@mashroom/mashroom-security-provider-ldap

Mashroom LDAP Security Provider

Plugin for Mashroom Server, a Integration Platform for Microfrontends.

This plugin adds a LDAP security provider.

Usage

If node_modules/@mashroom is configured as plugin path just add @mashroom/mashroom-security-provider-ldap as dependency.

To activate this provider configure the Mashroom Security plugin like this:

{
    "plugins": {
        "Mashroom Security Services": {
            "provider": "Mashroom LDAP Security Provider"
        }
    }
}

And configure this plugin like this in the Mashroom config file:

{
    "plugins": {
        "Mashroom LDAP Security Provider": {
            "loginPage": "/login",
            "serverUrl": "ldap://my-ldap-server:636",
            "ldapConnectTimeout": 3000,
            "ldapTimeout": 5000,
            "bindDN": "uid=mashroom,dc=nonblocking,dc=at",
            "bindCredentials": "secret",
            "baseDN": "ou=users,dc=nonblocking,dc=at",
            "userSearchFilter": "(&(objectClass=person)(uid=@username@))",
            "groupSearchFilter": "(objectClass=group)",
            "groupToRoleMapping": "./groupToRoleMapping.json",
            "authenticationTimeoutSec": 1200
        }
    }
}

• loginPage: The login URL when user is not authenticated (must match the path of Mashroom Security Default Login Webapp)
• serverUrl: The LDAP server URL with protocol and port
• ldapConnectTimeout: Connect timeout in ms (default 3000)
• ldapTimeout: Timeout in ms (default 5000)
• tlsOptions: Optional TLS options if your LDAP server requires TLS. The options are passed to Node TLS, but the file paths (e.g. for "cert") are resolved relatively to mashroom.json.
• bindDN: The bind user for searching
• bindCredentials: The password for the bind user
• baseDN: The base DN for searches (can be empty)
• userSearchFilter: The user search filter, @username@ will be replaced by the actual username entered in the login form
• groupSearchFilter: The group search filter (can be empty if you don't want to fetch the user groups)
• groupToRoleMapping: An optional JSON file that contains a user group to roles mapping
• authenticationTimeoutSec: The inactivity time after that the authentication expires. Since this plugin uses the session to store make sure the session cookie.maxAge is greater than this value.

For a server that requires TLS you have to provide a tlsOptions object:

{
    "plugins": {
        "Mashroom LDAP Security Provider": {
            "serverUrl": "ldaps://my-ldap-server:636",
            "tlsOptions": {
              "cert": "./server-cert.pem",

              // Necessary only if the server requires client certificate authentication.
              //"key": "./client-key.pem",

              // Necessary only if the server uses a self-signed certificate.
              // "rejectUnauthorized": false,
              // "ca": [ "./server-cert.pem" ],
            }
        }
    }
}

The groupToRoleMapping file has to following simple structure:

{
    "LDAP_GROUP1": [
        "ROLE1",
        "ROLE2"
    ]
}

Changelog

1.5.2 (October 6, 2020)

• BREAKING CHANGE: All paths (config, sessions, ...) are now relative to the Mashroom config file (if they are not absolute)
• WebSockets: Clients can now reconnect to the previous session and receive missed messages if they use the clientId generated by the server
• LDAP Security Provider: Improved reliability and performance
• Portal: ReasonReact based demo app added
• Upgraded libraries with known vulnerabilities