293
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
17 |
|
|
1273
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
18 |
-- Initiate connection |
|
293
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
19 |
local ld = assert(lualdap.open_simple(ldap_server, ldap_rootdn, ldap_password, ldap_tls)); |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
20 |
module.unload = function() ld:close(); end |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
21 |
|
|
1190
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
22 |
local function get_user(username) |
|
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
23 |
module:log("debug", "get_user(%q)", username); |
|
1374
ab638f6b53dc
mod_auth_ldap: Fix issue with some versions of LuaLDAP
Kim Alvefur <zash@zash.se>
parents:
1287
diff
changeset
|
24 |
for dn, attr in ld:search({ |
|
1190
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
25 |
base = ldap_base; |
|
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
26 |
scope = ldap_scope; |
|
1375
90bde50b3915
mod_auth_ldap: Limit results in user lookup query to 1
Kim Alvefur <zash@zash.se>
parents:
1374
diff
changeset
|
27 |
sizelimit = 1; |
|
1287
da2e593317d7
mod_auth_ldap: Switch config format for ldap_filter to eg (uid=$user)
Kim Alvefur <zash@zash.se>
parents:
1274
diff
changeset
|
28 |
filter = ldap_filter:gsub("%$(%a+)", { |
|
da2e593317d7
mod_auth_ldap: Switch config format for ldap_filter to eg (uid=$user)
Kim Alvefur <zash@zash.se>
parents:
1274
diff
changeset
|
29 |
user = ldap_filter_escape(username); |
|
da2e593317d7
mod_auth_ldap: Switch config format for ldap_filter to eg (uid=$user)
Kim Alvefur <zash@zash.se>
parents:
1274
diff
changeset
|
30 |
host = host; |
|
da2e593317d7
mod_auth_ldap: Switch config format for ldap_filter to eg (uid=$user)
Kim Alvefur <zash@zash.se>
parents:
1274
diff
changeset
|
31 |
}); |
|
1374
ab638f6b53dc
mod_auth_ldap: Fix issue with some versions of LuaLDAP
Kim Alvefur <zash@zash.se>
parents:
1287
diff
changeset
|
32 |
}) do return dn, attr; end |
|
293
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
33 |
end |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
34 |
|
|
814
881ec9919144
mod_auth_*: Use module:provides(), and don't explicitly specify provider.name.
Waqas Hussain <waqas20@gmail.com>
parents:
342
diff
changeset
|
35 |
local provider = {}; |
|
293
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
36 |
|
|
1273
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
37 |
function provider.create_user(username, password) |
|
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
38 |
return nil, "Account creation not available with LDAP."; |
|
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
39 |
end |
|
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
40 |
|
|
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
41 |
function provider.user_exists(username) |
|
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
42 |
return not not get_user(username); |
|
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
43 |
end |
|
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
44 |
|
|
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
45 |
function provider.set_password(username, password) |
|
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
46 |
local dn, attr = get_user(username); |
|
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
47 |
if not dn then return nil, attr end |
|
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
48 |
if attr.userPassword == password then return true end |
|
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
49 |
return ld:modify(dn, { '=', userPassword = password })(); |
|
1b543060f31e
mod_auth_ldap: Cleanup, reorder and some comments
Kim Alvefur <zash@zash.se>
parents:
1221
diff
changeset
|
50 |
end |
|
1274
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
51 |
|
|
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
52 |
if ldap_mode == "getpasswd" then |
|
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
53 |
function provider.get_password(username) |
|
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
54 |
local dn, attr = get_user(username); |
|
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
55 |
if dn and attr then |
|
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
56 |
return attr.userPassword; |
|
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
57 |
end |
|
1190
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
58 |
end |
|
1274
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
59 |
|
|
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
60 |
function provider.test_password(username, password) |
|
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
61 |
return provider.get_password(username) == password; |
|
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
62 |
end |
|
1190
c99d8b666eb4
mod_auth_ldap: Convert from plain_test to plain mode, allowing SCRAM and similar.
Kim Alvefur <zash@zash.se>
parents:
1163
diff
changeset
|
63 |
|
|
1274
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
64 |
function provider.get_sasl_handler() |
|
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
65 |
return new_sasl(module.host, { |
|
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
66 |
plain = function(sasl, username) |
|
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
67 |
local password = provider.get_password(username); |
|
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
68 |
if not password then return "", nil; end |
|
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
69 |
return password, true; |
|
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
70 |
end |
|
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
71 |
}); |
|
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
72 |
end |
|
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
73 |
elseif ldap_mode == "bind" then |
|
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
74 |
local function test_password(userdn, password) |
|
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
75 |
return not not lualdap.open_simple(ldap_server, userdn, password, ldap_tls); |
|
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
76 |
end |
|
293
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
77 |
|
|
1274
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
78 |
function provider.test_password(username, password) |
|
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
79 |
local dn = get_user(username); |
|
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
80 |
if not dn then return end |
|
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
81 |
return test_password(dn, password) |
|
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
82 |
end |
|
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
83 |
|
|
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
84 |
function provider.get_sasl_handler() |
|
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
85 |
return new_sasl(module.host, { |
|
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
86 |
plain_test = function(sasl, username, password) |
|
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
87 |
return provider.test_password(username, password), true; |
|
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
88 |
end |
|
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
89 |
}); |
|
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
90 |
end |
|
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
91 |
else |
|
4b15437d6c56
mod_auth_ldap: Add support for binding
Kim Alvefur <zash@zash.se>
parents:
1273
diff
changeset
|
92 |
module:log("error", "Unsupported ldap_mode %s", tostring(ldap_mode)); |
|
293
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
93 |
end |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
94 |
|
|
814
881ec9919144
mod_auth_*: Use module:provides(), and don't explicitly specify provider.name.
Waqas Hussain <waqas20@gmail.com>
parents:
342
diff
changeset
|
95 |
module:provides("auth", provider); |