#1603 Extend mod_auth_ldap for dereferencing aliased objects
Reporter
Gerrit Beine
Owner
Nobody
Tags
Type-Enhancement
Status-New
Priority-Medium
Gerrit Beine
on
This patch enables mod_auth_ldap to work with aliased users.
The dn of the alias object is replaced with the dn of the aliased object.
It implements the behaviour of LDAP_OPT_DEREF set to LDAP_DEREF_ALWAYS as described in https://linux.die.net/man/3/ldap_set_option.
--- mod_auth_ldap/mod_auth_ldap.lua 2020-04-25 23:22:19.000000000 +0200
+++ mod_auth_ldap3/mod_auth_ldap3.lua 2020-10-29 00:13:34.479577150 +0100
@@ -3,6 +3,7 @@
local jid_split = require "util.jid".split;
local new_sasl = require "util.sasl".new;
local lualdap = require "lualdap";
+local inspect = require "inspect";
local function ldap_filter_escape(s)
return (s:gsub("[*()\\%z]", function(c) return ("\\%02x"):format(c:byte()) end));
@@ -16,6 +17,7 @@
local ldap_scope = module:get_option_string("ldap_scope", "subtree");
local ldap_filter = module:get_option_string("ldap_filter", "(uid=$user)"):gsub("%%s", "$user", 1);
local ldap_base = assert(module:get_option_string("ldap_base"), "ldap_base is a required option for ldap");
+local ldap_deref = module:get_option_string("ldap_deref", "always");
local ldap_mode = module:get_option_string("ldap_mode", "bind");
local ldap_admins = module:get_option_string("ldap_admin_filter",
module:get_option_string("ldap_admins")); -- COMPAT with mistake in documentation
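Review bot: The new `ldap_deref` option accepts any string, but only the literal `"always"` is ever acted on (in the later hunk of `ldap_do`), so the other LDAP_OPT_DEREF values the description cites ("never", "searching", "finding") and any typo all silently behave as "never" with no message. Validating the value at load time makes a misconfiguration visible: `assert(ldap_deref == "always" or ldap_deref == "never", "ldap_deref must be \"always\" or \"never\"");`. A one-line comment on the option would also help, e.g. `-- "always": replace an alias entry's dn with its aliasedObjectName after lookup; anything else leaves the alias dn as-is`.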
@@ -44,6 +46,12 @@
function ldap_do(method, retry_count, ...)
local dn, attr, where;
+ local function contains(table, x)
+ for _, v in pairs(table) do
+ if v == x then return true end
+ end
+ return false
+ end
for _=1,1+retry_count do
dn, attr, where = ldap_do_once(method, ...);
if dn or not(attr) then break; end -- nothing or something found
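Review bot: `contains` is declared inside `ldap_do`, so the closure is rebuilt on every lookup, and its first parameter is named `table`, which shadows the standard `table` library inside the helper. Hoisting it to a module-level `local function contains(t, x)` next to `ldap_filter_escape` avoids both, and the helper could then also be reused elsewhere. The body of `ldap_do` continues past this hunk.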
@@ -53,6 +61,12 @@
if not dn and attr then
module:log("error", "LDAP: %s", tostring(attr));
end
+ if ldap_deref == "always" and contains(attr["objectClass"], "alias") and attr["aliasedObjectName"] ~= nil then
+ module:log("debug", "LDAP dn: %s", inspect(attr["aliasedObjectName"]));
+ dn = attr["aliasedObjectName"]
+ end
+ module:log("debug", "LDAP dn: %s", tostring(dn));
+ module:log("debug", "LDAP attr: %s", inspect(attr));
return dn, attr;
end
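Review bot: The alias check runs on the failure paths too: after the loop `attr` is nil when nothing was found and is the error value when `dn` is nil (the preceding `if not dn and attr` logs it as such), so `attr["objectClass"]` or `pairs` inside `contains` raises from `ldap_do` instead of returning `nil, err` as before; lualdap may also hand back a single-valued attribute as a plain string rather than a table, which `pairs` rejects. Guarding on the found entry and the value's type fixes both: `if dn and ldap_deref == "always" and type(attr.objectClass) == "table" and contains(attr.objectClass, "alias") and attr.aliasedObjectName ~= nil then`. Only `dn` is swapped while `attr` still holds the alias entry's attributes, so callers receive the target's DN paired with the alias's attributes, and the target DN is accepted from the directory without any check that it lies under `ldap_base` or matches `ldap_filter` — the `aliasedObjectName` value alone decides which entry is treated as the user afterwards; re-running the lookup for the target (or at least a suffix check against `ldap_base`) keeps the configured scope and filter authoritative. The `inspect(attr)` debug line writes every returned attribute to the log, which presumably can include sensitive values depending on what the directory returns.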
Gerrit Beine
on
I've made it available via GitHub; that's easier to deal with.
I also removed the inspect dependency.
This patch enables mod_auth_ldap to work with aliased users. The dn of the alias object is replaced with the dn of the aliased object. It implements the behaviour of LDAP_OPT_DEREF set to LDAP_DEREF_ALWAYS as described in https://linux.die.net/man/3/ldap_set_option. --- mod_auth_ldap/mod_auth_ldap.lua 2020-04-25 23:22:19.000000000 +0200 +++ mod_auth_ldap3/mod_auth_ldap3.lua 2020-10-29 00:13:34.479577150 +0100 @@ -3,6 +3,7 @@ local jid_split = require "util.jid".split; local new_sasl = require "util.sasl".new; local lualdap = require "lualdap"; +local inspect = require "inspect"; local function ldap_filter_escape(s) return (s:gsub("[*()\\%z]", function(c) return ("\\%02x"):format(c:byte()) end)); @@ -16,6 +17,7 @@ local ldap_scope = module:get_option_string("ldap_scope", "subtree"); local ldap_filter = module:get_option_string("ldap_filter", "(uid=$user)"):gsub("%%s", "$user", 1); local ldap_base = assert(module:get_option_string("ldap_base"), "ldap_base is a required option for ldap"); +local ldap_deref = module:get_option_string("ldap_deref", "always"); local ldap_mode = module:get_option_string("ldap_mode", "bind"); local ldap_admins = module:get_option_string("ldap_admin_filter", module:get_option_string("ldap_admins")); -- COMPAT with mistake in documentation @@ -44,6 +46,12 @@ function ldap_do(method, retry_count, ...) local dn, attr, where; + local function contains(table, x) + for _, v in pairs(table) do + if v == x then return true end + end + return false + end for _=1,1+retry_count do dn, attr, where = ldap_do_once(method, ...); if dn or not(attr) then break; end -- nothing or something found 
@@ -53,6 +61,12 @@ if not dn and attr then module:log("error", "LDAP: %s", tostring(attr)); end + if ldap_deref == "always" and contains(attr["objectClass"], "alias") and attr["aliasedObjectName"] ~= nil then + module:log("debug", "LDAP dn: %s", inspect(attr["aliasedObjectName"])); + dn = attr["aliasedObjectName"] + end + module:log("debug", "LDAP dn: %s", tostring(dn)); + module:log("debug", "LDAP attr: %s", inspect(attr)); return dn, attr; end
I've made it available via GitHub, that's easier to deal with. I also removed the inspect dependency.
Here is the link to the GitHub repository: https://github.com/gbeine/prosody-modules/commit/82dc305d21d20e57e739359da9657001668ab8f3