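require "lualdap"

-- Dovecot Lua passdb for "application passwords".
--
-- Flow: connect with a service account, confirm that exactly one directory
-- entry matches the username, then attempt a simple bind as each entry found
-- under the user's app-password subtree using the password the client sent.
-- The first bind that succeeds authenticates the request.
--
-- Configuration is read from the environment on every lookup:
--   LDAP_HOST, LDAP_BIND_DN, LDAP_BIND_PASSWORD  service-account connection
--   LDAP_USE_TLS                                 "true" -> usetls=true for lualdap
--   LDAP_BASE_DN, LDAP_PASS_FILTER               user lookup; "%u" = username
--   LDAP_APP_PASSWORDS_BASE_DN                   app-password subtree; "%u" = username
--   LDAP_APP_PASSWORDS_FILTER                    selects app-password entries
--   LDAP_USER_ATTRIBUTE                          used in the extra-fields string on success

-- RFC 4515 filter-value escaping. The username is client-controlled and is
-- spliced into a search filter, so filter metacharacters must be neutralised.
local FILTER_ESCAPES = {
  ["\\"] = "\\5c",
  ["*"]  = "\\2a",
  ["("]  = "\\28",
  [")"]  = "\\29",
  ["\0"] = "\\00",
}

-- RFC 4514 escaping for text substituted into an attribute value of a DN.
local DN_ESCAPES = {
  ["\\"] = "\\\\",
  [","]  = "\\,",
  ["+"]  = "\\+",
  ['"']  = '\\"',
  ["<"]  = "\\<",
  [">"]  = "\\>",
  [";"]  = "\\;",
  ["\0"] = "\\00",
}

--- Escape a value for use inside an LDAP search filter (RFC 4515).
-- @tparam string value
-- @treturn string
local function escape_filter_value(value)
  return (value:gsub(".", FILTER_ESCAPES))
end

--- Escape a value for use inside a DN attribute value (RFC 4514).
-- @tparam string value
-- @treturn string
local function escape_dn_value(value)
  local out = value:gsub(".", DN_ESCAPES)
  -- Trailing space first, then leading space/'#', so a lone space gets
  -- exactly one escape.
  out = out:gsub(" $", "\\ ")
  out = out:gsub("^([ #])", "\\%1")
  return out
end

--- Replace every "%u" in a template with an already-escaped value.
-- A function replacement is used so that a '%' inside the value is never
-- interpreted by gsub as a back-reference (which would raise or corrupt).
-- @tparam string template
-- @tparam string value
-- @treturn string
local function substitute_user(template, value)
  return (template:gsub("%%u", function() return value end))
end

--- Read the configuration from the environment.
-- @treturn table|nil config table, or nil when a required variable is unset
-- @treturn string|nil error message when nil is returned
local function read_config()
  local cfg = {}
  local required = {
    "LDAP_HOST", "LDAP_BASE_DN", "LDAP_PASS_FILTER",
    "LDAP_APP_PASSWORDS_BASE_DN", "LDAP_APP_PASSWORDS_FILTER",
    "LDAP_USER_ATTRIBUTE",
  }
  for _, name in ipairs(required) do
    local value = os.getenv(name)
    if value == nil or value == "" then
      return nil, "missing environment variable " .. name
    end
    cfg[name] = value
  end
  -- Bind credentials are handed to lualdap unchanged (nil allowed, as before).
  cfg.LDAP_BIND_DN = os.getenv("LDAP_BIND_DN")
  cfg.LDAP_BIND_PASSWORD = os.getenv("LDAP_BIND_PASSWORD")
  cfg.use_tls = os.getenv("LDAP_USE_TLS") == "true"
  return cfg
end

--- Count directory entries matching the user filter under LDAP_BASE_DN.
-- @param ld open lualdap connection
-- @tparam table cfg configuration from read_config
-- @tparam string username raw username from the request
-- @treturn number
local function count_matching_users(ld, cfg, username)
  local filter = substitute_user(cfg.LDAP_PASS_FILTER, escape_filter_value(username))
  local count = 0
  for _dn, _attrs in ld:search { base = cfg.LDAP_BASE_DN, scope = "subtree", filter = filter } do
    count = count + 1
  end
  return count
end

--- Try a simple bind as each app-password entry of the user.
-- @param ld open lualdap connection used for the search
-- @tparam table cfg configuration from read_config
-- @tparam string username raw username from the request
-- @tparam string password non-empty password from the request
-- @treturn boolean true if some entry accepted the password
local function bind_matches_app_password(ld, cfg, username, password)
  local base = substitute_user(cfg.LDAP_APP_PASSWORDS_BASE_DN, escape_dn_value(username))
  for dn in ld:search { base = base, scope = "subtree", filter = cfg.LDAP_APP_PASSWORDS_FILTER } do
    -- open_simple returns nil on a failed bind; a successful test bind is
    -- closed right away since only the outcome matters.
    local test_conn = lualdap.open_simple(cfg.LDAP_HOST, dn, password, cfg.use_tls)
    if test_conn then
      test_conn:close()
      return true
    end
  end
  return false
end

--- Core lookup, executed with an open service-account connection.
-- Returns the (result, extra_fields) pair expected by Dovecot.
local function lookup(ld, cfg, req)
  local username = req.username
  if type(username) ~= "string" or username == "" then
    return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "no such user"
  end
  if count_matching_users(ld, cfg, username) ~= 1 then
    return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "no such user"
  end
  -- A simple bind with an empty password is an *unauthenticated* bind
  -- (RFC 4513 5.1.2): many servers accept it, so it must never be used as
  -- evidence that the password is correct.
  local password = req.password
  if type(password) ~= "string" or password == "" then
    return dovecot.auth.PASSDB_RESULT_NEXT, "empty password"
  end
  if bind_matches_app_password(ld, cfg, username, password) then
    -- NOTE(review): this produces "<attribute>=user" as the extra field;
    -- confirm the intended key/value order against the Dovecot config.
    return dovecot.auth.PASSDB_RESULT_OK, string.format("%s=user", cfg.LDAP_USER_ATTRIBUTE)
  end
  return dovecot.auth.PASSDB_RESULT_NEXT, "no app password matches"
end

--- Dovecot passdb entry point.
-- @param req Dovecot auth request (reads req.username and req.password)
-- @return passdb result code and an extra-fields / message string
function auth_passdb_lookup(req)
  local cfg, cfg_err = read_config()
  if not cfg then
    return dovecot.auth.PASSDB_RESULT_INTERNAL_FAILURE, cfg_err
  end

  local ld, open_err = lualdap.open_simple(
    cfg.LDAP_HOST, cfg.LDAP_BIND_DN, cfg.LDAP_BIND_PASSWORD, cfg.use_tls)
  if not ld then
    return dovecot.auth.PASSDB_RESULT_INTERNAL_FAILURE, "ldap bind failed: " .. tostring(open_err)
  end

  -- pcall so the service connection is closed on every path, including
  -- a search that raises.
  local ok, result, extra = pcall(lookup, ld, cfg, req)
  ld:close()
  if not ok then
    return dovecot.auth.PASSDB_RESULT_INTERNAL_FAILURE, "ldap lookup failed: " .. tostring(result)
  end
  return result, extra
end

--- Called by Dovecot once after the script is loaded; 0 signals success.
function script_init()
  return 0
end

--- Called by Dovecot before the script is unloaded; nothing to release here.
function script_deinit()
end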