
Comments (11)

MayaLekova commented on July 18, 2024 7

IMO this last answer is important enough to become part of the documentation. Also, an example with interpolation on a property other than "dn" would be helpful.

from passport-ldapauth.

vesse commented on July 18, 2024 4

OK, this is now resolved with the update of ldapauth-fork. The new options are:

  • groupDnProperty: Optional, default 'dn'. The property of user object to use in {{dn}} interpolation of groupSearchFilter.
  • groupSearchBase: Optional. The base DN from which to search for groups. If defined, also groupSearchFilter must be defined for the search to work.
  • groupSearchScope: Optional, default sub.
  • groupSearchFilter: Optional. LDAP search filter for groups. The following literals are interpolated from the found user object: {{dn}} the property configured with groupDnProperty.
  • groupSearchAttributes: Optional, default all. Array of attributes to fetch from LDAP server.

e.g.

var opts = {
  "server": {
    "url": "ldaps://ldap.example.com:636",
    "adminDn": "cn=LdapAdmin,dc=local",
    "adminPassword": "LdapAdminPassword",
    "searchBase": "dc=users,dc=local",
    "searchFilter": "(&(objectClass=person)(sAMAccountName={{username}}))",
    "searchAttributes": [
      "dn", "cn", "givenName", "name", "memberOf", "sAMAccountName"
    ],
    "groupSearchBase": "dc=groups,dc=local",
    "groupSearchFilter": "(member={{dn}})",
    "groupSearchAttributes": ["dn", "cn", "sAMAccountName"]
  }
};


vesse commented on July 18, 2024

Hi,

This does not really seem like an authentication-related thing. From what I got from the explanation this would seem more like something you would implement in the verify callback.


vesse commented on July 18, 2024

I've stumbled upon a similar need where memberof will not do. I'm thinking about adding an option to fetch groups and add them to the user object so one could use those in the verify callback. This also needs changes to node-ldapauth-fork.

from passport-ldapauth.
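
An added example (not code from passport-ldapauth or from this thread) of the verify-callback approach described above: authorize on the fetched groups and fail closed when none are present. It assumes the group entries arrive as `user._groups` with `dn` and `cn` attributes, which this page does not state; the group DNs and user objects are constructed.

```javascript
// Added example: a verify callback for passport-ldapauth's LdapStrategy,
// e.g. passport.use(new LdapStrategy(opts, verify)).
// Assumption: fetched group entries are exposed as user._groups.
// Group DNs below are constructed sample values.
const ALLOWED_GROUP_DNS = ['cn=app-admins,dc=groups,dc=local'];

// Simplified DN comparison: trim and lower-case only.
function normalizeDn(dn) {
  return String(dn).trim().toLowerCase();
}

function verify(user, done) {
  // Fail closed: no group search configured or no groups found means no access.
  const groups = Array.isArray(user._groups) ? user._groups : [];
  const allowed = new Set(ALLOWED_GROUP_DNS.map(normalizeDn));
  const matched = groups.filter((g) => g && g.dn && allowed.has(normalizeDn(g.dn)));
  if (matched.length === 0) {
    return done(null, false, { message: 'User is not in a permitted group' });
  }
  // Pass on only what the application needs, not the whole LDAP entry.
  return done(null, {
    dn: user.dn,
    username: user.sAMAccountName,
    groups: matched.map((g) => g.cn),
  });
}

// Helper so the callback can be exercised without an LDAP server.
function runVerify(user) {
  let result;
  verify(user, (err, u, info) => { result = { err, user: u, info }; });
  return result;
}

// Constructed sample users.
const adminUser = { dn: 'cn=alice,dc=users,dc=local', sAMAccountName: 'alice',
  _groups: [{ dn: 'CN=App-Admins,DC=groups,DC=local', cn: 'App-Admins' }] };
const plainUser = { dn: 'cn=bob,dc=users,dc=local', sAMAccountName: 'bob', _groups: [] };
const noGroupSearch = { dn: 'cn=carol,dc=users,dc=local', sAMAccountName: 'carol' };
```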

geekosaurusR3x commented on July 18, 2024

In fact this will be a good idea :)


buffaloDeveloper commented on July 18, 2024

I added a 'group lookup' to ldap-auth-fork. Code is here: https://github.com/jjg77/node-ldapauth-fork/blob/ismemberof/lib/ldapauth.js.

The class takes 3 new opts: searchBaseGroups (required), searchFilterGroups (required), searchGroupAttributes (optional, but defaults to 'ismemberof')

Which can be configured in the passport LdapStrategy like this:

searchBaseGroups: 'ou=internal,o=company,c=us',
searchFilterGroups: '(&(uid={{username}})(objectclass=person)(ismemberof=*))',

The 'groups' get added to the user object and look like this:

[ 'cn=group1,ou=groups,o=company,c=us',
  'cn=group2,ou=groups,o=company,c=us',
  'cn=group3,ou=groups,o=company,c=us' ]


Djalmar commented on July 18, 2024

Please can you give an update to the documentation? I'm kinda new to LDAP.


UXabre commented on July 18, 2024

Looking at the implementation, would it not make more sense to let the user create a dynamic group search query?

/lib/ldapauth.js:291

 var searchFilter = self.opts.groupSearchFilter.replace(/{{dn}}/g, user[self.opts.groupDnProperty]);

to be something like:

var searchFilter = self.opts.groupSearchFilter;

for( var property in user ) {
   searchFilter = searchFilter.replace(new RegExp('{{' + property + '}}', 'g'), user[property]);
}

This way, one could also, for instance, retrieve the CN for a primary group (currently my customer has a set-up like this, in which the CN for the group cannot be retrieved by memberof):

"groupSearchFilter": "(|(memberUid={{uid}})(gidNumber={{gidNumber}}))",


vesse commented on July 18, 2024

@UXabre I don't really like the idea of looping over all properties of users when probably most of the replace calls would do nothing. I would however accept a pull request that does not break current functionality, but would enable giving a function(user) { return "groupSearchFilter"; } instead of just a string in groupSearchFilter. Then you could construct any filter but would not needlessly loop over the properties, and those who are happy using just one keyword (like myself) could do as they've done now.

from passport-ldapauth.
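
An added example (not part of the thread and not ldapauth-fork's code) covering both forms discussed here: the string filter with `{{dn}}` taken from `groupDnProperty`, and the proposed `function(user)` form. `escapeFilterValue` and `buildGroupFilter` are hypothetical helpers; the RFC 4515 escaping is an addition so that directory values containing `(`, `)`, `*` or `\` cannot alter the filter, and the users are constructed.

```javascript
// Added example; helper names are hypothetical, sample users are constructed.

// RFC 4515: escape \ * ( ) and NUL in a filter assertion value as \XX hex.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\u0000]/g, (c) =>
    '\\' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

// String form: {{dn}} is replaced by user[groupDnProperty] (default 'dn').
// Function form: the caller builds the whole filter from the user object.
function buildGroupFilter(opts, user) {
  if (typeof opts.groupSearchFilter === 'function') {
    return opts.groupSearchFilter(user);
  }
  const prop = opts.groupDnProperty || 'dn';
  if (user[prop] === undefined || user[prop] === null) {
    throw new Error('user has no "' + prop + '" property for group search');
  }
  const safe = escapeFilterValue(user[prop]);
  // Function replacement avoids "$&"-style patterns in the value being expanded.
  return opts.groupSearchFilter.replace(/{{dn}}/g, () => safe);
}

// Default: interpolate the user's dn.
const byDn = { groupSearchFilter: '(member={{dn}})' };
// Interpolate a property other than dn via groupDnProperty.
const byUid = { groupDnProperty: 'uid', groupSearchFilter: '(memberUid={{dn}})' };
// Function form: any number of user properties, each escaped by the caller.
const byFunction = {
  groupSearchFilter: (user) =>
    '(|(memberUid=' + escapeFilterValue(user.uid) + ')' +
    '(gidNumber=' + escapeFilterValue(user.gidNumber) + '))',
};

const user = { dn: 'cn=Ann (Ops),dc=users,dc=local', uid: 'ann', gidNumber: '1001' };
// A uid containing filter metacharacters stays inside its assertion value.
const oddUser = { dn: 'cn=x,dc=users,dc=local', uid: 'x)(cn=*', gidNumber: '1' };
```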

UXabre commented on July 18, 2024

I agree, would be pointless to loop everything but the general idea is indeed what you propose. I'll see to make a pull request sometime this week :-)


UXabre commented on July 18, 2024

Meanwhile I have created the pull request for this extension and it can be found here: vesse/node-ldapauth-fork#36

