@mashroom/mashroom-security-provider-ldap

Mashroom LDAP Security Provider

Plugin for Mashroom Server, a Microfrontend Integration Platform.

This plugin adds a LDAP security provider.

Usage

If node_modules/@mashroom is configured as plugin path just add @mashroom/mashroom-security-provider-ldap as dependency.

To activate this provider, configure the Mashroom Security plugin like this:

{
    "plugins": {
        "Mashroom Security Services": {
            "provider": "Mashroom LDAP Security Provider"
        }
    }
}

And configure this plugin like this in the Mashroom config file:

{
    "plugins": {
        "Mashroom LDAP Security Provider": {
            "loginPage": "/login",
            "serverUrl": "ldap://my-ldap-server:636",
            "ldapConnectTimeout": 3000,
            "ldapTimeout": 5000,
            "bindDN": "uid=mashroom,dc=nonblocking,dc=at",
            "bindCredentials": "secret",
            "baseDN": "ou=users,dc=nonblocking,dc=at",
            "userSearchFilter": "(&(objectClass=person)(uid=@username@))",
            "groupSearchFilter": "(objectClass=group)",
            "extraDataMapping": {
                "mobile": "mobile",
                "address": "postalAddress"
            },
            "secretsMapping": {
                "internalUserId": "uid"
            },
            "groupToRoleMapping": "./groupToRoleMapping.json",
            "userToRoleMapping": "./userToRoleMapping.json",
            "authenticationTimeoutSec": 1200
        }
    }
}

• loginPage: The login URL to redirect to if the user is not authenticated (Default: /login)
• serverUrl: The LDAP server URL with protocol and port
• ldapConnectTimeout: Connect timeout in ms (Default: 3000)
• ldapTimeout: Timeout in ms (Default: 5000)
• tlsOptions: Optional TLS options if your LDAP server requires TLS. The options are passed to Node TLS but the file paths (e.g. for "cert") are resolved relatively to the server config.
• bindDN: The bind user for searching
• bindCredentials: The password for the bind user
• baseDN: The base DN for searches (can be empty)
• userSearchFilter: The user search filter, @username@ will be replaced by the actual username entered in the login form
• groupSearchFilter: The group search filter (can be empty if you don't want to fetch the user groups)
• extraDataMapping: Optionally map extra LDAP attributes to user.extraData. The key in the map is the extraData property, the value the LDAP attribute (Default: null)
• secretsMapping: Optionally map extra LDAP attributes to user.secrets (Default: null)
• groupToRoleMapping: An optional JSON file that contains a user group to roles mapping (Default: /groupToRoleMapping.json)
• userToRoleMapping: An optional JSON file that contains a user name to roles mapping (Default: /userToRoleMapping.json)
• authenticationTimeoutSec: The inactivity time after that the authentication expires. Since this plugin uses the session to store make sure the session cookie.maxAge is greater than this value (Default: 1200)

For a server that requires TLS you have to provide a tlsOptions object:

{
    "plugins": {
        "Mashroom LDAP Security Provider": {
            "serverUrl": "ldaps://my-ldap-server:636",
            "tlsOptions": {
              "cert": "./server-cert.pem",

              // Necessary only if the server requires client certificate authentication.
              //"key": "./client-key.pem",

              // Necessary only if the server uses a self-signed certificate.
              // "rejectUnauthorized": false,
              // "ca": [ "./server-cert.pem" ],
            }
        }
    }
}

The groupToRoleMapping file has to following simple structure:

{
    "$schema": "https://www.mashroom-server.com/schemas/mashroom-security-ldap-provider-group-to-role-mapping.json",
    "LDAP_GROUP1": [
        "ROLE1",
        "ROLE2"
    ]
}

And the userToRoleMapping file:

{
    "$schema": "https://www.mashroom-server.com/schemas/mashroom-security-ldap-provider-user-to-role-mapping.json",
    "username": [
        "ROLE1",
        "ROLE2"
    ]
}