passport-adauth
Passport authentication strategy against Active Directory. This module is a Passport strategy wrapper for adauth.
Install
$ npm install passport-adauth
License
MIT. See "LICENSE" file.
Usage
```js
var ADStrategy = require('passport-adauth');

passport.use(new ADStrategy(OPTS));
```

OPTS is the options object (the name is only a placeholder used here). It has the following properties:

* server: LDAP settings. These are passed directly to adauth. See its documentation for all available options.
    * url: The LDAP URL for the domain controller, e.g. ldaps://corp.example.com:636
    * bindDn: A user with just enough permissions to read other users' attributes, e.g. CN=LDAP User,OU=Users,OU=MyBusiness,DC=example,DC=com
    * bindCredentials: Password for bindDn
    * searchBase: The base suffix for all users to narrow results, e.g. OU=Users,OU=MyBusiness,DC=example,DC=com
    * searchAttributes: Optional array of attributes to limit what attributes are fetched from AD, e.g. ['displayName', 'mail']. Defaults to undefined, i.e. fetch all attributes.
    * tlsOptions: Optional object with options accepted by the Node.js tls module.
* usernameField: Field name where the username is found, defaults to username
* passwordField: Field name where the password is found, defaults to password
* passReqToCallback: When true, req is the first argument to the verify callback (default: false):

```js
passport.use(new ADStrategy(OPTS, function (req, user, done) {
  // inspect req and/or user here
  return done(null, user);
}));
```

Note: you can pass a function instead of an object as options, see the example below.
Authenticate requests

Use passport.authenticate(), specifying the 'adauth' strategy, to authenticate requests.

authenticate() options

In addition to the default authentication options, the following options are available for passport.authenticate():

* badRequestMessage: flash message for missing username/password (default: 'Missing credentials')
* invalidCredentials: flash message for InvalidCredentialsError, NoSuchObjectError, and /no such user/i LDAP errors (default: 'Invalid username/password')
* userNotFound: flash message when AD returns no error but also no user (default: 'Invalid username/password')
* constraintViolation: flash message when the user account is locked (default: 'Exceeded password retry limit, account locked')
Express example
```js
var express    = require('express'),
    passport   = require('passport'),
    bodyParser = require('body-parser'),
    ADStrategy = require('passport-adauth');

var adOptions = {
  server: {
    url: 'ldap://corp.example.com',
    bindDn: 'CN=LDAP User,OU=Users,OU=MyBusiness,DC=example,DC=com',
    bindCredentials: 'mypassword',
    searchBase: 'OU=Users,OU=MyBusiness,DC=example,DC=com'
  }
};

var app = express();

passport.use(new ADStrategy(adOptions));

app.use(bodyParser.json());
app.use(bodyParser.urlencoded({ extended: false }));
app.use(passport.initialize());

// Login route: credentials are read from req.body (usernameField/passwordField)
app.post('/login', passport.authenticate('adauth', { session: false }), function (req, res) {
  res.send({ status: 'ok' });
});

app.listen(8080); // port is illustrative
```
Active Directory over SSL example
Simple example config for connecting over ldaps:// to a server requiring some internal CA certificate (often the case in corporations using Windows AD).

```js
var opts = {
  server: {
    url: 'ldaps://corp.example.com:636',
    bindDn: 'CN=LDAP User,OU=Users,OU=MyBusiness,DC=example,DC=com',
    bindCredentials: 'mypassword',
    searchBase: 'OU=Users,OU=MyBusiness,DC=example,DC=com',
    tlsOptions: {
      ca: './domain-ca.cer'
    }
  }
};
...
```
Asynchronous configuration retrieval
Instead of providing a static configuration object, you can pass a function as options that will take care of fetching the configuration. It will be called with the req object and a callback function having the standard (err, result) signature. Notice that the provided function will be called on every authenticate request.

```js
// The function name is not shown in the original; getADConfiguration is a placeholder
var getADConfiguration = function (req, callback) {
  // Fetching things from database or whatever
  process.nextTick(function () {
    var opts = {
      server: {
        url: 'ldaps://corp.example.com:636',
        bindDn: 'CN=LDAP User,OU=Users,OU=MyBusiness,DC=example,DC=com',
        bindCredentials: 'mypassword',
        searchBase: 'OU=Users,OU=MyBusiness,DC=example,DC=com'
      }
    };
    callback(null, opts);
  });
};

var ADStrategy = require('passport-adauth');

passport.use(new ADStrategy(getADConfiguration,
  function (user, done) {
    // verify callback: user is the AD entry found by adauth
    return done(null, user);
  }
));
```