| Copyright | (C) 2015 Maciej Kazulak |
|---|---|
| License | BSD-style (see the file LICENSE) |
| Maintainer | Maciej Kazulak <kazulakm@gmail.com> |
| Stability | experimental |
| Portability | portable |
| Safe Haskell | None |
| Language | Haskell2010 |
Yesod.Auth.LdapNative
Description
Yesod LDAP authentication plugin using Haskell native LDAP client.
- authLdap :: YesodAuth m => LdapAuthConf -> AuthPlugin m
- authLdapWithForm :: (Yesod m, YesodAuth m) => LdapAuthConf -> (Route m -> WidgetT m IO ()) -> AuthPlugin m
- data LdapAuthConf
- data LdapAuthQuery = LdapAuthQuery Dn (Mod Search) (Text -> Filter) [Attr]
- mkLdapConf :: Text -> Text -> Text -> LdapAuthConf
- mkGroupQuery :: Text -> Text -> Text -> Text -> LdapAuthQuery
- setHost :: Host -> LdapAuthConf -> LdapAuthConf
- setPort :: PortNumber -> LdapAuthConf -> LdapAuthConf
- setUserQuery :: LdapAuthQuery -> LdapAuthConf -> LdapAuthConf
- setGroupQuery :: Maybe LdapAuthQuery -> LdapAuthConf -> LdapAuthConf
- setDebug :: Int -> LdapAuthConf -> LdapAuthConf
- data Host :: *
Usage
This module follows the service bind approach.
Basic configuration in Foundation.hs:
ldapConf :: LdapAuthConf
ldapConf =
setHost (Secure "127.0.0.1") $ setPort 636
$ mkLdapConf "cn=Manager,dc=example,dc=com" "v3ryS33kret" "ou=people,dc=example,dc=com"And add authLdap ldapConf to your authPlugins.
For plain connection (only for testing!):
setHost (Plain "127.0.0.1")
For additional group authentication use setGroupQuery:
ldapConf :: LdapAuthConf
ldapConf =
setGroupQuery (Just $ mkGroupQuery "ou=group,dc=example,dc=com" "cn" "it" "memberUid")
$ setHost (Secure "127.0.0.1") $ setPort 636
$ mkLdapConf "cn=yourapp,ou=services,dc=example,dc=com" "v3ryS33kret" "ou=people,dc=example,dc=com"In the example above user jdoe will only be successfully authenticated when:
- service bind using the provided account is successful
- exactly one entry with objectclass=posixAccount and uid=jdoe exists somewhere in ou=people,dc=example,dc=com
- at least one group exists with cn=it and memberUid=jdoe in ou=group,dc=example,dc=com
Fine control of the queries is available with setUserQuery and setGroupQuery.
When testing or during initial configuration consider using setDebug - set to 1 to enable. This will
give you exact error condition instead of "That is all we know". Never use it in production though as it
may reveal sensitive information.
Refer to 'ldap-client' documentation for details.
Plugin Configuration
authLdap :: YesodAuth m => LdapAuthConf -> AuthPlugin m Source
authLdapWithForm :: (Yesod m, YesodAuth m) => LdapAuthConf -> (Route m -> WidgetT m IO ()) -> AuthPlugin m Source
LDAP Configuration
data LdapAuthConf Source
LDAP configuration.
Details hidden on purpose.
Use mkLdapConf to create default config and functions below to adjust to taste.
data LdapAuthQuery Source
Query parameters.
Standard LDAP query parameters except filter is a function of the username.
Arguments
| :: Text | bindDn |
| -> Text | bindPw |
| -> Text | user query baseDn |
| -> LdapAuthConf |
Default LDAP configuration.
Arguments
| :: Text | baseDn |
| -> Text | group name attr |
| -> Text | group name |
| -> Text | member attr |
| -> LdapAuthQuery |
Default LDAP group query.
setHost :: Host -> LdapAuthConf -> LdapAuthConf Source
setPort :: PortNumber -> LdapAuthConf -> LdapAuthConf Source
setDebug :: Int -> LdapAuthConf -> LdapAuthConf Source
Enable exact error messages.
This will include LdapAuthError in alerts instead of a generic message. Do not use in production.