ldapauth-fork
A fork of node-ldapauth-fork, which is itself a fork of node-ldapauth: a simple Node.js library to authenticate against an LDAP server.
Differences with parent fork
Differs from node-ldapauth-fork in accounting for ALL of a user's groups instead of only the root ones: #a3b6310a
Usage
```javascript
var LdapAuth = require('ldapauth-fork');
var options = {
  url: 'ldaps://ldap.example.org:636',
  // ...
};
var auth = new LdapAuth(options);
// The client emits 'error' for connection-level failures; handle it so the
// process does not crash on an unhandled event.
auth.on('error', function (err) {
  console.error('LdapAuth: ', err);
});
// ...
// Verify a username/password pair; user is the LDAP user object on success.
auth.authenticate(username, password, function (err, user) { /* ... */ });
// ...
// Release the admin and user connections when done.
auth.close(function (err) { /* ... */ });
```

LdapAuth inherits from EventEmitter.
Install
npm install ldapauth-fork
LdapAuth Config Options
Required ldapjs client options:
- url - LDAP server URL, e.g. ldaps://ldap.example.org:663
ldapauth-fork options:
- bindDN - Admin connection DN, e.g. uid=myapp,ou=users,dc=example,dc=org. Optional. If not given at all, the admin client is not bound. Giving an empty string may result in an anonymous bind when the server allows it.
- bindCredentials - Password for bindDN.
- searchBase - The base DN from which to search for users by username, e.g. ou=users,dc=example,dc=org
- searchFilter - LDAP search filter with which to find a user by username, e.g. (uid={{username}}). Use the literal {{username}} to have the given username interpolated into the LDAP search.
- searchAttributes - Optional, default all. Array of attributes to fetch from the LDAP server.
- bindProperty - Optional, default dn. Property of the LDAP user object to use when binding to verify the password, e.g. name, email
- searchScope - Optional, default sub. Scope of the search, one of base, one, or sub.
ldapauth-fork can also look up the groups of a valid user. Related options:
- groupSearchBase - Optional. The base DN from which to search for groups. If defined, groupSearchFilter must also be defined for the search to work.
- groupSearchFilter - Optional. LDAP search filter for groups. Place the literal {{dn}} in the filter to have it replaced by the property of the found user object named by groupDnProperty. {{username}} is also available and will be replaced with the uid of the found user; this is useful, for example, to filter PosixGroups by memberUid. Optionally you can assign a function instead: the found user is passed to the function, and it should return a valid search filter for the group search.
- groupSearchAttributes - Optional, default all. Array of attributes to fetch from the LDAP server.
- groupDnProperty - Optional, default dn. The property of the user object to use in the {{dn}} interpolation of groupSearchFilter.
- groupSearchScope - Optional, default sub.
Other ldapauth-fork options:
- includeRaw - Optional, default false. Set to true to add a property _raw containing the original buffers to the returned user object. Useful when you need to handle binary attributes.
- cache - Optional, default false. If true, then up to 100 credentials at a time will be cached for 5 minutes.
- log - Bunyan logger instance, optional. If given, this results in TRACE-level error logging for component: ldapauth. The logger is also passed forward to ldapjs.
Optional ldapjs options, see the ldapjs documentation:
- tlsOptions - Needed for a TLS connection. See the Node.js documentation.
- socketPath
- timeout
- connectTimeout
- idleTimeout
- reconnect
- strictDN
- queueSize
- queueTimeout
- queueDisable
How it works
The LDAP authentication flow is usually:
- Bind the admin client using the given bindDN and bindCredentials
- Use the admin client to search for the user by substituting {{username}} in the searchFilter with the given username
- If the user is found, verify the given password by trying to bind the user client with the found LDAP user object and the given password
- If the password was correct and group search options were provided, search for the groups of the user
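The {{username}} and {{dn}} substitutions from the steps above, as an added example that is not ldapauth-fork's own code: the substituted value is escaped as RFC 4515 requires, so a username containing filter metacharacters stays a plain assertion value instead of altering the filter's structure. The sample user object and the groupSearchFilter values are constructed here; whether and how the library itself escapes the value is not shown on this page and is not assumed.

```javascript
// Added example (not ldapauth-fork's own code): builds the user and group
// search filters the way the flow above describes, escaping the value that
// replaces {{username}} / {{dn}} per RFC 4515.
function escapeFilterValue(value) {
  // Backslash must be escaped first, or the escapes added below would be
  // escaped again. NUL, parentheses and '*' follow.
  return String(value)
    .replace(/\\/g, '\\5c')
    .replace(/\0/g, '\\00')
    .replace(/\(/g, '\\28')
    .replace(/\)/g, '\\29')
    .replace(/\*/g, '\\2a');
}

// Step 2 of the flow: substitute the given username into searchFilter.
function buildUserFilter(searchFilter, username) {
  return searchFilter.replace(/\{\{username\}\}/g, escapeFilterValue(username));
}

// Step 4 of the flow: groupSearchFilter is either a string with {{dn}} and
// {{username}} placeholders or a function receiving the found user object.
// {{dn}} takes the user property named by groupDnProperty (default dn);
// {{username}} takes the uid of the found user, as the options list states.
function buildGroupFilter(opts, user) {
  if (typeof opts.groupSearchFilter === 'function') {
    return opts.groupSearchFilter(user);
  }
  var dnProp = opts.groupDnProperty || 'dn';
  return opts.groupSearchFilter
    .replace(/\{\{dn\}\}/g, escapeFilterValue(user[dnProp]))
    .replace(/\{\{username\}\}/g, escapeFilterValue(user.uid));
}

// Constructed sample user object, shaped like what the admin search returns.
var sampleUser = { dn: 'uid=alice,ou=users,dc=example,dc=org', uid: 'alice' };

console.log(buildUserFilter('(uid={{username}})', 'alice'));        // (uid=alice)
console.log(buildUserFilter('(uid={{username}})', 'al(ice)*'));     // (uid=al\28ice\29\2a)
console.log(buildGroupFilter({ groupSearchFilter: '(member={{dn}})' }, sampleUser));
```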
express/connect basicAuth example
```javascript
var basicAuth = require('basic-auth');
var LdapAuth = require('ldapauth-fork');

var ldap = new LdapAuth({
  url: 'ldaps://ldap.example.org:636',
  bindDN: 'uid=myadminusername,ou=users,dc=example,dc=org',
  bindCredentials: 'mypassword',
  searchBase: 'ou=users,dc=example,dc=org',
  searchFilter: '(uid={{username}})',
  reconnect: true
});

// Answer with 401 and a Basic challenge. (The function names below were
// dropped by the page extraction and are reconstructed.)
var rejectBasicAuth = function (res) {
  res.statusCode = 401;
  res.setHeader('WWW-Authenticate', 'Basic realm="Example"');
  res.end('Access denied');
};

// Middleware: parse the Basic credentials, authenticate against LDAP and
// attach the returned LDAP user object to the request.
var basicAuthMiddleware = function (req, res, next) {
  var credentials = basicAuth(req);
  if (!credentials) {
    return rejectBasicAuth(res);
  }
  ldap.authenticate(credentials.name, credentials.pass, function (err, user) {
    if (err) {
      return rejectBasicAuth(res);
    }
    req.user = user;
    next();
  });
};
```
License
MIT
ldapauth-fork has been partially sponsored by Leonidas Ltd.