| Copyright | (C) 2015 Maciej Kazulak | 
|---|---|
| License | BSD-style (see the file LICENSE) | 
| Maintainer | Maciej Kazulak <kazulakm@gmail.com> | 
| Stability | experimental | 
| Portability | portable | 
| Safe Haskell | None | 
| Language | Haskell2010 | 
Yesod.Auth.LdapNative
Description
Yesod LDAP authentication plugin using Haskell native LDAP client.
- authLdap :: YesodAuth m => LdapAuthConf -> AuthPlugin m
- authLdapWithForm :: (Yesod m, YesodAuth m) => LdapAuthConf -> (Route m -> WidgetT m IO ()) -> AuthPlugin m
- data LdapAuthConf
- data LdapAuthQuery = LdapAuthQuery Dn (Mod Search) (Text -> Filter) [Attr]
- data LdapCreds = LdapCreds {}
- mkLdapConf :: Maybe (Text, Text) -> Text -> LdapAuthConf
- mkGroupQuery :: Text -> Text -> Text -> Text -> LdapAuthQuery
- setHost :: Host -> LdapAuthConf -> LdapAuthConf
- setPort :: PortNumber -> LdapAuthConf -> LdapAuthConf
- setUserQuery :: LdapAuthQuery -> LdapAuthConf -> LdapAuthConf
- setGroupQuery :: Maybe LdapAuthQuery -> LdapAuthConf -> LdapAuthConf
- setDebug :: Int -> LdapAuthConf -> LdapAuthConf
- data Host :: *
 
Usage
This module follows the service bind approach.
Basic configuration in Foundation.hs:
ldapConf :: LdapAuthConf
ldapConf =
    setHost (Secure "127.0.0.1") $ setPort 636
  $ mkLdapConf (Just ("cn=Manager,dc=example,dc=com", "v3ryS33kret")) "ou=people,dc=example,dc=com"

Then add authLdap ldapConf to your authPlugins.
For a plain (unencrypted) connection (only for testing!):
setHost (Plain "127.0.0.1")
For additional group authentication use setGroupQuery:
ldapConf :: LdapAuthConf
ldapConf =
    setGroupQuery (Just $ mkGroupQuery "ou=group,dc=example,dc=com" "cn" "it" "memberUid")
  $ setHost (Secure "127.0.0.1") $ setPort 636
  $ mkLdapConf (Just ("cn=yourapp,ou=services,dc=example,dc=com", "v3ryS33kret")) "ou=people,dc=example,dc=com"

In the example above, user jdoe will only be successfully authenticated when:
- the service bind using the provided account is successful
- exactly one entry with objectclass=posixAccount and uid=jdoe exists somewhere in ou=people,dc=example,dc=com
- at least one group exists with cn=it and memberUid=jdoe in ou=group,dc=example,dc=com
 
Fine control of the queries is available with setUserQuery and setGroupQuery.
When testing or during initial configuration, consider using setDebug (set to 1 to enable). This will
give you the exact error condition instead of "That is all we know". Never use it in production, though, as it
may reveal sensitive information.
Refer to the ldap-client documentation for details.
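The following is an added example, not code from the plugin's own documentation: a small module that Foundation.hs can import, combining the service bind, a custom user query via setUserQuery, and the group query shown above. It assumes that Dn, Attr, Filter, Scope, Host and the scope modifier come from Ldap.Client (the ldap-client package this plugin builds on), and that the service-account password is passed in from the application settings at startup rather than written as a literal; the module name LdapConf and the settings field appLdapBindPassword mentioned in the trailing comment are hypothetical.

```haskell
{-# LANGUAGE OverloadedStrings #-}
-- Added example (not part of yesod-auth-ldap-native's own docs).
-- Assumed imports: the LDAP value types and the `scope` modifier come from
-- Ldap.Client; the plugin API comes from Yesod.Auth.LdapNative.
module LdapConf (ldapConf, userQuery, groupQuery) where

import Data.List.NonEmpty (NonEmpty ((:|)))
import Data.Text (Text)
import Data.Text.Encoding (encodeUtf8)
import Ldap.Client (Attr (..), Dn (..), Filter (..), Host (..), Scope (..), scope)
import Yesod.Auth.LdapNative

-- User lookup: base DN, search modifiers, a filter that is a function of the
-- login name, and the attributes to fetch. The login name enters the filter as
-- a typed attribute value assertion (`:=`), not by string concatenation, so
-- characters such as '*', '(' or ')' in the input cannot alter the query shape.
userQuery :: LdapAuthQuery
userQuery = LdapAuthQuery
  (Dn "ou=people,dc=example,dc=com")
  (scope WholeSubtree)
  (\uname -> And ((Attr "objectClass" := "inetOrgPerson")
                  :| [Attr "uid" := encodeUtf8 uname]))
  [Attr "uid"]

-- Group check: only accounts listed as memberUid of cn=it may log in.
groupQuery :: LdapAuthQuery
groupQuery = mkGroupQuery "ou=group,dc=example,dc=com" "cn" "it" "memberUid"

-- Full configuration: TLS to the directory, a dedicated service account for
-- the bind (hypothetical DN), and both queries. setDebug is deliberately left
-- at its default so exact LDAP errors never reach the login page.
ldapConf :: Text -> LdapAuthConf
ldapConf bindPassword =
    setUserQuery userQuery
  $ setGroupQuery (Just groupQuery)
  $ setHost (Secure "ldap.example.com")
  $ setPort 636
  $ mkLdapConf (Just ("cn=yourapp,ou=services,dc=example,dc=com", bindPassword))
               "ou=people,dc=example,dc=com"

-- In the YesodAuth instance in Foundation.hs, with appLdapBindPassword a
-- hypothetical field of the site's settings record:
--
--   authPlugins app = [authLdap (ldapConf (appLdapBindPassword (appSettings app)))]
```

Passing the bind password in as a value keeps the service-account secret out of the compiled source and out of version control; the service account itself only needs read access to the user and group subtrees, since the plugin searches with it and does not modify the directory.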
Plugin Configuration
authLdap :: YesodAuth m => LdapAuthConf -> AuthPlugin m
authLdapWithForm :: (Yesod m, YesodAuth m) => LdapAuthConf -> (Route m -> WidgetT m IO ()) -> AuthPlugin m
LDAP Configuration
data LdapAuthConf
LDAP configuration.
Details hidden on purpose.
Use mkLdapConf to create a default config and the functions below to adjust it to taste.
data LdapAuthQuery
Query parameters.
Standard LDAP query parameters except filter is a function of the username.
mkLdapConf :: Maybe (Text, Text) -> Text -> LdapAuthConf
Arguments
| Argument | Description |
|---|---|
| :: Maybe (Text, Text) | bindDn and bindPw |
| -> Text | user query baseDn |
| -> LdapAuthConf | |
Default LDAP configuration.
mkGroupQuery :: Text -> Text -> Text -> Text -> LdapAuthQuery
Arguments
| Argument | Description |
|---|---|
| :: Text | baseDn |
| -> Text | group name attr |
| -> Text | group name |
| -> Text | member attr |
| -> LdapAuthQuery | |
Default LDAP group query.
setHost :: Host -> LdapAuthConf -> LdapAuthConf
setPort :: PortNumber -> LdapAuthConf -> LdapAuthConf
setUserQuery :: LdapAuthQuery -> LdapAuthConf -> LdapAuthConf
setDebug :: Int -> LdapAuthConf -> LdapAuthConf
Enable exact error messages.
This will include LdapAuthError in alerts instead of a generic message. Do not use in production.