Copyright | (C) 2015 Maciej Kazulak |
---|---|
License | BSD-style (see the file LICENSE) |
Maintainer | Maciej Kazulak <kazulakm@gmail.com> |
Stability | experimental |
Portability | portable |
Safe Haskell | None |
Language | Haskell2010 |
Yesod LDAP authentication plugin using Haskell native LDAP client.
- authLdap :: YesodAuth m => LdapAuthConf -> AuthPlugin m
- authLdapWithForm :: (Yesod m, YesodAuth m) => LdapAuthConf -> (Route m -> WidgetT m IO ()) -> AuthPlugin m
- data LdapAuthConf
- data LdapAuthQuery = LdapAuthQuery Dn (Mod Search) (Text -> Filter) [Attr]
- data LdapCreds = LdapCreds {}
- mkLdapConf :: Maybe (Text, Text) -> Text -> LdapAuthConf
- mkGroupQuery :: Text -> Text -> Text -> Text -> LdapAuthQuery
- setHost :: Host -> LdapAuthConf -> LdapAuthConf
- setPort :: PortNumber -> LdapAuthConf -> LdapAuthConf
- setUserQuery :: LdapAuthQuery -> LdapAuthConf -> LdapAuthConf
- setGroupQuery :: Maybe LdapAuthQuery -> LdapAuthConf -> LdapAuthConf
- setDebug :: Int -> LdapAuthConf -> LdapAuthConf
- data Host :: *
Usage
This module follows the service bind approach: the plugin binds with a dedicated service account to look up the user's entry before authenticating the user.
Basic configuration in Foundation.hs:

    ldapConf :: LdapAuthConf
    ldapConf = setHost (Secure "127.0.0.1")
             $ setPort 636
             $ mkLdapConf (Just ("cn=Manager,dc=example,dc=com", "v3ryS33kret"))
                          "ou=people,dc=example,dc=com"

Then add authLdap ldapConf to your authPlugins. Prefer a dedicated read-only service account (as in the group example below) over the directory manager, and keep the bind password out of source control.
For a plaintext connection (testing only: without TLS the service bind password and every user's credentials cross the wire unencrypted):

    setHost (Plain "127.0.0.1")
For an additional group membership check (authorization on top of authentication) use setGroupQuery:

    ldapConf :: LdapAuthConf
    ldapConf = setGroupQuery (Just $ mkGroupQuery "ou=group,dc=example,dc=com" "cn" "it" "memberUid")
             $ setHost (Secure "127.0.0.1")
             $ setPort 636
             $ mkLdapConf (Just ("cn=yourapp,ou=services,dc=example,dc=com", "v3ryS33kret"))
                          "ou=people,dc=example,dc=com"
In the example above user jdoe will only be successfully authenticated when:
- service bind using the provided account is successful
- exactly one entry with objectclass=posixAccount and uid=jdoe exists somewhere in ou=people,dc=example,dc=com
- at least one group exists with cn=it and memberUid=jdoe in ou=group,dc=example,dc=com
Fine control of the queries is available with setUserQuery and setGroupQuery.
When testing or during initial configuration consider using setDebug (set to 1 to enable). This gives you the exact error condition instead of "That is all we know". Never use it in production: the raw LDAP error is shown to whoever submitted the login form and may reveal sensitive information, for example whether a given username exists or details of the directory layout.
Refer to the ldap-client documentation for details of the Dn, Filter and Mod Search types used in queries.
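The pieces above combined into one startup routine, as an added example (not code from this page or from the yesod-auth-ldap-native package): the service bind credentials come from the environment instead of the source file, the user query is overridden with setUserQuery using ldap-client's Dn, Filter and Attr constructors, and setDebug is applied only when explicitly requested. The module name Yesod.Auth.LDAPNative, the environment variable names LDAP_HOST, LDAP_BIND_DN, LDAP_BIND_PW and LDAP_DEBUG, and the function names ldapConfFromEnv, userQuery and itGroupQuery are assumptions.

```haskell
{-# LANGUAGE OverloadedStrings #-}
-- Added example, not part of yesod-auth-ldap-native. Builds an LdapAuthConf
-- at application startup from environment variables (names assumed).
module LdapConfig
  ( ldapConfFromEnv
  , userQuery
  , itGroupQuery
  ) where

import           Data.List.NonEmpty (NonEmpty ((:|)))
import           Data.Maybe         (fromMaybe)
import           Data.Text          (Text)
import qualified Data.Text          as T
import qualified Data.Text.Encoding as TE
import           Ldap.Client        (Attr (..), Dn (..), Filter (..), Host (..),
                                     Scope (..), scope)
import           System.Environment (lookupEnv)
import           Yesod.Auth.LDAPNative   -- module name assumed

-- | User lookup: exactly like the default described in the docs
-- (objectClass=posixAccount and uid=<user>), but restricted to entries
-- directly under the base DN instead of the whole subtree. The username is
-- carried as a structured attribute value, not interpolated into filter text.
userQuery :: Text -> LdapAuthQuery
userQuery baseDn = LdapAuthQuery (Dn baseDn) (scope SingleLevel) userFilter [Attr "uid"]
  where
    userFilter user =
      And ((Attr "objectClass" := "posixAccount")
           :| [Attr "uid" := TE.encodeUtf8 user])

-- | Members of cn=it, looked up by memberUid (same query as the docs example).
itGroupQuery :: LdapAuthQuery
itGroupQuery = mkGroupQuery "ou=group,dc=example,dc=com" "cn" "it" "memberUid"

-- | Assemble the configuration. Fails at startup if the service bind
-- credentials are missing: mkLdapConf accepts Nothing, but the service bind
-- approach documented above needs both values.
ldapConfFromEnv :: IO LdapAuthConf
ldapConfFromEnv = do
  host   <- fromMaybe "127.0.0.1" <$> lookupEnv "LDAP_HOST"
  bindDn <- lookupEnv "LDAP_BIND_DN"
  bindPw <- lookupEnv "LDAP_BIND_PW"
  debug  <- lookupEnv "LDAP_DEBUG"
  creds  <- case (bindDn, bindPw) of
    (Just dn, Just pw) -> pure (T.pack dn, T.pack pw)
    _                  -> fail "LDAP_BIND_DN and LDAP_BIND_PW must both be set"
  let base = setHost (Secure host)            -- TLS only; Plain is for testing
           $ setPort 636
           $ setUserQuery (userQuery peopleBase)
           $ setGroupQuery (Just itGroupQuery)
           $ mkLdapConf (Just creds) peopleBase
  -- Exact LDAP errors reach the login form only when LDAP_DEBUG=1 is set
  -- explicitly, so a production environment keeps the generic message.
  pure $ case debug of
    Just "1" -> setDebug 1 base
    _        -> base
  where
    peopleBase = "ou=people,dc=example,dc=com"
```

Because the configuration is built in IO, call ldapConfFromEnv once when the foundation value is created, keep the result in a field of your App, and return `[authLdap (appLdapConf app)]` from authPlugins rather than a top-level constant.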
Plugin Configuration
authLdap :: YesodAuth m => LdapAuthConf -> AuthPlugin m
authLdapWithForm :: (Yesod m, YesodAuth m) => LdapAuthConf -> (Route m -> WidgetT m IO ()) -> AuthPlugin m
LDAP Configuration
data LdapAuthConf
LDAP configuration. Details hidden on purpose. Use mkLdapConf to create the default config and the functions below to adjust it to taste.
data LdapAuthQuery
Query parameters. Standard LDAP query parameters, except that the filter is a function of the username.
mkLdapConf
  :: Maybe (Text, Text)  -- bindDn and bindPw
  -> Text                -- user query baseDn
  -> LdapAuthConf
Default LDAP configuration.
mkGroupQuery
  :: Text  -- baseDn
  -> Text  -- group name attr
  -> Text  -- group name
  -> Text  -- member attr
  -> LdapAuthQuery
Default LDAP group query.
setHost :: Host -> LdapAuthConf -> LdapAuthConf
setPort :: PortNumber -> LdapAuthConf -> LdapAuthConf
setUserQuery :: LdapAuthQuery -> LdapAuthConf -> LdapAuthConf
setDebug :: Int -> LdapAuthConf -> LdapAuthConf
Enable exact error messages (1 to enable). This will include the LdapAuthError in alerts instead of a generic message. Do not use in production.