Ticket #180 (closed enhancement: fixed)

Opened 9 months ago

Last modified 8 months ago

allow specifying additional filter to LDAP, and allow customization of uid attribute format

Reported by: AceJohnny Owned by: smoku
Priority: minor Component: storage
Version: 2.1.19 Keywords: LDAP
Cc: Tracforge_linkmap:
Blocking: Blocked By:

Description

authreg_ldap patch.

This adds <uidattr_format> and <filter> configuration options to the c2s ldap configuration section, to enable finer configuration of LDAP search.

The <filter> option allows you to specify an LDAP filter string which will be appended (AND) to the main (uid=$USERNAME) search string. This is useful if you wish to restrict your search in special ways, typically if you organise your user groups by adding an attribute rather than putting them in a subtree. For example, putting "(objectClass=inetOrgPerson)" in filter will result in sending "(&(uid=$USERNAME)(objectClass=inetOrgPerson))" to the LDAP server.

The <uidattr_format> option allows you to customise the UID Attribute format further than with <append_realm>. You can specify a string containing at least '%u' and either '%r' or '%d'. '%u' will be replaced by the username, and '%r' or '%d' will be replaced by the jabber server's realm/domain. I couldn't decide whether to use only %r or %d, so I included both. You must not use '%r' and '%d' at the same time. Warning: this configuration string is parsed for %u and %r or %d, then passed as a format string to snprintf(). Any other printf-style format strings in <uidattr_format> will break your system, burn your house and kill your dog.

Legacy compatibility:

  • not specifying <uidattr_format> is the same as specifying '%u', and the LDAP filter string will contain ($uidattr=$username)
  • <append-realm/> can be replaced by setting <uidattr_format> to '%u@%d' or '%u@%r', and the LDAP filter string will contain ($uidattr=$username@$realm); thus, <append-realm/> is deprecated.

Why this patch? I needed to search on my users' 'mail' LDAP attribute, which contained the full 'username@ldapdomain' string. Except the domain in LDAP was different than that of my jabber server, and I couldn't change either. I thus needed to alter the LDAP search string in the server, by setting <uidattr>=mail and <uidattr_format>=%u@ldapdomain.

Why include both %r and %d as possible options in "uidattr_format"? The Jabberd2 code and doc calls the "domain" part of a JID the "realm", possibly to highlight the nuance there is between the internal jabber notion and what we commonly use on the internet. However, it's been my experience that the realm is always a proper inet domain. %r would be easier to remember for those who are used to thinking about "realms", but I believe most admins think of it as a "domain", and would prefer %d.
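As an added illustration (not the ticket's patch and not jabberd2 code), this is how the search string described above can be built without handing the template to snprintf(): %u and %r are substituted by hand, a stray '%' is copied literally, and the substituted username is escaped per RFC 4515 so a login name cannot change the shape of the filter. Only %u and %r are handled, and the function names and buffer sizes are my own assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Append src to dst (capacity dstsz, *len bytes used so far); 0 on overflow. */
static int put(char *dst, size_t dstsz, size_t *len, const char *src) {
    size_t l = strlen(src);
    if (*len + l >= dstsz) return 0;
    memcpy(dst + *len, src, l + 1);
    *len += l;
    return 1;
}
/* RFC 4515 escaping of an assertion value: * ( ) \ become \2a \28 \29 \5c. */
static int escape_value(const char *in, char *out, size_t outsz) {
    size_t n = 0;
    out[0] = '\0';
    for (; *in; in++) {
        char piece[4] = { *in, '\0' };
        if (strchr("*()\\", *in))
            snprintf(piece, sizeof piece, "\\%02x", (unsigned char)*in);
        if (!put(out, outsz, &n, piece)) return 0;
    }
    return 1;
}
/* Expand a <uidattr_format>-style template: %u -> escaped username,
 * %r -> realm (server config, not user input). Everything else, a stray
 * '%' included, is copied literally, so the template is never a format string. */
static int expand_uid(const char *fmt, const char *user, const char *realm,
                      char *out, size_t outsz) {
    char euser[256];
    size_t n = 0;
    out[0] = '\0';
    if (!escape_value(user, euser, sizeof euser)) return 0;
    for (; *fmt; fmt++) {
        char one[2] = { *fmt, '\0' };
        const char *piece = one;
        if (*fmt == '%' && (fmt[1] == 'u' || fmt[1] == 'r'))
            piece = (*++fmt == 'u') ? euser : realm;
        if (!put(out, outsz, &n, piece)) return 0;
    }
    return 1;
}
/* Search string as the ticket describes: (&(uidattr=expanded)<filter>),
 * or just (uidattr=expanded) when no extra <filter> is configured. */
int build_search(char *out, size_t outsz, const char *uidattr, const char *fmt,
                 const char *user, const char *realm, const char *extra) {
    char uid[512];
    if (!expand_uid(fmt, user, realm, uid, sizeof uid)) return 0;
    int r = (extra && *extra) ? snprintf(out, outsz, "(&(%s=%s)%s)", uidattr, uid, extra)
                              : snprintf(out, outsz, "(%s=%s)", uidattr, uid);
    return r > 0 && (size_t)r < outsz;
}
```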

Attachments

authreg_ldap.c.diff.gz (1.4 kB) - added by AceJohnny 8 months ago.
authreg_ldap.diff (4.1 kB) - added by AceJohnny 8 months ago.
authreg_ldap.2.diff (4.1 kB) - added by AceJohnny 8 months ago.
authreg_ldap.diff.gz (1.4 kB) - added by AceJohnny 8 months ago. patch v2.0

Change History

Changed 9 months ago by smoku

Regarding the distinction between the 'realm' and 'domain'.

The part after the @ in JID is called domainpart.

The 'realm' exists only in the 'authentication realm'. You may use a different authentication ID, one that exists in the given authentication realm, than your authorization ID, the JID you are able to use.

Most of the time AuthNID == AuthZID == JID, but there are use cases when it's not. Example: LDAP based authentication ;-)

In the case of jabberd, 'realm' is used only in the C2S context, during user authentication. Once you have a JID bound, you have your domainpart.

Changed 8 months ago by AceJohnny

  • keywords LDAP added
  • priority changed from major to minor

Updated patch with Harald's comments on the ML (http://lists.xiaoka.com/pipermail/jabberd2-xiaoka.com/2007q4/000593.html):

  • replace <uidattr_format> and <filter> elements with one <query> element (this deprecates the <uid> and <append-realm> elements)
  • no longer accept the %d wildcard in <query>

Changed 8 months ago by AceJohnny

patch v2.0

Changed 8 months ago by smoku

  • status changed from new to closed
  • resolution set to fixed

Patch merged in r502:504.
