Learn about our RFC process, Open RFC meetings & more.Join in the discussion! »


4.2.0 • Public • Published

verdaccio-ldap Build Status Codacy Badge Known Vulnerabilities

verdaccio-ldap is a fork of sinopia-ldap. It aims to keep backwards compatibility with sinopia, while keeping up with npm changes.


$ npm install verdaccio
$ npm install verdaccio-ldap

A detailed example of the verdaccio-ldap plugin + OpenLDAP server packed in Docker for v3 is available here and for v4 here.

Read a guide how to migrate from Verdaccio v3 to v4 using LDAP plugin.


Add to your config.yaml:

    type: ldap
    # Only required if you are fetching groups that do not have a "cn" property. defaults to "cn" 
    groupNameAttribute: "ou"
    # Optional, default false. 
      # max credentials to cache (default to 100 if cache is enabled) 
      size: 100
      # cache expiration in seconds (default to 300 if cache is enabled) 
      expire: 300
      url: "ldap://ldap.example.com"
      # Only required if you need auth to bind 
      adminDn: "cn=admin,dc=example,dc=com"
      adminPassword: "admin"
      # Search base for users 
      searchBase: "ou=People,dc=example,dc=com"
      searchFilter: "(uid={{username}})"
      # If you are using groups, this is also needed 
      groupDnProperty: 'cn'
      groupSearchBase: 'ou=groups,dc=myorg,dc=com'
      # If you have memberOf support on your ldap 
      searchAttributes: ['*', 'memberOf']
      # Else, if you don't (use one or the other): 
      # groupSearchFilter: '(memberUid={{dn}})' 
      # Optional 
      reconnect: true

LDAP Admin Password

If you run this plugin in k8s, you may want to set password by env with secretRef. You can use LDAP_ADMIN_PASS to set ldap admin password, it will override the one in config.yaml.

For plugin writers

It's called as:

require('verdaccio-ldap')(config, stuff)


  • config - module's own config
  • stuff - collection of different internal verdaccio objects
    • stuff.config - main config
    • stuff.logger - logger

This should export two functions:

  • adduser(user, password, cb)

    It should respond with:

    • cb(err) in case of an error (error will be returned to user)
    • cb(null, false) in case registration is disabled (next auth plugin will be executed)
    • cb(null, true) in case user registered successfully

    It's useful to set err.status property to set http status code (e.g. err.status = 403).

  • authenticate(user, password, cb)

    It should respond with:

    • cb(err) in case of a fatal error (error will be returned to user, keep those rare)
    • cb(null, false) in case user not authenticated (next auth plugin will be executed)
    • cb(null, [groups]) in case user is authenticated

    Groups is an array of all users/usergroups this user has access to. You should probably include username itself here.


npm i verdaccio-ldap

DownloadsWeekly Downloads






Unpacked Size

9.92 kB

Total Files


Last publish


  • avatar