Posted to commits@ponymail.apache.org by se...@apache.org on 2019/04/18 15:36:25 UTC
[incubator-ponymail] branch master updated: Update for new LDAP
groups
This is an automated email from the ASF dual-hosted git repository.
sebb pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-ponymail.git
The following commit(s) were added to refs/heads/master by this push:
new eefd1b6 Update for new LDAP groups
eefd1b6 is described below
commit eefd1b6a30960db6afa189352d8832528425ec59
Author: Sebb <se...@apache.org>
AuthorDate: Thu Apr 18 16:36:00 2019 +0100
Update for new LDAP groups
---
aaa_examples/aaa_with_ldap.lua | 34 ++++++++++++++++++----------------
1 file changed, 18 insertions(+), 16 deletions(-)
diff --git a/aaa_examples/aaa_with_ldap.lua b/aaa_examples/aaa_with_ldap.lua
index 4148bd6..2cff365 100644
--- a/aaa_examples/aaa_with_ldap.lua
+++ b/aaa_examples/aaa_with_ldap.lua
@@ -20,11 +20,15 @@
local JSON = require 'cjson'
-- Get a list of PMCs the user is a part of
-local function getPMCs(r, uid)
+local function getPMCs(uid)
local groups = {}
- local ldapdata = io.popen( ([[ldapsearch -x -LLL "(|(memberUid=%s)(member=uid=%s,ou=people,dc=apache,dc=org))" cn]]):format(uid,uid) )
+ -- Check for valid chars. Important since the uid is passed to the shell.
+ if not uid:match("^[-a-z0-9_.]+$") then
+ return groups
+ end
+ local ldapdata = io.popen( ([[ldapsearch -x -LLL -b ou=project,ou=groups,dc=apache,dc=org "(owner=uid=%s,ou=people,dc=apache,dc=org)" dn]]):format(uid) )
local data = ldapdata:read("*a")
- for match in data:gmatch("dn: cn=([-a-zA-Z0-9]+),ou=pmc,ou=committees,ou=groups,dc=apache,dc=org") do
+ for match in data:gmatch("dn: cn=([-a-zA-Z0-9]+),ou=project,ou=groups,dc=apache,dc=org") do
table.insert(groups, match)
end
return groups
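Review bot: The `io.popen` handle opened on the new ldapsearch line is never closed; `ldapdata:read("*a")` drains the pipe, but the child process and its descriptor are released only when the handle is garbage-collected, so a busy server can accumulate open pipes. Add `ldapdata:close()` after the read — on Lua 5.2+ its return values also carry the exit status, so a failing `ldapsearch` (which currently just yields an empty group list) could be logged. The same applies to the rewritten isMember in the next hunk. The added allow-list is what makes the shell interpolation safe, and it also keeps the LDAP filter metacharacters `* ( ) \` out of the filter string, which the comment should say so the pattern is not relaxed later: `-- Only allow [-a-z0-9_.]: the uid is interpolated into both the shell command line and the LDAP filter.`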
@@ -32,23 +36,21 @@ end
-- Is $uid a member of the ASF?
-local function isMember(r, uid)
-
- local ldapdata = io.popen([[ldapsearch -x -LLL -b cn=member,ou=groups,dc=apache,dc=org]])
- local data = ldapdata:read("*a")
- for match in data:gmatch("memberUid: ([-a-z0-9_.]+)") do
- -- Found it?
- if match == uid then
- return true
- end
+local function isMember(uid)
+ -- Check for valid chars. Important since the uid is passed to the shell.
+ if not uid:match("^[-a-z0-9_.]+$") then
+ return false
end
- return false
+ local ldapdata = io.popen(([[ldapsearch -x -LLL -b cn=member,ou=groups,dc=apache,dc=org '(memberUid=%s)' dn]]):format(uid))
+ -- This returns a string starting with 'dn: cn=member,ou=groups,dc=apache,dc=org' or the empty string.
+ local data = ldapdata:read("*a")
+ return nil ~= data:match("dn: cn=member,ou=groups,dc=apache,dc=org")
end
-- Get a list of domains the user has private email access to (or wildcard if org member)
local function getRights(r, usr)
local uid = usr.credentials.uid
-
+
-- First, check the 30 minute cache
local NOWISH = math.floor(os.time() / 1800)
local USER_KEY = "aaa_rights_" .. NOWISH .. "_" .. uid
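Review bot: The allow-list pattern `^[-a-z0-9_.]+$` is now written out twice, in isMember here and in getPMCs in the previous hunk; if either copy is ever loosened the other silently no longer protects the shell call. Factor it into one helper, `local function is_valid_uid(uid) return type(uid) == "string" and uid:match("^[-a-z0-9_.]+$") ~= nil end`, and call it from both. The `type` check matters because `uid` comes from `usr.credentials.uid` (visible below); if that field can be absent, `uid:match` raises "attempt to index a nil value" instead of the intended `return false`.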
@@ -59,11 +61,11 @@ local function getRights(r, usr)
local rights = {}
-- Check if uid has member (admin) rights
- if usr.internal.admin or isMember(r, uid) then
+ if usr.internal.admin or isMember(uid) then
table.insert(rights, "*")
-- otherwise, get PMC list and construct array
else
- local list = getPMCs(r, uid)
+ local list = getPMCs(uid)
for k, v in pairs(list) do
table.insert(rights, v .. ".apache.org")
end