From a0e91abfe30be8005bc1748157d6c7829499a375 Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Tue, 5 Oct 2021 17:25:01 +0200
Subject: mod_auth_ldap: Import from prosody-modules rev f52452911187

---
 plugins/mod_auth_ldap.lua | 154 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 154 insertions(+)
 create mode 100644 plugins/mod_auth_ldap.lua

(limited to 'plugins/mod_auth_ldap.lua')

diff --git a/plugins/mod_auth_ldap.lua b/plugins/mod_auth_ldap.lua
new file mode 100644
index 00000000..4d484aaa
--- /dev/null
+++ b/plugins/mod_auth_ldap.lua
@@ -0,0 +1,154 @@
+-- mod_auth_ldap
+
+local jid_split = require "util.jid".split;
+local new_sasl = require "util.sasl".new;
+local lualdap = require "lualdap";
+
+local function ldap_filter_escape(s)
+	return (s:gsub("[*()\\%z]", function(c) return ("\\%02x"):format(c:byte()) end));
+end
+
+-- Config options
+local ldap_server = module:get_option_string("ldap_server", "localhost");
+local ldap_rootdn = module:get_option_string("ldap_rootdn", "");
+local ldap_password = module:get_option_string("ldap_password", "");
+local ldap_tls = module:get_option_boolean("ldap_tls");
+local ldap_scope = module:get_option_string("ldap_scope", "subtree");
+local ldap_filter = module:get_option_string("ldap_filter", "(uid=$user)"):gsub("%%s", "$user", 1);
+local ldap_base = assert(module:get_option_string("ldap_base"), "ldap_base is a required option for ldap");
+local ldap_mode = module:get_option_string("ldap_mode", "bind");
+local ldap_admins = module:get_option_string("ldap_admin_filter",
+	module:get_option_string("ldap_admins")); -- COMPAT with mistake in documentation
+local host = ldap_filter_escape(module:get_option_string("realm", module.host));
+
+-- Initiate connection
+local ld = nil;
+module.unload = function() if ld then pcall(ld, ld.close); end end
+
+function ldap_do_once(method, ...)
+	if ld == nil then
+		local err;
+		ld, err = lualdap.open_simple(ldap_server, ldap_rootdn, ldap_password, ldap_tls);
+		if not ld then return nil, err, "reconnect"; end
+	end
+
+	-- luacheck: ignore 411/success
+	local success, iterator, invariant, initial = pcall(ld[method], ld, ...);
+	if not success then ld = nil; return nil, iterator, "search"; end
+
+	local success, dn, attr = pcall(iterator, invariant, initial);
+	if not success then ld = nil; return success, dn, "iter"; end
+
+	return dn, attr, "return";
+end
+
+function ldap_do(method, retry_count, ...)
+	local dn, attr, where;
+	for _=1,1+retry_count do
+		dn, attr, where = ldap_do_once(method, ...);
+		if dn or not(attr) then break; end -- nothing or something found
+		module:log("warn", "LDAP: %s %s (in %s)", tostring(dn), tostring(attr), where);
+		-- otherwise retry
+	end
+	if not dn and attr then
+		module:log("error", "LDAP: %s", tostring(attr));
+	end
+	return dn, attr;
+end
+
+function get_user(username)
+	module:log("debug", "get_user(%q)", username);
+	return ldap_do("search", 2, {
+		base = ldap_base;
+		scope = ldap_scope;
+		sizelimit = 1;
+		filter = ldap_filter:gsub("%$(%a+)", {
+			user = ldap_filter_escape(username);
+			host = host;
+		});
+	});
+end
+
+local provider = {};
+
+function provider.create_user(username, password) -- luacheck: ignore 212
+	return nil, "Account creation not available with LDAP.";
+end
+
+function provider.user_exists(username)
+	return not not get_user(username);
+end
+
+function provider.set_password(username, password)
+	local dn, attr = get_user(username);
+	if not dn then return nil, attr end
+	if attr.userPassword == password then return true end
+	return ldap_do("modify", 2, dn, { '=', userPassword = password });
+end
+
+if ldap_mode == "getpasswd" then
+	function provider.get_password(username)
+		local dn, attr = get_user(username);
+		if dn and attr then
+			return attr.userPassword;
+		end
+	end
+
+	function provider.test_password(username, password)
+		return provider.get_password(username) == password;
+	end
+
+	function provider.get_sasl_handler()
+		return new_sasl(module.host, {
+			plain = function(sasl, username) -- luacheck: ignore 212/sasl
+				local password = provider.get_password(username);
+				if not password then return "", nil; end
+				return password, true;
+			end
+		});
+	end
+elseif ldap_mode == "bind" then
+	local function test_password(userdn, password)
+		local ok, err = lualdap.open_simple(ldap_server, userdn, password, ldap_tls);
+		if not ok then
+			module:log("debug", "ldap open_simple error: %s", err);
+		end
+		return not not ok;
+	end
+
+	function provider.test_password(username, password)
+		local dn = get_user(username);
+		if not dn then return end
+		return test_password(dn, password)
+	end
+
+	function provider.get_sasl_handler()
+		return new_sasl(module.host, {
+			plain_test = function(sasl, username, password) -- luacheck: ignore 212/sasl
+				return provider.test_password(username, password), true;
+			end
+		});
+	end
+else
+	module:log("error", "Unsupported ldap_mode %s", tostring(ldap_mode));
+end
+
+if ldap_admins then
+	function provider.is_admin(jid)
+		local username, user_host = jid_split(jid);
+		if user_host ~= module.host then
+			return false;
+		end
+		return ldap_do("search", 2, {
+			base = ldap_base;
+			scope = ldap_scope;
+			sizelimit = 1;
+			filter = ldap_admins:gsub("%$(%a+)", {
+				user = ldap_filter_escape(username);
+				host = host;
+			});
+		});
+	end
+end
+
+module:provides("auth", provider);
-- 
cgit v1.2.3