UNPKG

haraka-plugin-ldap

Version:

Haraka plugin for LDAP

github.com/haraka/haraka-plugin-ldap

haraka/haraka-plugin-ldap

128 lines (109 loc) 3.92 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
'use strict'; const util = require('util'); exports._verify_user = (userdn, passwd, cb, connection) => { const pool = connection.server.notes.ldappool; function onError(err) { connection.logerror( `Could not verify userdn and password: ${util.inspect(err)}`, ); cb(false); } if (!pool) return onError('LDAP Pool not found'); pool._create_client((err, client) => { if (err) return onError(err); client.bind(userdn, passwd, (err2) => { client.unbind(); if (err2) { connection.logdebug( `Login failed, could not bind ${util.inspect(userdn)}: ${util.inspect(err)}`, ); return cb(false); } cb(true); }); }); }; exports._get_search_conf = (user, connection) => { const pool = connection.server.notes.ldappool; const filter = pool.config.authn.searchfilter || '(&(objectclass=*)(uid=%u))'; return { basedn: pool.config.authn.basedn || pool.config.basedn, filter: filter.replace(/%u/g, user), scope: pool.config.authn.scope || pool.config.scope, attributes: ['dn'], }; }; exports._get_dn_for_uid = function (uid, callback, connection) { const pool = connection.server.notes.ldappool; function onError(err) { connection.logerror(`Could not get DN for UID ${uid}`); connection.logdebug(`: ${util.inspect(err)}`); callback(err); } if (!pool) return onError('LDAP Pool not found!'); pool.get((err, client) => { if (err) return onError(err); const config = this._get_search_conf(uid, connection); connection.logdebug(`Getting DN for uid: ${util.inspect(config)}`); try { client.search(config.basedn, config, (search_error, res) => { if (search_error) onError(search_error); const userdn = []; res.on('searchEntry', (entry) => { userdn.push(entry.object.dn); }); res.on('error', onError); res.on('end', () => { callback(null, userdn); }); }); } catch (e) { onError(e); } }); }; exports.check_plain_passwd = function (connection, user, passwd, cb) { if (Array.isArray(connection.server.notes.ldappool.config.authn.dn)) { return this.check_plain_passwd_dn(connection, user, passwd, cb); } connection.logdebug(`Looking up user ${util.inspect(user)} by search.`); this._get_dn_for_uid( user, (err, userdn) => { if (err) { connection.logerror( `Could not use LDAP for password check: ${util.inspect(err)}`, ); cb(false); } else if (userdn.length !== 1) { connection.logdebug( `None or nonunique LDAP search result for user ${util.inspect(user)}, access denied`, ); cb(false); } else { this._verify_user(userdn[0], passwd, cb, connection); } }, connection, ); }; exports.check_plain_passwd_dn = function (connection, user, passwd, cb) { connection.logdebug(`Looking up user ${util.inspect(user)} by DN.`); let iter = 0; let cbCalled = false; function cbOnce(result) { iter++; if (cbCalled) return; if (result) { cbCalled = true; return cb(result); } if (iter === connection.server.notes.ldappool.config.authn.dn.length) { cbCalled = true; cb(result); } } for (const dn of connection.server.notes.ldappool.config.authn.dn) { this._verify_user(dn.replace(/%u/g, user), passwd, cbOnce, connection); } };