#1603 Extend mod_auth_ldap for dereferencing aliased objects

Reporter Gerrit Beine
Owner Nobody
Created
Updated
Stars ★ (1)
Tags
  • Priority-Medium
  • Type-Enhancement
  • Status-New
  1. Gerrit Beine on

    This patch enables mod_auth_ldap to work with aliased users. The dn of the alias object is replaced with the dn of the aliased object. It implements the behaviour of LDAP_OPT_DEREF set to LDAP_DEREF_ALWAYS as described in https://linux.die.net/man/3/ldap_set_option. --- mod_auth_ldap/mod_auth_ldap.lua 2020-04-25 23:22:19.000000000 +0200 +++ mod_auth_ldap3/mod_auth_ldap3.lua 2020-10-29 00:13:34.479577150 +0100 @@ -3,6 +3,7 @@ local jid_split = require "util.jid".split; local new_sasl = require "util.sasl".new; local lualdap = require "lualdap"; +local inspect = require "inspect"; local function ldap_filter_escape(s) return (s:gsub("[*()\\%z]", function(c) return ("\\%02x"):format(c:byte()) end)); @@ -16,6 +17,7 @@ local ldap_scope = module:get_option_string("ldap_scope", "subtree"); local ldap_filter = module:get_option_string("ldap_filter", "(uid=$user)"):gsub("%%s", "$user", 1); local ldap_base = assert(module:get_option_string("ldap_base"), "ldap_base is a required option for ldap"); +local ldap_deref = module:get_option_string("ldap_deref", "always"); local ldap_mode = module:get_option_string("ldap_mode", "bind"); local ldap_admins = module:get_option_string("ldap_admin_filter", module:get_option_string("ldap_admins")); -- COMPAT with mistake in documentation @@ -44,6 +46,12 @@ function ldap_do(method, retry_count, ...) local dn, attr, where; + local function contains(table, x) + for _, v in pairs(table) do + if v == x then return true end + end + return false + end for _=1,1+retry_count do dn, attr, where = ldap_do_once(method, ...); if dn or not(attr) then break; end -- nothing or something found @@ -53,6 +61,12 @@ if not dn and attr then module:log("error", "LDAP: %s", tostring(attr)); end + if ldap_deref == "always" and contains(attr["objectClass"], "alias") and attr["aliasedObjectName"] ~= nil then + module:log("debug", "LDAP dn: %s", inspect(attr["aliasedObjectName"])); + dn = attr["aliasedObjectName"] + end + module:log("debug", "LDAP dn: %s", tostring(dn)); + module:log("debug", "LDAP attr: %s", inspect(attr)); return dn, attr; end

  2. Gerrit Beine on

    I've made it available via GitHub, that's easier to deal with. I also removed the inspect dependency.

  3. Gerrit Beine on

    Here is the link to the GitHub repository: https://github.com/gbeine/prosody-modules/commit/82dc305d21d20e57e739359da9657001668ab8f3

New comment

Not published. Used for spam prevention and optional update notifications.