app passwordss cript needs to be a template

This commit is contained in:
Sebastian Hugentobler 2018-02-27 14:29:28 +01:00
parent 6148c043b8
commit 5df18cf04c
3 changed files with 59 additions and 50 deletions

View File

@ -0,0 +1,3 @@
[template]
src = "app-passwords-lookup.lua.tmpl"
dest = "/etc/dovecot/app-passwords-lookup.lua"

View File

@ -0,0 +1,56 @@
require "lualdap"
function auth_passdb_lookup(req)
local ldap_host = "{{ getenv "LDAP_HOST" }}"
local ldap_bin_dn = "{{ getenv "LDAP_BIND_DN" }}"
local ldap_bind_password = "{{ getenv "LDAP_BIND_PASSWORD" }}"
local ldap_use_tls = {{ getenv "LDAP_USE_TLS" }}
ld = assert (lualdap.open_simple(
ldap_host,
ldap_bin_dn,
ldap_bind_password,
ldap_use_tls))
local username = req.username
local ldap_pass_filter = "{{ getenv "LDAP_PASS_FILTER" }}"
local ldap_pass_filter_formatted = ldap_pass_filter:gsub("%%u", username)
local ldap_base_dn = {{ getenv "LDAP_BASE_DN" }}
local user_count = 0
for dn, attribs in ld:search { base = ldap_base_dn, scope = "subtree", filter = ldap_pass_filter_formatted } do
user_count = user_count + 1
end
local user_exists = user_count == 1
if user_exists then
local app_base_dn = "{{ getenv "LDAP_APP_PASSWORDS_BASE_DN" }}"
local app_base_dn_formatted = app_base_dn:gsub("%%u", username)
local app_pass_filter = "{{ getenv "LDAP_APP_PASSWORDS_FILTER" }}"
local ldap_user_attribute = "{{ getenv "LDAP_USER_ATTRIBUTE" }}"
local user_password = reg.password
for dn, attribs in ld:search { base = app_base_dn_formatted, scope = "subtree", filter = app_pass_filter } do
lualdap.open_simple(
ldap_host,
dn,
user_password,
ldap_use_tls)
if test_conn ~= nil then
return dovecot.auth.PASSDB_RESULT_OK, string.format("%s=user", ldap_user_attribute))
end
end
else
return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "no such user"
end
return dovecot.auth.PASSDB_RESULT_NEXT, "no app password matches"
end
function script_init()
return 0
end
function script_deinit()
end

View File

@ -1,50 +0,0 @@
require "lualdap"
function auth_passdb_lookup(req)
ldap_use_tls_env = os.getenv("LDAP_USE_TLS")
ldap_use_tls = ldap_use_tls_env == "true" and true or false
ld = assert (lualdap.open_simple(
os.getenv("LDAP_HOST"),
os.getenv("LDAP_BIND_DN"),
os.getenv("LDAP_BIND_PASSWORD"),
ldap_use_tls))
local username = req.username
local ldap_pass_filter = os.getenv("LDAP_PASS_FILTER"):gsub("%%u", username)
local user_count = 0
for dn, attribs in ld:search { base = os.getenv("LDAP_BASE_DN"), scope = "subtree", filter = ldap_pass_filter } do
user_count = user_count + 1
end
local user_exists = user_count == 1
if user_exists then
local app_base_dn = os.getenv("LDAP_APP_PASSWORDS_BASE_DN")
local app_pass_filter = os.getenv("LDAP_APP_PASSWORDS_FILTER")
local user_password = reg.password
for dn, attribs in ld:search { base = app_base_dn:gsub("%%u", username), scope = "subtree", filter = app_pass_filter } do
lualdap.open_simple(
os.getenv("LDAP_HOST"),
dn,
user_password,
ldap_use_tls)
if test_conn ~= nil then
return dovecot.auth.PASSDB_RESULT_OK, string.format("%s=user", os.getenv("LDAP_USER_ATTRIBUTE"))
end
end
else
return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "no such user"
end
return dovecot.auth.PASSDB_RESULT_NEXT, "no app password matches"
end
function script_init()
return 0
end
function script_deinit()
end