Chapril/xmpp.chapril.org-ejabberd
26
1
Fork 0
mirror of https://github.com/processone/ejabberd.git synced 2025-01-03 18:02:28 +01:00
Code Releases Activity

ldap_dn_filter option is documented; now fetching only needed attributes in LDAP search requests (EJAB-1204)

Browse Source
This commit is contained in:
Evgeniy Khramtsov 2010-03-08 16:44:14 +09:00
parent 22d490486a
commit 606860e1cc
2 changed files with 38 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
doc/guide.tex
View File

@ -2238,7 +2238,22 @@ You can authenticate users against an LDAP directory. Available options are:
not forget to close brackets and do not use superfluous whitespaces. Also you not forget to close brackets and do not use superfluous whitespaces. Also you
\emph{must not} use \option{ldap\_uidattr} attribute in filter because this \emph{must not} use \option{ldap\_uidattr} attribute in filter because this
attribute will be substituted in LDAP filter automatically. attribute will be substituted in LDAP filter automatically.
\titem{\{ldap\_dn\_filter, \{ Filter, FilterAttrs \}\}}\ind{options!ldap\_dn\_filter}
This filter is applied on the results returned by the main filter. This filter
performs additional LDAP lookup to make the complete result. This is useful
when you are unable to define all filter rules in \term{ldap\_filter}. You
can define \term{"\%u"}, \term{"\%d"}, \term{"\%s"} and \term{"\%D"} pattern
variables in Filter: \term{"\%u"} is replaced by a user's part of a JID,
\term{"\%d"} is replaced by the corresponding domain (virtual host),
all \term{"\%s"} variables are consecutively replaced by values of FilterAttrs
attributes and \term{"\%D"} is replaced by Distinguished Name. By default
\term{ldap\_dn\_filter} is undefined.
Example:
\begin{verbatim}
{ldap_dn_filter, {"(&(name=%s)(owner=%D)(user=%u@%d))", ["sn"]}}.
\end{verbatim}
Since this filter makes additional LDAP lookups, use it only in the
last resort: try to define all filter rules in \term{ldap\_filter} if possible.
\titem{\{ldap\_local\_filter, Filter\}}\ind{options!ldap\_local\_filter} \titem{\{ldap\_local\_filter, Filter\}}\ind{options!ldap\_local\_filter}
If you can't use \term{ldap\_filter} due to performance reasons If you can't use \term{ldap\_filter} due to performance reasons
(the LDAP server has many users registered), (the LDAP server has many users registered),

31
src/ejabberd_auth_ldap.erl
View File

@ -217,13 +217,13 @@ get_vh_registered_users_ldap(Server) ->
UIDs = State#state.uids, UIDs = State#state.uids,
Eldap_ID = State#state.eldap_id, Eldap_ID = State#state.eldap_id,
Server = State#state.host, Server = State#state.host,
SortedDNAttrs = eldap_utils:usort_attrs(State#state.dn_filter_attrs), ResAttrs = result_attrs(State),
case eldap_filter:parse(State#state.sfilter) of case eldap_filter:parse(State#state.sfilter) of
{ok, EldapFilter} -> {ok, EldapFilter} ->
case eldap_pool:search(Eldap_ID, [{base, State#state.base}, case eldap_pool:search(Eldap_ID, [{base, State#state.base},
{filter, EldapFilter}, {filter, EldapFilter},
{timeout, ?LDAP_SEARCH_TIMEOUT}, {timeout, ?LDAP_SEARCH_TIMEOUT},
{attributes, SortedDNAttrs}]) of {attributes, ResAttrs}]) of
#eldap_search_result{entries = Entries} -> #eldap_search_result{entries = Entries} ->
lists:flatmap( lists:flatmap(
fun(#eldap_entry{attributes = Attrs, fun(#eldap_entry{attributes = Attrs,
@ -269,15 +269,16 @@ handle_call(_Request, _From, State) ->
{reply, bad_request, State}. {reply, bad_request, State}.
find_user_dn(User, State) -> find_user_dn(User, State) ->
DNAttrs = eldap_utils:usort_attrs(State#state.dn_filter_attrs), ResAttrs = result_attrs(State),
case eldap_filter:parse(State#state.ufilter, [{"%u", User}]) of case eldap_filter:parse(State#state.ufilter, [{"%u", User}]) of
{ok, Filter} -> {ok, Filter} ->
case eldap_pool:search(State#state.eldap_id, [{base, State#state.base}, case eldap_pool:search(State#state.eldap_id,
{filter, Filter}, [{base, State#state.base},
{attributes, DNAttrs}]) of {filter, Filter},
{attributes, ResAttrs}]) of
#eldap_search_result{entries = [#eldap_entry{attributes = Attrs, #eldap_search_result{entries = [#eldap_entry{attributes = Attrs,
object_name = DN} | _]} -> object_name = DN} | _]} ->
dn_filter(DN, Attrs, State); dn_filter(DN, Attrs, State);
_ -> _ ->
false false
end; end;
@ -346,6 +347,14 @@ local_filter(equal, Attrs, FilterMatch) ->
local_filter(notequal, Attrs, FilterMatch) -> local_filter(notequal, Attrs, FilterMatch) ->
not local_filter(equal, Attrs, FilterMatch). not local_filter(equal, Attrs, FilterMatch).
result_attrs(#state{uids = UIDs, dn_filter_attrs = DNFilterAttrs}) ->
lists:foldl(
fun({UID}, Acc) ->
[UID | Acc];
({UID, _}, Acc) ->
[UID | Acc]
end, DNFilterAttrs, UIDs).
%%%---------------------------------------------------------------------- %%%----------------------------------------------------------------------
%%% Auxiliary functions %%% Auxiliary functions
%%%---------------------------------------------------------------------- %%%----------------------------------------------------------------------
@ -388,8 +397,12 @@ parse_options(Host) ->
LDAPBase = ejabberd_config:get_local_option({ldap_base, Host}), LDAPBase = ejabberd_config:get_local_option({ldap_base, Host}),
{DNFilter, DNFilterAttrs} = {DNFilter, DNFilterAttrs} =
case ejabberd_config:get_local_option({ldap_dn_filter, Host}) of case ejabberd_config:get_local_option({ldap_dn_filter, Host}) of
undefined -> {undefined, undefined}; undefined ->
{DNF, DNFA} -> {DNF, DNFA} {undefined, []};
{DNF, undefined} ->
{DNF, []};
{DNF, DNFA} ->
{DNF, DNFA}
end, end,
LocalFilter = ejabberd_config:get_local_option({ldap_local_filter, Host}), LocalFilter = ejabberd_config:get_local_option({ldap_local_filter, Host}),
#state{host = Host, #state{host = Host,