Comments (11)
IMO this last answer is important enough to become part of the documentation. Also, an example with interpolation on a property other than "dn" would be helpful.
from passport-ldapauth.
OK, this is now resolved with the update of ldapauth-fork. The new options are:
- groupDnProperty: Optional, default 'dn'. The property of the user object to use in {{dn}} interpolation of groupSearchFilter.
- groupSearchBase: Optional. The base DN from which to search for groups. If defined, groupSearchFilter must also be defined for the search to work.
- groupSearchScope: Optional, default 'sub'.
- groupSearchFilter: Optional. LDAP search filter for groups. The following literals are interpolated from the found user object: {{dn}}, the property configured with groupDnProperty.
- groupSearchAttributes: Optional, default all. Array of attributes to fetch from the LDAP server.
eg.
var opts = {
  "server": {
    "url": "ldaps://ldap.example.com:636",
    "adminDn": "cn=LdapAdmin,dc=local",
    "adminPassword": "LdapAdminPassword",
    "searchBase": "dc=users,dc=local",
    "searchFilter": "(&(objectClass=person)(sAMAccountName={{username}}))",
    "searchAttributes": [
      "dn", "cn", "givenName", "name", "memberOf", "sAMAccountName"
    ],
    "groupSearchBase": "dc=groups,dc=local",
    "groupSearchFilter": "(member={{dn}})",
    "groupSearchAttributes": ["dn", "cn", "sAMAccountName"]
  }
};
from passport-ldapauth.
Hi,
This does not really seem like an authentication-related thing. From what I got from the explanation, this would seem more like something you would implement in the verify callback.
from passport-ldapauth.
I've stumbled upon a similar need where memberof will not do. I'm thinking about adding an option to fetch groups and add them to the user object so one could use those in the verify callback. This needs changes also to node-ldapauth-fork.
from passport-ldapauth.
In fact this will be a good idea :)
from passport-ldapauth.
I added a 'group lookup' to ldap-auth-fork. Code is here: https://github.com/jjg77/node-ldapauth-fork/blob/ismemberof/lib/ldapauth.js.
The class takes 3 new opts: searchBaseGroups (required), searchFilterGroups (required), searchGroupAttributes (optional, but defaults to 'ismemberof')
Which can be configured in the passport LdapStrategy like this:
searchBaseGroups: 'ou=internal,o=company,c=us',
searchFilterGroups: '(&(uid={{username}})(objectclass=person)(ismemberof=*))',
The 'groups' get added to the user object and look like this:
[ 'cn=group1,ou=groups,o=company,c=us',
'cn=group2,ou=groups,o=company,c=us',
'cn=group3,ou=groups,o=company,c=us' ]
from passport-ldapauth.
Please can you give an update to the documentation? I'm kinda new to LDAP.
from passport-ldapauth.
Looking at the implementation, would it not make more sense to let the user create a dynamic group search query?
/lib/ldapauth.js:291
var searchFilter = self.opts.groupSearchFilter.replace(/{{dn}}/g, user[self.opts.groupDnProperty]);
to be something like:
var searchFilter = self.opts.groupSearchFilter;
for (var property in user) {
  // replace every {{property}} placeholder with the matching user attribute
  searchFilter = searchFilter.replace(new RegExp('{{' + property + '}}', 'g'), user[property]);
}
This way, one could also, for instance, retrieve the CN for a primary group (currently my customer has a set-up like this, in which the CN for the group cannot be retrieved by memberof):
"groupSearchFilter": "(|(memberUid={{uid}})(gidNumber={{gidNumber}}))",
from passport-ldapauth.
@UXabre I don't really like the idea of looping over all properties of users when probably most of the replace calls would do nothing. I would however accept a pull request that does not break current functionality, but would enable giving a function(user) { return "groupSearchFilter"; } instead of just a string in groupSearchFilter. Then you could construct any filter but would not needlessly loop over the properties, and those who are happy using just one keyword (like myself) could do as they've done now.
from passport-ldapauth.
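As an added example that is not code from passport-ldapauth or ldapauth-fork: a small filter builder covering the two forms discussed in this thread, a string with {{property}} placeholders (the {{dn}} option documented above, extended to any user property as @UXabre proposes) and the function(user) form the maintainer suggests. Unlike the bare .replace() quoted from ldapauth.js, every interpolated value is escaped per RFC 4515, so an attribute value containing "(", ")", "*" or a backslash cannot change what the filter matches. The user object, its attribute names and the helper names are constructed for the example.

```javascript
// Added example, not part of passport-ldapauth or ldapauth-fork.
// Builds an LDAP group-search filter from a found user object, either from a
// string with {{property}} placeholders or from a function(user).

// Escape a value that is placed inside an LDAP search filter (RFC 4515 section 3):
// backslash, "(", ")", "*" and NUL become \XX hex escapes.
function escapeFilterValue(value) {
  return String(value).replace(/[\\()*\0]/g, function (ch) {
    return '\\' + ch.charCodeAt(0).toString(16).padStart(2, '0');
  });
}

// Resolve a groupSearchFilter option against the user object.
// - string: each {{property}} is replaced with the escaped value of user[property];
//   a placeholder naming a missing property throws instead of being left in the filter.
// - function: called with the user object and must return the complete filter;
//   the function is then responsible for escaping (see the third usage below).
function buildGroupSearchFilter(groupSearchFilter, user) {
  if (typeof groupSearchFilter === 'function') {
    return groupSearchFilter(user);
  }
  if (typeof groupSearchFilter !== 'string') {
    throw new TypeError('groupSearchFilter must be a string or a function(user)');
  }
  return groupSearchFilter.replace(/\{\{([A-Za-z0-9_-]+)\}\}/g, function (_, property) {
    if (!(property in user) || user[property] === undefined || user[property] === null) {
      throw new Error('groupSearchFilter references unknown user property: ' + property);
    }
    return escapeFilterValue(user[property]);
  });
}

// Constructed sample user object, shaped like the result of the user search
// (attribute names are assumptions for the example).
const sampleUser = {
  dn: 'uid=jdoe,ou=people,dc=example,dc=com',
  uid: 'jdoe',
  gidNumber: 1001,
  sAMAccountName: 'jdoe',
};

// 1. The single-placeholder form documented above: (member={{dn}}).
const memberFilter = buildGroupSearchFilter('(member={{dn}})', sampleUser);

// 2. The multi-property form proposed for POSIX groups (memberUid or primary gidNumber).
const posixFilter = buildGroupSearchFilter(
  '(|(memberUid={{uid}})(gidNumber={{gidNumber}}))',
  sampleUser
);

// 3. The function form: the caller builds any filter and escapes explicitly.
const functionFilter = buildGroupSearchFilter(function (user) {
  return '(&(objectClass=groupOfNames)(member=' + escapeFilterValue(user.dn) + '))';
}, sampleUser);

// 4. A hostile attribute value (constructed): unescaped, it would turn
// "(member={{dn}})" into "(member=*)(objectClass=*)" and match every entry.
const hostileUser = { dn: '*)(objectClass=*' };
const escapedHostile = buildGroupSearchFilter('(member={{dn}})', hostileUser);

console.log(memberFilter);
console.log(posixFilter);
console.log(functionFilter);
console.log(escapedHostile);
```

The string form stays cheap because only the placeholders present in the filter are looked up, which is the maintainer's objection to looping over every user property; the function form gives full control and therefore also full responsibility for escaping, so it is worth exporting the escape helper alongside it.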
I agree, would be pointless to loop everything but the general idea is indeed what you propose. I'll see to make a pull request sometime this week :-)
from passport-ldapauth.
Meanwhile I have created the pull request for this extension; it can be found here: vesse/node-ldapauth-fork#36
from passport-ldapauth.