npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

ldapauth-extended

v1.0.2

Published

Authenticate against an LDAP server

Downloads

14

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

tutu.semenovtutu.semenov

Keywords

authenticateldapauthenticationauth

Readme

ldapauth-fork

A fork of node-ldapauth-fork that is in fact a fork of node-ldapauth - A simple node.js lib to authenticate against an LDAP server.

Differences with parent fork

Differs with node-ldapauth-fork in accounting ALL user's groups instead of only root ones: #a3b6310a

Usage

var LdapAuth = require('ldapauth-fork');
var options = {
  url: 'ldaps://ldap.example.org:636',
  ...
};
var auth = new LdapAuth(options);
auth.on('error', function (err) {
  console.error('LdapAuth: ', err);
});
...
auth.authenticate(username, password, function(err, user) { ... });
...
auth.close(function(err) { ... })

LdapAuth inherits from EventEmitter.

Install

npm install ldapauth-fork

LdapAuth Config Options

Required ldapjs client options:

  • url - LDAP server URL, eg. ldaps://ldap.example.org:663

ldapauth-fork options:

  • bindDN - Admin connection DN, e.g. uid=myapp,ou=users,dc=example,dc=org. Optional. If not given at all, admin client is not bound. Giving empty string may result in anonymous bind when allowed.
  • bindCredentials - Password for bindDN.
  • searchBase - The base DN from which to search for users by username. E.g. ou=users,dc=example,dc=org
  • searchFilter - LDAP search filter with which to find a user by username, e.g. (uid={{username}}). Use the literal {{username}} to have the given username interpolated in for the LDAP search.
  • searchAttributes - Optional, default all. Array of attributes to fetch from LDAP server.
  • bindProperty - Optional, default dn. Property of the LDAP user object to use when binding to verify the password. E.g. name, email
  • searchScope - Optional, default sub. Scope of the search, one of base, one, or sub.

ldapauth-fork can look for valid users groups too. Related options:

  • groupSearchBase - Optional. The base DN from which to search for groups. If defined, also groupSearchFilter must be defined for the search to work.
  • groupSearchFilter - Optional. LDAP search filter for groups. Place literal {{dn}} in the filter to have it replaced by the property defined with groupDnProperty of the found user object. {{username}} is also available and will be replaced with the uid of the found user. This is useful for example to filter PosixGroups by memberUid. Optionally you can also assign a function instead. The found user is passed to the function and it should return a valid search filter for the group search.
  • groupSearchAttributes - Optional, default all. Array of attributes to fetch from LDAP server.
  • groupDnProperty - Optional, default dn. The property of user object to use in {{dn}} interpolation of groupSearchFilter.
  • groupSearchScope - Optional, default sub.

Other ldapauth-fork options:

  • includeRaw - Optional, default false. Set to true to add property _raw containing the original buffers to the returned user object. Useful when you need to handle binary attributes
  • cache - Optional, default false. If true, then up to 100 credentials at a time will be cached for 5 minutes.
  • log - Bunyan logger instance, optional. If given this will result in TRACE-level error logging for component:ldapauth. The logger is also passed forward to ldapjs.

Optional ldapjs options, see ldapjs documentation:

  • tlsOptions - Needed for TLS connection. See Node.js documentation
  • socketPath
  • timeout
  • connectTimeout
  • idleTimeout
  • reconnect
  • strictDN
  • queueSize
  • queueTimeout
  • queueDisable

How it works

The LDAP authentication flow is usually:

  1. Bind the admin client using the given bindDN and bindCredentials
  2. Use the admin client to search for the user by substituting {{username}} from the searchFilter with given username
  3. If user is found, verify the given password by trying to bind the user client with the found LDAP user object and given password
  4. If password was correct and group search options were provided, search for the groups of the user

express/connect basicAuth example

var basicAuth = require('basic-auth');
var LdapAuth = require('ldapauth-fork');

var ldap = new LdapAuth({
  url: 'ldaps://ldap.example.org:636',
  bindDN: 'uid=myadminusername,ou=users,dc=example,dc=org',
  bindCredentials: 'mypassword',
  searchBase: 'ou=users,dc=example,dc=org',
  searchFilter: '(uid={{username}})',
  reconnect: true
});

var rejectBasicAuth = function(res) {
  res.statusCode = 401;
  res.setHeader('WWW-Authenticate', 'Basic realm="Example"');
  res.end('Access denied');
}

var basicAuthMiddleware = function(req, res, next) {
  var credentials = basicAuth(req);
  if (!credentials) {
    return rejectBasicAuth(res);
  }

  ldap.authenticate(credentials.name, credentials.pass, function(err, user) {
    if (err) {
      return rejectBasicAuth(res);
    }

    req.user = user;
    next();
  });
};

License

MIT

ldapauth-fork has been partially sponsored by Leonidas Ltd.