dovecot/rootfs/etc/confd/templates/app-passwords-lookup.lua.tmpl

require "lualdap"

function auth_passdb_lookup(req)
    local ldap_host = "{{ getenv "LDAP_HOST" }}"
    local ldap_bin_dn = "{{ getenv "LDAP_BIND_DN" }}"
    local ldap_bind_password = "{{ getenv "LDAP_BIND_PASSWORD" }}"
    local ldap_use_tls = {{ getenv "LDAP_USE_TLS" }}

    ld = assert (lualdap.open_simple(
        ldap_host,
        ldap_bin_dn,
        ldap_bind_password,
        ldap_use_tls))

    local username = req.username
    local ldap_pass_filter = "{{ getenv "LDAP_PASS_FILTER" }}"
    local ldap_pass_filter_formatted = ldap_pass_filter:gsub("%%u", username)
    local ldap_base_dn = "{{ getenv "LDAP_BASE_DN" }}"

    local user_count = 0
    for dn, attribs in ld:search { base = ldap_base_dn, scope = "subtree", filter = ldap_pass_filter_formatted } do
        user_count = user_count + 1
    end

    local user_exists = user_count == 1
    if user_exists then
        local app_base_dn = "{{ getenv "LDAP_APP_PASSWORDS_BASE_DN" }}"
        local app_base_dn_formatted = app_base_dn:gsub("%%u", username)
        local app_pass_filter = "{{ getenv "LDAP_APP_PASSWORDS_FILTER" }}"
        local ldap_user_attribute = "{{ getenv "LDAP_USER_ATTRIBUTE" }}"

        local user_password = reg.password

        for dn, attribs in ld:search { base = app_base_dn_formatted, scope = "subtree", filter = app_pass_filter } do
            lualdap.open_simple(
                ldap_host,
                dn,
                user_password,
                ldap_use_tls)
            if test_conn ~= nil then
                return dovecot.auth.PASSDB_RESULT_OK, string.format("%s=user", ldap_user_attribute)
            end
        end
    else
        return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "no such user"
    end

    return dovecot.auth.PASSDB_RESULT_NEXT, "no app password matches"
end

function script_init()
    return 0
end

function script_deinit()
end
app passwordss cript needs to be a template 2018-02-27 13:29:28 +00:00			`require "lualdap"`

			`function auth_passdb_lookup(req)`
			`local ldap_host = "{{ getenv "LDAP_HOST" }}"`
			`local ldap_bin_dn = "{{ getenv "LDAP_BIND_DN" }}"`
			`local ldap_bind_password = "{{ getenv "LDAP_BIND_PASSWORD" }}"`
			`local ldap_use_tls = {{ getenv "LDAP_USE_TLS" }}`

			`ld = assert (lualdap.open_simple(`
			`ldap_host,`
			`ldap_bin_dn,`
			`ldap_bind_password,`
			`ldap_use_tls))`

			`local username = req.username`
			`local ldap_pass_filter = "{{ getenv "LDAP_PASS_FILTER" }}"`
			`local ldap_pass_filter_formatted = ldap_pass_filter:gsub("%%u", username)`
correct lua syntax 2018-02-27 13:52:38 +00:00			`local ldap_base_dn = "{{ getenv "LDAP_BASE_DN" }}"`
app passwordss cript needs to be a template 2018-02-27 13:29:28 +00:00
			`local user_count = 0`
			`for dn, attribs in ld:search { base = ldap_base_dn, scope = "subtree", filter = ldap_pass_filter_formatted } do`
			`user_count = user_count + 1`
			`end`

			`local user_exists = user_count == 1`
			`if user_exists then`
			`local app_base_dn = "{{ getenv "LDAP_APP_PASSWORDS_BASE_DN" }}"`
			`local app_base_dn_formatted = app_base_dn:gsub("%%u", username)`
			`local app_pass_filter = "{{ getenv "LDAP_APP_PASSWORDS_FILTER" }}"`
			`local ldap_user_attribute = "{{ getenv "LDAP_USER_ATTRIBUTE" }}"`

			`local user_password = reg.password`

			`for dn, attribs in ld:search { base = app_base_dn_formatted, scope = "subtree", filter = app_pass_filter } do`
			`lualdap.open_simple(`
			`ldap_host,`
			`dn,`
			`user_password,`
			`ldap_use_tls)`
			`if test_conn ~= nil then`
correct lua syntax 2018-02-27 13:52:38 +00:00			`return dovecot.auth.PASSDB_RESULT_OK, string.format("%s=user", ldap_user_attribute)`
app passwordss cript needs to be a template 2018-02-27 13:29:28 +00:00			`end`
			`end`
			`else`
			`return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "no such user"`
			`end`

			`return dovecot.auth.PASSDB_RESULT_NEXT, "no app password matches"`
			`end`

			`function script_init()`
			`return 0`
			`end`

			`function script_deinit()`
			`end`