view mod_lib_ldap/ldap.lib.lua @ 6319:04c3273cb81f

mod_auth_cyrus: Add empty 'profile' table to SASL handler objects This is for compatibility with Prosody's built-in util.sasl objects. A SASL profile table usually includes methods supported by the backend, which can be used by SASL mechanism handlers to perform operations (such as testing the password). It also optionally contains a 'cb' field with channel binding method handlers. The Cyrus backend doesn't support channel binding, and doesn't have the same concept of auth backend methods (it handles all that internally, and Prosody has no insight or control over it). Thus, we create an empty profile which informs Prosody that the SASL handler does not support any of the auth or channel binding methods. Some features will not work, but they didn't work anyway. This just makes it explicit. This fixes a traceback in mod_sasl2_fast, which expected SASL handlers to always contain a 'profile' field.
author Matthew Wild <mwild1@gmail.com>
date Thu, 04 Sep 2025 10:14:46 +0100
parents 66b3085ecc49
children
line wrap: on
line source

-- vim:sts=4 sw=4

-- Prosody IM
-- Copyright (C) 2008-2010 Matthew Wild
-- Copyright (C) 2008-2010 Waqas Hussain
-- Copyright (C) 2012 Rob Hoelz
--
-- This project is MIT/X11 licensed. Please see the
-- COPYING file in the source package for more information.
--

local ldap;
local connection;
local params  = module:get_option("ldap");
local format  = string.format;
local tconcat = table.concat;

local _M = {};

local config_params = {
    hostname = 'string',
    user     = {
        basedn        = 'string',
        namefield     = 'string',
        filter        = 'string',
        usernamefield = 'string',
    },
    groups   = {
        basedn      = 'string',
        namefield   = 'string',
        memberfield = 'string',

        _member = {
          name  = 'string',
          admin = 'boolean?',
        },
    },
    admin    = {
        _optional = true,
        basedn    = 'string',
        namefield = 'string',
        filter    = 'string',
    }
}

local function run_validation(params, config, prefix)
    prefix = prefix or '';

    -- verify that every required member of config is present in params
    for k, v in pairs(config) do
        if type(k) == 'string' and k:sub(1, 1) ~= '_' then
            local is_optional;
            if type(v) == 'table' then
                is_optional = v._optional;
            else
                is_optional = v:sub(-1) == '?';
            end

            if not is_optional and params[k] == nil then
                return nil, prefix .. k .. ' is required';
            end
        end
    end

    for k, v in pairs(params) do
        local expected_type = config[k];

        local ok, err = true;

        if type(k) == 'string' then
            -- verify that this key is present in config
            if k:sub(1, 1) == '_' or expected_type == nil then
                return nil, 'invalid parameter ' .. prefix .. k;
            end

            -- type validation
            if type(expected_type) == 'string' then
                if expected_type:sub(-1) == '?' then
                    expected_type = expected_type:sub(1, -2);
                end

                if type(v) ~= expected_type then
                    return nil, 'invalid type for parameter ' .. prefix .. k;
                end
            else -- it's a table (or had better be)
                if type(v) ~= 'table' then
                    return nil, 'invalid type for parameter ' .. prefix .. k;
                end

                -- recurse into child
                ok, err = run_validation(v, expected_type, prefix .. k .. '.');
            end
        else -- it's an integer (or had better be)
            if not config._member then
                return nil, 'invalid parameter ' .. prefix .. tostring(k);
            end
            ok, err = run_validation(v, config._member, prefix .. tostring(k) .. '.');
        end

        if not ok then
            return ok, err;
        end
    end

    return true;
end

local function validate_config()
    if true then
        return true; -- XXX for now
    end

    -- this is almost too clever (I mean that in a bad
    -- maintainability sort of way)
    --
    -- basically this allows a free pass for a key in group members
    -- equal to params.groups.namefield
    setmetatable(config_params.groups._member, {
        __index = function(_, k)
          if k == params.groups.namefield then
              return 'string';
          end
        end
    });

    local ok, err = run_validation(params, config_params);

    setmetatable(config_params.groups._member, nil);

    if ok then
        -- a little extra validation that doesn't fit into
        -- my recursive checker
        local group_namefield = params.groups.namefield;
        for i, group in ipairs(params.groups) do
            if not group[group_namefield] then
                return nil, format('groups.%d.%s is required', i, group_namefield);
            end
        end

        -- fill in params.admin if you can
        if not params.admin and params.groups then
          local admingroup;

          for _, groupconfig in ipairs(params.groups) do
              if groupconfig.admin then
                  admingroup = groupconfig;
                  break;
              end
          end

          if admingroup then
              params.admin = {
                  basedn    = params.groups.basedn,
                  namefield = params.groups.memberfield,
                  filter    = group_namefield .. '=' .. admingroup[group_namefield],
              };
          end
        end
    end

    return ok, err;
end

-- what to do if connection isn't available?
local function connect()
    return ldap.open_simple(params.hostname, params.bind_dn, params.bind_password, params.use_tls);
end

-- this is abstracted so we can maintain persistent connections at a later time
function _M.getconnection()
    return assert(connect());
end

function _M.getparams()
  return params;
end

-- XXX consider renaming this...it doesn't bind the current connection
function _M.bind(username, password)
    local conn   = _M.getconnection();
    local filter = format('%s=%s', params.user.usernamefield, username);

    if filter then
        filter = _M.filter.combine_and(filter, params.user.filter);
    end

    local who = _M.singlematch {
        attrs     = params.user.usernamefield,
        base      = params.user.basedn,
        filter    = filter,
    };

    if who then
        who = who.dn;
        module:log('debug', '_M.bind - who: %s', who);
    else
        module:log('debug', '_M.bind - no DN found for username = %s', username);
        return nil, format('no DN found for username = %s', username);
    end

    local conn, err = ldap.open_simple(params.hostname, who, password, params.use_tls);

    if conn then
        conn:close();
        return true;
    end

    return conn, err;
end

function _M.singlematch(query)
    local ld = _M.getconnection();

    query.sizelimit = 1;
    query.scope     = 'subtree';

    for dn, attribs in ld:search(query) do
        attribs.dn = dn;
        return attribs;
    end
end

_M.filter = {};

function _M.filter.combine_and(...)
    local parts = { '(&' };

    local arg = { ... };

    for _, filter in ipairs(arg) do
        if filter:sub(1, 1) ~= '(' and filter:sub(-1) ~= ')' then
            filter = '(' .. filter .. ')'
        end
        parts[#parts + 1] = filter;
    end

    parts[#parts + 1] = ')';

    return tconcat(parts, '');
end

do
    local ok, err;

    prosody.unlock_globals();
    ok, ldap = pcall(require, 'lualdap');
    prosody.lock_globals();
    if not ok then
        module:log("error", "Failed to load the LuaLDAP library for accessing LDAP: %s", ldap);
        module:log("error", "More information on install LuaLDAP can be found at http://www.keplerproject.org/lualdap");
        return;
    end

    if not params then
        module:log("error", "LDAP configuration required to use the LDAP storage module");
        return;
    end

    ok, err = validate_config();

    if not ok then
        module:log("error", "LDAP configuration is invalid: %s", tostring(err));
        return;
    end
end

return _M;