| author | Matthew Wild <mwild1@gmail.com> |
| Thu, 23 Dec 2010 20:48:24 +0000 | |
| changeset 293 | d76f47a608ab |
| parent 286 | ca6199d73d68 |
| child 305 | 4c3abf1a9b5a |
| permissions | -rw-r--r-- |
|
293
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
1 |
|
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
2 |
local new_sasl = require "util.sasl".new; |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
3 |
local nodeprep = require "util.encodings".stringprep.nodeprep; |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
4 |
local log = require "util.logger".init("auth_ldap"); |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
5 |
|
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
6 |
local ldap_server = module:get_option("ldap_server") or "localhost"; |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
7 |
local ldap_rootdn = module:get_option("ldap_rootdn") or ""; |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
8 |
local ldap_password = module:get_option("ldap_password") or ""; |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
9 |
local ldap_tls = module:get_option("ldap_tls"); |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
10 |
local ldap_base = assert(module:get_option("ldap_base"), "ldap_base is a required option for ldap"); |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
11 |
|
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
12 |
local lualdap = require "lualdap"; |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
13 |
local ld = assert(lualdap.open_simple(ldap_server, ldap_rootdn, ldap_password, ldap_tls)); |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
14 |
module.unload = function() ld:close(); end |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
15 |
|
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
16 |
function do_query(query) |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
17 |
for dn, attribs in ld:search(query) do |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
18 |
return true; -- found a result |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
19 |
end |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
20 |
end |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
21 |
|
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
22 |
local provider = { name = "ldap" }; |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
23 |
|
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
24 |
local function ldap_filter_escape(s) return (s:gsub("[\\*\\(\\)\\\\%z]", function(c) return ("\\%02x"):format(c:byte()) end)); end |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
25 |
function provider.test_password(username, password) |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
26 |
return do_query({ |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
27 |
base = ldap_base; |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
28 |
filter = "(&(uid="..ldap_filter_escape(username)..")(userPassword="..ldap_filter_escape(password)..")(accountStatus=active))"; |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
29 |
}); |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
30 |
end |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
31 |
function provider.user_exists(username) |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
32 |
return do_query({ |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
33 |
base = ldap_base; |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
34 |
filter = "(uid="..ldap_filter_escape(username)..")"; |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
35 |
}); |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
36 |
end |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
37 |
|
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
38 |
function provider.get_password(username) return nil, "Passwords unavailable for LDAP."; end |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
39 |
function provider.set_password(username, password) return nil, "Passwords unavailable for LDAP."; end |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
40 |
function provider.create_user(username, password) return nil, "Account creation/modification not available with LDAP."; end |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
41 |
|
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
42 |
function provider.get_sasl_handler() |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
43 |
local realm = module:get_option("sasl_realm") or module.host; |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
44 |
local testpass_authentication_profile = { |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
45 |
plain_test = function(username, password, realm) |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
46 |
local prepped_username = nodeprep(username); |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
47 |
if not prepped_username then |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
48 |
log("debug", "NODEprep failed on username: %s", username); |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
49 |
return "", nil; |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
50 |
end |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
51 |
return provider.test_password(prepped_username, password), true; |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
52 |
end |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
53 |
}; |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
54 |
return new_sasl(realm, testpass_authentication_profile); |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
55 |
end |
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
56 |
|
|
d76f47a608ab
mod_auth_ldap: Convert to real line endings
Matthew Wild <mwild1@gmail.com>
parents:
286
diff
changeset
|
57 |
module:add_item("auth-provider", provider); |