annotate env/ldap/check_credentials.lua @ 1738:38a8b840bff7
Create individual privilege only if configured
 | author | bsw | 
 | date | Mon Oct 11 09:41:05 2021 +0200 (2021-10-11) | 
 | parents | 58f48a8a202a | 
 | children |  | 
 
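-- check if credentials (given by a user) are valid to bind to LDAP
-- --------------------------------------------------------------------------
--
-- arguments:
--   login: The login name entered by the user; it is mapped to an LDAP
--          search filter via config.ldap.member.login_filter_map, and the
--          DN of the matching entry is then used for binding (string, required)
--   password: Password credentials (string, required)
--
-- returns
--   success: the member entry found for the login (a table, i.e. truthy)
--              in cases of valid credentials
--            false in cases of invalid credentials
--            nil in undetermined cases, i.e. unavailable LDAP server
--   err: error code in case of errors, otherwise nil (string)
--   err2: error dependent extra error information

function ldap.check_credentials(login, password)

  -- Reject missing or empty input before touching the directory. An empty
  -- password must never reach ldap.bind(): an LDAP server may treat a bind
  -- with a DN and an empty password as an unauthenticated (anonymous) bind
  -- and report success (RFC 4513, section 5.1.2), which would let anybody
  -- pass this check as any known user.
  if login == nil or login == "" then
    return false, "invalid_credentials"
  end
  if password == nil or password == "" then
    return false, "invalid_credentials"
  end

  local filter = config.ldap.member.login_filter_map(login)
  local ldap_entry, err, err2 = ldap.get_member_entry(filter)

  -- An ambiguous login (several matching entries) is reported to the caller
  -- like a wrong login, not as a lookup error.
  if err == "too_many_entries_found" then
    return false, "invalid_credentials"
  end

  -- Any other lookup error (e.g. server unreachable) is undetermined rather
  -- than a rejection; pass the error details through like the bind path does.
  if err then
    return nil, err, err2
  end
  if not ldap_entry then
    return false, "invalid_credentials"
  end

  local dn = ldap_entry.dn

  -- Distinct names for the connection handle and its errors, so the 'ldap'
  -- module table and the lookup errors above are not shadowed here.
  local conn, bind_err, bind_err2 = ldap.bind(dn, password)

  if bind_err == "invalid_credentials" then
    return false, "invalid_credentials"
  end

  if bind_err then
    return nil, bind_err, bind_err2
  end

  -- bind() yielded neither a connection nor an error: treat this as
  -- undetermined, never as a successful authentication.
  if not conn then
    return nil
  end

  conn:unbind()

  return ldap_entry

end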