Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Passport Active Directory node.js

I have successfully assembled over a half dozen passport strategies (facebook, twitter, linkedin, instagram, tumblr, google, youtube) exchange account info with oauth1 and oauth2 token, into a single standalone auth server that saves session in Mongo and creates active profiles, with token/session/code/id fields and with many standardized atribute fields in SQL server using Tedious.js. These passport tools are excellent, thank you.

My last challenge for this project is not going as well, username and password into an active directory repository, to look up and auth in the same way. I have been trying over and over again passport-ldap, passport-ldapauth (based on ldapauth-gfork, based on ldapjs), passport-windowsauth and passport-kerberos, and seem to be getting related credential errors (deep in code, adding console.logs to try and figure out what I am getting syntactically wrong).

Are there any other resources and documentation to accessing LDAP/AD in Node.js using any strategy of Passport? The DN versus ou syntax and where the account access user (have a service account specifically set up to access the AD) for the repository versus the account user you are looking up and the filters make it very difficult to find anything error related to figure out where I am going wrong. Do you match to sAMAccountName or uid? I keep consistently getting "unauthorized" errors.

Unlike the other 70 passport strategies, where the doc and examples are clear and just work, not so much for ad/ldap passport. Can anyone point me to a good test, doc or setup that works well specifically with Passport.js and Active Directory?

like image 900
user3249956 Avatar asked Jan 29 '14 18:01

user3249956


People also ask

What is the Passport in node JS?

Passport is Express-compatible authentication middleware for Node. js. Passport's sole purpose is to authenticate requests, which it does through an extensible set of plugins known as strategies.

Which is better JWT or Passport?

JSON Web Token and Passport can be primarily classified as "User Management and Authentication" tools. JSON Web Token and Passport are both open source tools. It seems that Passport with 15.9K GitHub stars and 936 forks on GitHub has more adoption than JSON Web Token with 2.59K GitHub stars and 259 GitHub forks.

Why do I need Passport for Node JS?

Passport is authentication middleware for Node.js. Extremely flexible and modular, Passport can be unobtrusively dropped in to any Express-based web application. A comprehensive set of strategies support authentication using a username and password, Facebook, Twitter, and more.

What does Passport authenticate () do?

In this route, passport. authenticate() is middleware which will authenticate the request. By default, when authentication succeeds, the req. user property is set to the authenticated user, a login session is established, and the next function in the stack is called.


2 Answers

While this is an old question I thought, as the maintainer of passport-ldapauth, I should clarify LDAP authentication a little.

LDAP authentication is different from those strategies you've used before. Those OAuth strategies can really be configured only one way - provide the required options, and then it works. This part is the same with LDAP, but the actual values to the options differ from one server to the other. The questions you are asking, like do you match to sAMAccountName or uid, are really up to you and the LDAP server.

General things like what does a DN look like, what is search base, or what is the syntax of search filter have been defined extensively in RFCs. If one is not familiar with the basics it can be difficult to get the authentication to work. Often the AD/LDAP server maintainer input is needed to have proper settings, eg. what search base allows finding all required users but does not cause unnecessary load on the LDAP server.

LDAP authentication usually works in three steps:

  1. Using a service account (in passport-ldapauth, bindDn and bindCredentials), bind against the LDAP server.
  2. Once bound, perform the configured search substituting the placeholder with user provided username. This determines if the given username is found from the LDAP server.
  3. Use the DN of the search result, together with user provided password, and bind against the LDAP server. This verifies the password.

If you wish to have users login using their SAMAccountName, your search filter could be eg. (sAMAccountName={{username}}). If you wish that the users use uid, the filter could be just (uid={{username}}). If you want to enable both, use (|(sAMAccountName={{username}})(uid={{username}})). The search filter syntax is specified in RFC 4515.

like image 189
vesse Avatar answered Sep 28 '22 23:09

vesse


I was able to authenticate to AD via passport-ldapauth. One key was knowing to use server opts which are different than in some LDAP examples online

searchBase: 'ou=Accounts,dc=mydomain,dc=com'
searchFilter: '(sAMAccountName={{username}})'  // {{username}} comes from the html form.

You also need to know if you need ldaps and TLS or not. (I did not) I spent a good amount of time digging through ldapjs.org.

like image 30
Michael Oakley Avatar answered Sep 28 '22 23:09

Michael Oakley