Commit 912a5ec7 authored by Renato Figueiro Maia

[OPENBUS-2500] Nova configuração para permitir trafegar dados de autenticação para o LDAP em claro


git-svn-id: https://subversion.tecgraf.puc-rio.br/engdist/openbus/core/branches/02_00_00@151209 ae0415b3-e90b-0410-900d-d0be9363c56b
parent 4cdb1b4b
-- $Id$
-- LDAP password validator
-- Configuration options:
-- ldap_servers : table with URLs of the LDAP servers to be contacted in the
-- form 'ldap[s]://<host>:<port>. Required.
-- ldap_patterns : table with patterns to form distinguised names (DN) by
-- replacing %U with the entity name. Default is {"%U"}
-- ldap_timeout : timeout for each LDAP access (in seconds). Default is no
-- timeout.
-- ldap_cleartext: flag to allow passing password as clear text to the LDAP
-- server that refuses TLS or does not support SSL. Default is
-- 'false'.
local _G = require "_G"
local ipairs = _G.ipairs
......@@ -14,44 +25,47 @@ local msg = require "openbus.core.services.messages"
return function(configs)
-- configuration consistence checks
local urls = {}
if not configs.ldap_servers or type(configs.ldap_servers) ~= "table" or
(type(configs.ldap_servers) == "table" and #configs.ldap_servers == 0) then
local servers = configs.ldap_servers
if type(servers) ~= "table" or #servers == 0 then
return nil, msg.LdapNoServers
end
for _, url in ipairs(configs.ldap_servers) do
if not url:match("^ldap://") and not url:match("^ldaps://") then
local patterns = configs.ldap_patterns or { "%U" }
if type(patterns) ~= "table" or #patterns == 0 then
return nil, msg.LdapNoDistinguishedNamePattern
end
local timeout = configs.ldap_timeout
if timeout ~= nil and type(timeout) ~= "number" then
return nil, msg.LdapBadTimeout:tag{value=timeout,type=type(timeout)}
end
local cleartext = configs.ldap_cleartext
-- collect server urls
local urls = {}
for _, url in ipairs(servers) do
if not url:match("^ldaps?://") then
url = "ldap://"..url
end
urls[#urls+1] = url
end
local timeout = nil
if type(configs.ldap_timeout) == "number" then
timeout = configs.ldap_timeout
end
local patterns = configs.ldap_patterns or { "" }
if type(patterns) ~= "table" then
return nil, msg.LdapBadPatternSpec:tag{type=type(patterns)}
end
-- validate function to be used in runtime
return function(name, password)
return function(entity, password)
-- avoid blank password because this may be allowed as an anonymous bind
local blankpatt ="^[%s%c%z]*$"
if type(name) ~= "string" or name:match(blankpatt) or
if type(entity) ~= "string" or entity:match(blankpatt) or
type(password) ~= "string" or password:match(blankpatt) then
return nil, msg.LdapInvalidNameOrPassword
end
local errmsg = {}
for _, url in ipairs(urls) do
for _, pattern in ipairs(patterns) do
local dn = pattern:gsub("%%U",name)
local dn = pattern:gsub("%%U",entity)
local conn, err
-- if the url indicates LDAP raw protocol, we try use LDAP+StartTLS
if url:match("^ldap://") then
conn, err = lualdap.open_simple(url, dn, password, true, timeout)
conn, err = openldap(url, dn, password, true, timeout)
end
-- if url already indicates LDAPS or if the server rejects LDAP+StartTLS
if url:match("^ldaps://") or not conn then
conn, err = lualdap.open_simple(url, dn, password, false, timeout)
-- if the server rejects LDAP+StartTLS or if url already indicates LDAPS
if (not conn and cleartext) or url:match("^ldaps://") then
conn, err = openldap(url, dn, password, false, timeout)
end
if conn ~= nil then
conn:close()
......
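Review bot: The fallback condition `(not conn and cleartext)` on the `if` before the second openldap call does not distinguish a refused StartTLS from any other failure of the first attempt — a wrong password, a timeout or an unreachable server also leave conn nil — so with ldap_cleartext set a mistyped password is re-sent without TLS to a server that does support it, and every failed login is counted twice by the directory's lockout policy. The comment above it (`-- if the server rejects LDAP+StartTLS or if url already indicates LDAPS`) describes the narrower case that was intended; if the err value returned by openldap lets a TLS negotiation failure be told apart from a bind failure, gate the retry on that, and otherwise state in the file header that ldap_cleartext retries every failed ldap:// attempt in clear. Separately, `local cleartext = configs.ldap_cleartext` is the only new option accepted without a type check: a config value such as the string "false" is truthy in Lua and silently enables the clear-text path, so reject non-booleans the same way ldap_timeout is rejected two lines earlier, e.g. `if cleartext ~= nil and type(cleartext) ~= "boolean" then return nil, msg.<bad-cleartext message — placeholder> end`. The returned validator function continues past the end of the hunk.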