
* src/ejabberd_auth_ldap.erl: Added ldap_local_filter option. This

option provides an optimisation to reduce LDAP directory load when
using attribute-based filters (EJAB-179).

SVN Revision: 723
This commit is contained in:
Mickaël Rémond 2007-02-13 10:01:58 +00:00
parent 5b4e116cfd
commit 1e03821f39
2 changed files with 41 additions and 1 deletions


@ -1,3 +1,9 @@
2007-02-13 Mickael Remond <mickael.remond@process-one.net>
* src/ejabberd_auth_ldap.erl: Added ldap_local_filter option. This
option provide an optimisation to reduce LDAP directory load when
using attribute-based filters.
2007-02-04 Alexey Shchepin <alexey@sevcom.net> 2007-02-04 Alexey Shchepin <alexey@sevcom.net>
* src/web/ejabberd_http.erl: Added separate version of * src/web/ejabberd_http.erl: Added separate version of


@ -54,6 +54,7 @@
uids, uids,
ufilter, ufilter,
sfilter, sfilter,
lfilter, %% Local filter (performed by ejabberd, not LDAP)
dn_filter, dn_filter,
dn_filter_attrs dn_filter_attrs
}). }).
@ -243,7 +244,7 @@ find_user_dn(User, State) ->
{attributes, DNAttrs}]) of {attributes, DNAttrs}]) of
#eldap_search_result{entries = [#eldap_entry{attributes = Attrs, #eldap_search_result{entries = [#eldap_entry{attributes = Attrs,
object_name = DN} | _]} -> object_name = DN} | _]} ->
is_valid_dn(DN, Attrs, State); dn_filter(DN, Attrs, State);
_ -> _ ->
false false
end; end;
@ -251,6 +252,15 @@ find_user_dn(User, State) ->
false false
end. end.
%% apply the dn filter and the local filter:
dn_filter(DN, Attrs, State) ->
%% Check if user is denied access by attribute value (local check)
case check_local_filter(Attrs, State) of
false -> false;
true -> is_valid_dn(DN, Attrs, State)
end.
%% Check that the DN is valid, based on the dn filter
is_valid_dn(DN, _, #state{dn_filter = undefined}) -> is_valid_dn(DN, _, #state{dn_filter = undefined}) ->
DN; DN;
@ -281,6 +291,28 @@ is_valid_dn(DN, Attrs, State) ->
false false
end. end.
%% The local filter is used to check an attribute in ejabberd
%% and not in LDAP to limit the load on the LDAP directory.
%% A local rule can be either:
%% {equal, {"accountStatus",["active"]}}
%% {notequal, {"accountStatus",["disabled"]}}
%% {ldap_local_filter, {notequal, {"accountStatus",["disabled"]}}}
check_local_filter(_Attrs, #state{lfilter = undefined}) ->
true;
check_local_filter(Attrs, #state{lfilter = LocalFilter}) ->
{Operation, FilterMatch} = LocalFilter,
local_filter(Operation, Attrs, FilterMatch).
local_filter(equal, Attrs, FilterMatch) ->
{Attr, Value} = FilterMatch,
case lists:keysearch(Attr, 1, Attrs) of
false -> false;
{value,{Attr,Value}} -> true;
_ -> false
end;
local_filter(notequal, Attrs, FilterMatch) ->
not local_filter(equal, Attrs, FilterMatch).
%%%---------------------------------------------------------------------- %%%----------------------------------------------------------------------
%%% Auxiliary functions %%% Auxiliary functions
%%%---------------------------------------------------------------------- %%%----------------------------------------------------------------------
@ -321,6 +353,7 @@ parse_options(Host) ->
undefined -> {undefined, undefined}; undefined -> {undefined, undefined};
{DNF, DNFA} -> {DNF, DNFA} {DNF, DNFA} -> {DNF, DNFA}
end, end,
LocalFilter = ejabberd_config:get_local_option({ldap_local_filter, Host}),
#state{host = Host, #state{host = Host,
eldap_id = Eldap_ID, eldap_id = Eldap_ID,
bind_eldap_id = Bind_Eldap_ID, bind_eldap_id = Bind_Eldap_ID,
@ -333,6 +366,7 @@ parse_options(Host) ->
uids = UIDs, uids = UIDs,
ufilter = UserFilter, ufilter = UserFilter,
sfilter = SearchFilter, sfilter = SearchFilter,
lfilter = LocalFilter,
dn_filter = DNFilter, dn_filter = DNFilter,
dn_filter_attrs = DNFilterAttrs dn_filter_attrs = DNFilterAttrs
}. }.
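Review bot: `local_filter(notequal, ...)` in the third hunk is defined as `not local_filter(equal, ...)`, so an entry that has no such attribute at all (the `false` branch of `lists:keysearch`) is accepted by a `notequal` filter, and because `{value,{Attr,Value}}` only matches when the whole value list is identical, a multi-valued attribute such as `["active","disabled"]` never satisfies `equal` and therefore always passes `notequal`. Whether that fail-open result for a missing or multi-valued attribute is intended is not stated anywhere in the hunk; the header comment above `check_local_filter` should say so, e.g. `%% An entry without the attribute, or with additional values, does not match 'equal' and so passes 'notequal'.` If missing attributes are meant to be rejected, `notequal` needs its own `lists:keysearch` clause that distinguishes an absent attribute from a present-but-different value instead of negating `equal`. Separately, `check_local_filter` destructures the option with `{Operation, FilterMatch} = LocalFilter`, so a malformed `ldap_local_filter` value is only detected as a `badmatch` at login time; validating its shape where `parse_options` reads it (last two hunks) would surface the misconfiguration at startup instead.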