npm i @openinc/parse-server-ldap
Init LDAP plugin in a js file that will be loaded by Cloud Code. Example:
const init = async () => {
console.log("Init LDAP Plugin.");
const initLDAP = require("@openinc/parse-server-ldap");
initLDAP(Parse);
};
module.exports.init = init;- Before using you should create a column (type string) in the _User table in parse. The name of the column should be equal to
PARSE_LDAP_PARSE_LDAP_DN_ATTRIBUTE. - When using a docker environment and docker-parse-server-opendash you have to add a env variable to the docker compose for service parse
OPENINC_PARSE_ADDITIONAL_PACKAGES: '@openinc/parse-server-ldap'- Refer to https://github.com/open-inc/docker-parse-server-opendash
- Add the env variables and volumes to load custom cloud code when running a docker environment
- Add to environment section in parse service:
OPENINC_PARSE_CLOUDCODE_AUTOLOAD_DIR: './cloud-custom' - Add to volumes section in parse service:
./cloud:/usr/src/app/cloud-custom
- Add to environment section in parse service:
- Configuration is done using environment variables:
-
PARSE_LDAP_LOGIN_SEARCH_SCOPE: You probably want to set this to 'sub' otherwise onlyPARSE_LDAP_LOGIN_BIND_DNwill be searched but not its subordinates -
PARSE_LDAP_FUNCTION_NAME(default: "ldap_login") will be passed toParse.Cloud.define(PARSE_LDAP_FUNCTION_NAME) -
PARSE_LDAP_URL(default: "ldap://127.0.0.1:389") should be set to the LDAP server connection URL -
PARSE_LDAP_BASEPATHshould be set to a base path, i.e.:"dc=example,dc=com" -
PARSE_LDAP_LOGIN_BIND_DNmust be set to a DN which will identify the user, i.e.:"uid=%user%,ou=Users,%basepath%".-
%user%will be replaced by the username the user is providing to the Cloud Code Function -
%userWithoutDomain%same as%user%, but will strip the domain part, i.e.:domain.com\usernamewill becomeusername -
%basepath%will be replaced by the value ofPARSE_LDAP_BASEPATH
-
-
Typically, users are authenticated (bind-method) using a service user. The service user searches for the username/email address provided by the login form, returns retrieved information, then the user is authenticated using the password. In most cases you want to map to the DN of a user. In this case, do not set PARSE_LDAP_LOGIN_BIND_MAP_ATTRIBUTE and PARSE_LDAP_LOGIN_BIND_MAP_TO. The following steps explain this process in detail:
-
The service user will bind to LDAP.
-
PARSE_LDAP_SERVICE_USER_DNDN for the service user -
PARSE_LDAP_SERVICE_USER_PWPW for the service user
-
-
LDAP search will be executed.
-
PARSE_LDAP_LOGIN_BIND_DNas path -
PARSE_LDAP_LOGIN_BIND_MAP_FILTERas filter (i.e.:"(mail=%user%)"or(&(objectClass=user)(sAMAccountName=%user%))or anything you want to filter about)-
%user%will be replaced by the username the user entered -
%userWithoutDomain%same as%user%but will strip the domain part, i.e.:domain.com\usernamewill becomeusername -
%basepath%will be replaced by the value ofPARSE_LDAP_BASEPATH
-
-
-
An output parameter will be selected from the first result.
-
PARSE_LDAP_LOGIN_BIND_MAP_ATTRIBUTE(default: "dn")
-
-
An attribute is selected from the output provided by the env variable.
-
PARSE_LDAP_LOGIN_BIND_MAP_TO(default: "%output%")-
%output%will be replaced by the output parameter described above -
%user%will be replaced by the username the user is providing to the Cloud Code Function -
%userWithoutDomain%same as%user%, but will strip the domain part, i.e.:domain.com\usernamewill becomeusername -
%basepath%will be replaced by the value ofPARSE_LDAP_BASEPATH
-
-
-
The new bind path will be used together with the password from the user to validate the login.
After binding the user, the user profile will be searched.
This is done by using PARSE_LDAP_LOGIN_BIND_DN.
If this will not work for you, you can search for the user within a DN with a given filter:
-
PARSE_LDAP_LOGIN_SEARCH_DN-
%user%will be replaced by the username the user is providing to the Cloud Code Function -
%userWithoutDomain%same as%user%, but will strip the domain part, i.e.:domain.com\usernamewill becomeusername -
%basepath%will be replaced by the value ofPARSE_LDAP_BASEPATH
-
-
PARSE_LDAP_LOGIN_SEARCH_FILTER-
%user%will be replaced by the username the user is providing to the Cloud Code Function -
%userWithoutDomain%same as%user%, but will strip the domain part, i.e.:domain.com\usernamewill becomeusername -
%basepath%will be replaced by the value ofPARSE_LDAP_BASEPATH
-
You can change which attributes from LDAP and which attributes in Parse will be used:
-
PARSE_LDAP_DN_ATTRIBUTE(default: "dn") the attribute of the LDAP user, which will be used for the Parse user attribute, which will be defined withPARSE_LDAP_PARSE_LDAP_DN_ATTRIBUTE -
PARSE_LDAP_USERNAME_ATTRIBUTE(default: "uid") the attribute of the LDAP user, which will be used for the Parse userusernameattribute -
PARSE_LDAP_EMAIL_ATTRIBUTE(default: "mail") the attribute of the LDAP user, which will be used for the Parse useremailattribute -
PARSE_LDAP_NAME_ATTRIBUTE(default: "cn") the attribute of the LDAP user, which will be used for the Parse usernameattribute -
PARSE_LDAP_PARSE_LDAP_ATTRIBUTE(default: "ldap") can be used to set the Parse user attribute, which will be used to identify users as LDAP users. -
PARSE_LDAP_PARSE_LDAP_DN_ATTRIBUTE(default: "ldap_dn") can be used to set the Parse user attribute, which will store the DN of the users.
Optionally you can set a LDAP group to restrict, which users will be allowed to sign into Parse:
-
PARSE_LDAP_SERVICE_GROUP_DNcan be used to pass a DN to a group. Only users whos DN is in amemberattribute of that group can login. Reading the group requires a service user.. -
PARSE_LDAP_SERVICE_USER_DNDN for the service user-
%basepath%will be replaced by the value ofPARSE_LDAP_BASEPATH
-
-
PARSE_LDAP_SERVICE_USER_PWPW for the service user -
PARSE_LDAP_SERVICE_INTERVALcan be used to pass a number in seconds, which will be used to start an interval in which all Parse users coming from LDAP will be validated as active LDAP users.
-
PARSE_LDAP_UNIFY_CREDENTIALSmust be"true", this will ensure that the same rules apply to theusernameandemailfields as in the@openinc/parse-server-opendashpackage.