Mashroom LDAP Security Provider
Plugin for Mashroom Server, a Microfrontend Integration Platform.
This plugin adds an LDAP security provider.
Usage
If node_modules/@mashroom is configured as plugin path, just add @mashroom/mashroom-security-provider-ldap as a dependency.
To activate this provider, configure the Mashroom Security plugin like this:
```json
{
    "plugins": {
        "Mashroom Security Services": {
            "provider": "Mashroom LDAP Security Provider"
        }
    }
}
```
And configure this plugin like this in the Mashroom config file:
```json
{
    "plugins": {
        "Mashroom LDAP Security Provider": {
            "loginPage": "/login",
            "serverUrl": "ldap://my-ldap-server:636",
            "ldapConnectTimeout": 3000,
            "ldapTimeout": 5000,
            "bindDN": "uid=mashroom,dc=nonblocking,dc=at",
            "bindCredentials": "secret",
            "baseDN": "ou=users,dc=nonblocking,dc=at",
            "userSearchFilter": "(&(objectClass=person)(uid=@username@))",
            "groupSearchFilter": "(objectClass=group)",
            "extraDataMapping": {
                "mobile": "mobile",
                "address": "postalAddress"
            },
            "secretsMapping": {
                "internalUserId": "uid"
            },
            "groupToRoleMapping": "./groupToRoleMapping.json",
            "userToRoleMapping": "./userToRoleMapping.json",
            "authenticationTimeoutSec": 1200
        }
    }
}
```
- loginPage: The login URL to redirect to if the user is not authenticated (Default: /login)
- serverUrl: The LDAP server URL with protocol and port
- ldapConnectTimeout: Connect timeout in ms (Default: 3000)
- ldapTimeout: Timeout in ms (Default: 5000)
- tlsOptions: Optional TLS options if your LDAP server requires TLS. The options are passed through to Node's TLS module, but file paths (e.g. for "cert") are resolved relative to the server config file.
- bindDN: The bind user for searching
- bindCredentials: The password for the bind user
- baseDN: The base DN for searches (can be empty)
- userSearchFilter: The user search filter, @username@ will be replaced by the actual username entered in the login form
- groupSearchFilter: The group search filter (can be empty if you don't want to fetch the user groups)
- extraDataMapping: Optionally map extra LDAP attributes to user.extraData. The key in the map is the extraData property, the value the LDAP attribute (Default: null)
- secretsMapping: Optionally map extra LDAP attributes to user.secrets (Default: null)
- groupToRoleMapping: An optional JSON file that contains a user group to roles mapping (Default: /groupToRoleMapping.json)
- userToRoleMapping: An optional JSON file that contains a user name to roles mapping (Default: /userToRoleMapping.json)
- authenticationTimeoutSec: The inactivity time after which the authentication expires. Since this plugin stores the authentication state in the session, make sure the session cookie.maxAge is greater than this value (Default: 1200)
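The userSearchFilter option splices the username typed into the login form into an LDAP filter. Whatever performs that substitution must escape the username according to RFC 4515, otherwise filter metacharacters in the login field change the query. The following is an added example of such a substitution, written for this README and not code from the plugin itself; the function name buildUserSearchFilter and the placeholder handling are assumptions, the filter template is the one from the configuration above.

```javascript
// Added example (not the plugin's own code): substitute @username@ into the
// configured userSearchFilter with RFC 4515 escaping of the user input.

// RFC 4515 requires these characters to be escaped inside a filter value.
const FILTER_ESCAPES = {
  '\\': '\\5c',
  '*': '\\2a',
  '(': '\\28',
  ')': '\\29',
  '\0': '\\00',
};

// Escape a single filter assertion value (the part after "=").
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, (ch) => FILTER_ESCAPES[ch]);
}

// Build the final search filter from the template in the plugin config.
// The template must contain at least one @username@ placeholder, which is the
// convention documented for userSearchFilter above.
function buildUserSearchFilter(template, username) {
  if (!template.includes('@username@')) {
    throw new Error('userSearchFilter must contain the @username@ placeholder');
  }
  const escaped = escapeFilterValue(username);
  return template.split('@username@').join(escaped);
}

// Constructed inputs: the template from the configuration above, a normal
// login and a login that contains filter metacharacters.
const TEMPLATE = '(&(objectClass=person)(uid=@username@))';
console.log(buildUserSearchFilter(TEMPLATE, 'alice'));
console.log(buildUserSearchFilter(TEMPLATE, 'a*)(uid=*'));

module.exports = { escapeFilterValue, buildUserSearchFilter };
```

The escaping is applied to the value only; the template itself is trusted configuration and is left untouched. Because every metacharacter is replaced by its hex escape, the second call still searches for a literal uid containing "*", ")" and "(" rather than broadening the match.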
For a server that requires TLS you have to provide a tlsOptions object:
```json
{
    "plugins": {
        "Mashroom LDAP Security Provider": {
            "serverUrl": "ldaps://my-ldap-server:636",
            "tlsOptions": {
                "cert": "./server-cert.pem"
            }
        }
    }
}
```
The groupToRoleMapping file has the following simple structure:
```json
{
    "$schema": "https://www.mashroom-server.com/schemas/mashroom-security-ldap-provider-group-to-role-mapping.json",
    "LDAP_GROUP1": [
        "ROLE1",
        "ROLE2"
    ]
}
```
And the userToRoleMapping file:
```json
{
    "$schema": "https://www.mashroom-server.com/schemas/mashroom-security-ldap-provider-user-to-role-mapping.json",
    "username": [
        "ROLE1",
        "ROLE2"
    ]
}
```