--- a/mod_auth_ldap/README.markdown Tue Mar 01 10:31:10 2016 +0100
+++ b/mod_auth_ldap/README.markdown Tue Mar 01 10:40:25 2016 +0100
@@ -40,6 +40,7 @@
ldap\_scope Search scope. other values: "base" and "onelevel" `"subtree"`
ldap\_tls Enable TLS (StartTLS) to connect to LDAP (can be true or false). The non-standard 'LDAPS' protocol is not supported. `false`
ldap\_mode How passwords are validated. `"bind"`
+ ldap\_admins Search filter to match admins, works like ldap\_scope
**Note:** lua-ldap reads from `/etc/ldap/ldap.conf` and other files like
`~prosody/.ldaprc` if they exist. Users wanting to use a particular TLS
--- a/mod_auth_ldap/mod_auth_ldap.lua Tue Mar 01 10:31:10 2016 +0100
+++ b/mod_auth_ldap/mod_auth_ldap.lua Tue Mar 01 10:40:25 2016 +0100
@@ -1,5 +1,6 @@
-- mod_auth_ldap
+local jid_split = require "util.jid".split;
local new_sasl = require "util.sasl".new;
local lualdap = require "lualdap";
local function ldap_filter_escape(s) return (s:gsub("[*()\\%z]", function(c) return ("\\%02x"):format(c:byte()) end)); end
@@ -13,6 +14,7 @@
local ldap_filter = module:get_option_string("ldap_filter", "(uid=$user)"):gsub("%%s", "$user", 1);
local ldap_base = assert(module:get_option_string("ldap_base"), "ldap_base is a required option for ldap");
local ldap_mode = module:get_option_string("ldap_mode", "bind");
+local ldap_admins = module:get_option_string("ldap_admin_filter");
local host = ldap_filter_escape(module:get_option_string("realm", module.host));
-- Initiate connection
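Review bot: The option key read on the added line, `ldap_admin_filter`, does not match the README entry the same commit adds, which documents the setting as `ldap_admins`; one of the two has to change or the feature is silently inactive for anyone following the docs. Since every other option in this file is named after its local (`ldap_filter`, `ldap_base`, `ldap_mode`), the least surprising fix is `local ldap_admins = module:get_option_string("ldap_admins");`, otherwise the README row should say `ldap_admin_filter`. The README row also says the filter "works like ldap_scope"; from the code it is substituted like `ldap_filter` (`$user`/`$host` placeholders), so "works like ldap_filter" is the accurate wording.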
@@ -122,4 +124,19 @@
module:log("error", "Unsupported ldap_mode %s", tostring(ldap_mode));
end
+if ldap_admins then
+ function provider.is_admin(jid)
+ local username = jid_split(jid);
+ return ldap_do("search", 2, {
+ base = ldap_base;
+ scope = ldap_scope;
+ sizelimit = 1;
+ filter = ldap_admins:gsub("%$(%a+)", {
+ user = ldap_filter_escape(username);
+ host = host;
+ });
+ });
+ end
+end
+
module:provides("auth", provider);
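Review bot: `provider.is_admin` drops the host returned by `jid_split(jid)` and matches on the local-part alone, so if the caller can hand it a JID from another host (I cannot see the caller from here) `alice@other.example` is reported as an admin whenever an LDAP entry for `alice` matches the admin filter on this host. It also passes a `nil` username to `ldap_filter_escape` for a bare-domain JID, which raises on `s:gsub`. Both are closed by checking the split result before building the filter: `local username, jid_host = jid_split(jid);` followed by `if not username or jid_host ~= module.host then return false; end`. A short comment such as `-- the filter keys on local-part only, so restrict the check to JIDs of this host` would record why the host comparison is there. The return value is whatever `ldap_do("search", …)` yields, which is defined outside the hunk; if that can be `nil` rather than `false`, callers comparing against `false` should be kept in mind.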