add lua app password script
This commit is contained in:
parent
044dc68da6
commit
4aa32aaa99
10
README.md
10
README.md
@ -29,8 +29,8 @@ Which authentication mechanism to use for the smtp relay.
|
||||
|
||||
Whether to use starttls for the smtp relay.
|
||||
|
||||
## LDAP_URI
|
||||
Complete uri for the authentication ldap host.
|
||||
## LDAP_HOST
|
||||
Ldap hostname (can include the port).
|
||||
|
||||
## LDAP_SIEVE_HOST
|
||||
Has to be the same as `LDAP_URI` but in a different format (like `ldap:389`).
|
||||
@ -73,6 +73,12 @@ The ldap attribute which contains the sieve rules.
|
||||
|
||||
Whether to use tls when connecting to the ldap host.
|
||||
|
||||
## LDAP_APP_PASSWORDS_BASE_DN
|
||||
Base DN to look for app passwords for a user.
|
||||
|
||||
## LDAP_APP_PASSWORDS_FILTER
|
||||
Specifies the filter on what counts as an app password.
|
||||
|
||||
## LDAP_DEFAULT_PASSSCHEME
|
||||
- default: SSHA
|
||||
|
||||
|
@ -3,6 +3,11 @@ passdb {
|
||||
args = /etc/dovecot/dovecot-ldap.conf.ext
|
||||
}
|
||||
|
||||
passdb {
|
||||
driver = lua
|
||||
args = file=/etc/dovecot/app-password-lookup.lua
|
||||
}
|
||||
|
||||
userdb {
|
||||
driver = static
|
||||
args = uid=vmail gid=vmail home=/var/lib/vmail/mail/%d/%n
|
||||
|
@ -1,4 +1,4 @@
|
||||
uris = {{getenv "LDAP_URI"}}
|
||||
uris = ldap://{{getenv "LDAP_URI"}}
|
||||
dn = {{getenv "LDAP_BIND_DN"}}
|
||||
dnpass = {{getenv "LDAP_BIND_PASSWORD"}}
|
||||
tls = {{getenv "LDAP_USE_TLS" "yes"}}
|
||||
|
50
rootfs/etc/dovecot/app-password-lookup.lua
Normal file
50
rootfs/etc/dovecot/app-password-lookup.lua
Normal file
@ -0,0 +1,50 @@
|
||||
require "lualdap"
|
||||
|
||||
function auth_passdb_lookup(req)
|
||||
ldap_use_tls_env = os.getenv("LDAP_USE_TLS")
|
||||
ldap_use_tls = ldap_use_tls_env == "true" and true or false
|
||||
|
||||
ld = assert (lualdap.open_simple(
|
||||
os.getenv("LDAP_HOST"),
|
||||
os.getenv("LDAP_BIND_DN"),
|
||||
os.getenv("LDAP_BIND_PASSWORD"),
|
||||
ldap_use_tls))
|
||||
|
||||
local username = req.username
|
||||
local ldap_pass_filter = os.getenv("LDAP_PASS_FILTER"):gsub("%%u", username)
|
||||
|
||||
local user_count = 0
|
||||
for dn, attribs in ld:search { base = os.getenv("LDAP_BASE_DN"), scope = "subtree", filter = ldap_pass_filter } do
|
||||
user_count = user_count + 1
|
||||
end
|
||||
|
||||
local user_exists = user_count == 1
|
||||
if user_exists then
|
||||
local app_base_dn = os.getenv("LDAP_APP_PASSWORDS_BASE_DN")
|
||||
local app_pass_filter = os.getenv("LDAP_APP_PASSWORDS_FILTER")
|
||||
|
||||
local user_password = reg.password
|
||||
|
||||
for dn, attribs in ld:search { base = app_base_dn:gsub("%%u", username), scope = "subtree", filter = app_pass_filter } do
|
||||
lualdap.open_simple(
|
||||
os.getenv("LDAP_HOST"),
|
||||
dn,
|
||||
user_password,
|
||||
ldap_use_tls)
|
||||
if test_conn ~= nil then
|
||||
return dovecot.auth.PASSDB_RESULT_OK, string.format("%s=user", os.getenv("LDAP_USER_ATTRIBUTE"))
|
||||
end
|
||||
end
|
||||
else
|
||||
return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "no such user"
|
||||
end
|
||||
|
||||
return dovecot.auth.PASSDB_RESULT_NEXT, "no app password matches"
|
||||
end
|
||||
|
||||
function script_init()
|
||||
return 0
|
||||
end
|
||||
|
||||
function script_deinit()
|
||||
end
|
Loading…
Reference in New Issue
Block a user