mod_auth_ldap: Add support for having admin status indicated in LDAP

Tue, 01 Mar 2016 10:40:25 +0100

author
Kim Alvefur <zash@zash.se>
date
Tue, 01 Mar 2016 10:40:25 +0100
changeset 2056
e16593e7d482
parent 2055
2c6d84fb82d9
child 2057
1c126c49f5c1

mod_auth_ldap: Add support for having admin status indicated in LDAP

mod_auth_ldap/README.markdown file | annotate | diff | comparison | revisions
mod_auth_ldap/mod_auth_ldap.lua file | annotate | diff | comparison | revisions
--- a/mod_auth_ldap/README.markdown	Tue Mar 01 10:31:10 2016 +0100
+++ b/mod_auth_ldap/README.markdown	Tue Mar 01 10:40:25 2016 +0100
@@ -40,6 +40,7 @@
   ldap\_scope      Search scope. other values: "base" and "onelevel"                                                                      `"subtree"`
   ldap\_tls        Enable TLS (StartTLS) to connect to LDAP (can be true or false). The non-standard 'LDAPS' protocol is not supported.   `false`
   ldap\_mode       How passwords are validated.                                                                                           `"bind"`
+  ldap\_admins     Search filter to match admins, works like ldap\_scope
 
 **Note:** lua-ldap reads from `/etc/ldap/ldap.conf` and other files like
 `~prosody/.ldaprc` if they exist. Users wanting to use a particular TLS
--- a/mod_auth_ldap/mod_auth_ldap.lua	Tue Mar 01 10:31:10 2016 +0100
+++ b/mod_auth_ldap/mod_auth_ldap.lua	Tue Mar 01 10:40:25 2016 +0100
@@ -1,5 +1,6 @@
 -- mod_auth_ldap
 
+local jid_split = require "util.jid".split;
 local new_sasl = require "util.sasl".new;
 local lualdap = require "lualdap";
 local function ldap_filter_escape(s) return (s:gsub("[*()\\%z]", function(c) return ("\\%02x"):format(c:byte()) end)); end
@@ -13,6 +14,7 @@
 local ldap_filter = module:get_option_string("ldap_filter", "(uid=$user)"):gsub("%%s", "$user", 1);
 local ldap_base = assert(module:get_option_string("ldap_base"), "ldap_base is a required option for ldap");
 local ldap_mode = module:get_option_string("ldap_mode", "bind");
+local ldap_admins = module:get_option_string("ldap_admin_filter");
 local host = ldap_filter_escape(module:get_option_string("realm", module.host));
 
 -- Initiate connection
@@ -122,4 +124,19 @@
 	module:log("error", "Unsupported ldap_mode %s", tostring(ldap_mode));
 end
 
+if ldap_admins then
+	function provider.is_admin(jid)
+		local username = jid_split(jid);
+		return ldap_do("search", 2, {
+			base = ldap_base;
+			scope = ldap_scope;
+			sizelimit = 1;
+			filter = ldap_admins:gsub("%$(%a+)", {
+				user = ldap_filter_escape(username);
+				host = host;
+			});
+		});
+	end
+end
+
 module:provides("auth", provider);
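Review bot: The new provider.is_admin feeds the node returned by jid_split(jid) straight into ldap_filter_escape, so a bare-domain JID yields username == nil and the s:gsub call inside the escape helper raises, and the host part of the JID is dropped entirely, so if is_admin is ever reached with a JID from another domain, `alice@other.example` is judged by the same LDAP entry as the local `alice`; guard both with `local username, userhost = jid_split(jid);` followed by `if not username or userhost ~= module.host then return false; end`. The option read in the second hunk is `ldap_admin_filter`, while the README hunk documents it as `ldap_admins` (and says it "works like ldap_scope" where ldap_filter appears to be meant), so one of the two names should change or the documented option will never enable the feature. It would also help to state in a comment that admin status is decided by the truthiness of whatever ldap_do("search", …) returns, since ldap_do is defined outside this hunk and its result for an empty search is not visible here.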
