


This module is an authentication plugin for cas-server. It provides a means to authenticate users against an Active Directory instance.


The module requires a configuration object matching:

  {
    ad: { // required
      searchUser: 'cn=jsmith,ou=users,dc=example,dc=com', // required
      searchPass: 'jsmith_password', // required
      ldapjs: {
        url: '(ldap|ldaps)://', // required
        searchBase: 'dc=example,dc=com', // required
        scope: 'base', // 'base', 'one', 'sub' default: 'sub'
        attributes: [ 'dn', 'cn', 'sn', 'givenName', 'mail', 'memberOf' ] // optional
      }
    },
    allowEmptyPass: false, // ldap returns "true" by default if a password is empty
    attributesMap: { // optional
      user: {}, // optional
      group: {} // optional
    }
  }


The ad property defines the configuration that will be passed to the underlying Active Directory module. This configuration is supplied to the AD module as-is.


ad.searchUser is the username the AD module will use to bind to the server for search operations.

ad.searchPass is the password for ad.searchUser.

ad.ldapjs.url is an LDAP URL pointing to your Active Directory server. This property is required.

ad.ldapjs.searchBase is the DN under which all search queries will be performed. This includes authentications.

ad.ldapjs.scope is the search method to use. This module's default is 'sub'.

ad.ldapjs.attributes is an array of attributes to include in search results. These will be used by cas-server as extra attributes during CAS 3.0 authentication. The default attribute set is:

[ 'dn', 'cn', 'sn', 'givenName', 'mail', 'memberOf' ]


allowEmptyPass controls how empty passwords are handled. The LDAP protocol allows empty passwords by default: when the password is empty, the server returns a "success" response for the bind operation. In almost all cases you do not want this to happen, but there may be a rare case where you do, so it is left as an option.
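The guard this option implies, as an added example that is not code from this module: a hypothetical `makeValidator` wrapper refuses empty passwords before any bind is attempted unless `allowEmptyPass` is explicitly `true`. `fakeBind` and its one-entry directory are constructed stand-ins that mimic a server answering "success" to an empty-password bind.

```javascript
'use strict';

// Constructed stand-in for a directory server: like an LDAP simple bind, it
// reports success when the password is empty, whoever the user is.
const directory = { 'cn=jsmith,ou=users,dc=example,dc=com': 'jsmith_password' };
async function fakeBind(dn, password) {
  if (password === '') return true; // the default behaviour described above
  return Object.prototype.hasOwnProperty.call(directory, dn) &&
    directory[dn] === password;
}

// Hypothetical wrapper: rejects empty credentials before a bind is sent,
// unless the operator has explicitly set allowEmptyPass to true.
function makeValidator(bind, config = {}) {
  const allowEmptyPass = config.allowEmptyPass === true; // anything else denies
  return async function validate(dn, password) {
    if (typeof dn !== 'string' || dn.length === 0) return false;
    const empty = password === undefined || password === null || password === '';
    if (empty && !allowEmptyPass) return false;
    if (!empty && typeof password !== 'string') return false;
    return bind(dn, empty ? '' : password);
  };
}

async function demo() {
  const dn = 'cn=jsmith,ou=users,dc=example,dc=com';
  const strict = makeValidator(fakeBind, { allowEmptyPass: false });
  const lax = makeValidator(fakeBind, { allowEmptyPass: true });
  return {
    rawEmptyBind: await fakeBind(dn, ''),            // true: the bind alone proves nothing
    strictEmpty: await strict(dn, ''),               // false
    strictMissing: await strict(dn, undefined),      // false
    strictGood: await strict(dn, 'jsmith_password'), // true
    strictWrong: await strict(dn, 'guess'),          // false
    laxEmpty: await lax(dn, '')                      // true: the explicit opt-in
  };
}

demo().then((result) => console.log(result));
```
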


attributesMap.user allows you to rename the attributes returned in user searches. It should be an object where keys are the AD names and values are the new names. For example:

  {
    sAMAccountName: 'firstName'
  }

will rename the sAMAccountName property to firstName and leave all other property names alone.

attributesMap.group is the same as attributesMap.user but for group names.


MIT License