
Product
Socket Brings Supply Chain Security to skills.sh
Socket is now scanning AI agent skills across multiple languages and ecosystems, detecting malicious behavior before developers install, starting with skills.sh's 60,000+ skills.
@veecode-platform/backstage-plugin-ldap-auth-backend
Advanced tools
Backstage LDAP Authentication plugin, this packages adds backend authentication and token generation/validation/management (fork from @immobiliarelabs original plugin)
LDAP Authentication backend for Backstage
This package provides LDAP authentication capabilities for your Backstage instance using the new backend system.
This is a maintained fork of the original @immobiliarelabs/backstage-plugin-ldap-auth-backend, updated and adapted for:
@backstage/plugin-auth-node v0.6+)Original plugin created by the amazing team at ImmobiliareLabs. We are grateful for their work and maintain this fork to ensure compatibility with the latest Backstage releases.
📚 Original Plugin Documentation
/refresh and /logout routes for token managementThis plugin works in conjunction with:
Install both backend and frontend plugins:
# Backend plugin
yarn workspace backend add @veecode-platform/backstage-plugin-ldap-auth-backend
# Frontend plugin
yarn workspace app add @veecode-platform/backstage-plugin-ldap-auth
# LDAP catalog sync (if not already installed)
yarn workspace backend add @backstage/plugin-catalog-backend-module-ldap
Add LDAP configuration to your app-config.yaml. The configuration format remains unchanged from the original plugin:
auth:
providers:
ldap:
# Environment-specific configuration (e.g., development, production)
development:
cookies:
secure: false # Set to true for HTTPS
field: 'backstage-token'
ldapAuthenticationOptions:
userSearchBase: 'ou=People,dc=example,dc=com' # REQUIRED
usernameAttribute: 'uid' # User unique identifier attribute
# Admin credentials for user validation
# If omitted, credential-less search will be attempted
adminDn: 'cn=admin,dc=example,dc=com'
adminPassword: '${LDAP_SECRET}'
ldapOpts:
url: '${LDAP_URL}' # e.g., 'ldap://localhost:389' or 'ldaps://ldap.example.com:636'
tlsOptions:
rejectUnauthorized: false # Set to true in production
Environment Variables:
export LDAP_URL="ldap://localhost:389"
export LDAP_SECRET="admin-password"
Note: This plugin uses
ldap-authenticationfor LDAP operations. TheldapOptsare passed toldapjs.
Register the LDAP auth module in your backend. The new backend system makes this simple:
packages/backend/src/index.ts
import { createBackend } from '@backstage/backend-defaults';
const backend = createBackend();
// ... other plugins
// Auth backend is required
backend.add(import('@backstage/plugin-auth-backend'));
// Add LDAP auth module
backend.add(import('@veecode-platform/backstage-plugin-ldap-auth-backend'));
// ... other plugins
backend.start();
That's it! The plugin automatically:
/api/auth/ldap/refresh endpoint (login & token refresh)/api/auth/ldap/logout endpoint (invalidate token)By default, tokens are stored in-memory. For production or multi-instance deployments, use PostgreSQL:
import { createBackend } from '@backstage/backend-defaults';
import { tokenValidatorFactory, JWTTokenValidator } from '@veecode-platform/backstage-plugin-ldap-auth-backend';
import Keyv from 'keyv';
const backend = createBackend();
// ... other plugins
backend.add(import('@backstage/plugin-auth-backend'));
backend.add(import('@veecode-platform/backstage-plugin-ldap-auth-backend'));
// Add PostgreSQL token storage
backend.add(
tokenValidatorFactory({
createTokenValidator: (config) => {
const dbUrl = config.getString('backend.database.connection.url');
return new JWTTokenValidator(
new Keyv(dbUrl, { table: 'ldap_tokens' })
);
},
})
);
backend.start();
You can customize the authentication flow and user validation logic using backend modules.
Override the default LDAP authentication logic:
import { coreServices, createBackendModule } from '@backstage/backend-plugin-api';
import { ldapAuthExtensionPoint } from '@veecode-platform/backstage-plugin-ldap-auth-backend';
export default createBackendModule({
pluginId: 'auth',
moduleId: 'ldap-custom',
register(reg) {
reg.registerInit({
deps: {
config: coreServices.rootConfig,
ldapAuth: ldapAuthExtensionPoint,
},
async init({ config, ldapAuth }) {
ldapAuth.set({
resolvers: {
async ldapAuthentication(
username,
password,
ldapOptions,
authFunction
) {
// Customize LDAP options or authentication logic
console.log(`Authenticating user: ${username}`);
// Call the default auth function with modified options
const user = await authFunction(ldapOptions);
// Return user identifier
return { uid: user.uid };
},
},
});
},
});
},
});
Then register it in backend/src/index.ts:
backend.add(import('./modules/ldap-custom'));
Customize how the plugin validates if a user exists in LDAP (used for JWT token validation):
export default createBackendModule({
pluginId: 'auth',
moduleId: 'ldap-custom',
register(reg) {
reg.registerInit({
deps: {
config: coreServices.rootConfig,
ldapAuth: ldapAuthExtensionPoint,
},
async init({ config, ldapAuth }) {
ldapAuth.set({
resolvers: {
async checkUserExists(
ldapAuthOptions,
searchFunction
) {
const { username } = ldapAuthOptions;
// Add custom validation logic
console.log(`Checking if user exists: ${username}`);
// Use the default search function or implement your own
const exists = await searchFunction(ldapAuthOptions);
return exists;
},
},
});
},
});
},
});
You can test the LDAP authentication endpoints directly:
curl -X POST http://localhost:7007/api/auth/ldap/refresh \
-H "Content-Type: application/json" \
-d '{
"username": "your-ldap-username",
"password": "your-ldap-password"
}' \
-c cookies.txt \
-v
curl -X POST http://localhost:7007/api/auth/ldap/refresh \
-H "Content-Type: application/json" \
-b cookies.txt \
-v
curl -X POST http://localhost:7007/api/auth/ldap/logout \
-b cookies.txt \
-v
If you're migrating from @immobiliarelabs/backstage-plugin-ldap-auth-backend:
Update package name in package.json:
- "@immobiliarelabs/backstage-plugin-ldap-auth-backend": "^4.3.1"
+ "@veecode-platform/backstage-plugin-ldap-auth-backend": "workspace:*"
Update imports in backend/src/index.ts:
- backend.add(import('@immobiliarelabs/backstage-plugin-ldap-auth-backend'));
+ backend.add(import('@veecode-platform/backstage-plugin-ldap-auth-backend'));
Configuration remains the same - no changes needed in app-config.yaml
New backend system - the plugin now uses the modern Backstage backend architecture
This is a community-maintained fork. For issues or questions:
Original plugin created with ❤️ by the ImmobiliareLabs team.
Maintained and updated by VeeCode Platform.
MIT License - see LICENSE for details.
Original work Copyright (c) ImmobiliareLabs
Modified work Copyright (c) VeeCode Platform
FAQs
Backstage LDAP Authentication plugin, this packages adds backend authentication and token generation/validation/management (fork from @immobiliarelabs original plugin)
We found that @veecode-platform/backstage-plugin-ldap-auth-backend demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 3 open source maintainers collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Product
Socket is now scanning AI agent skills across multiple languages and ecosystems, detecting malicious behavior before developers install, starting with skills.sh's 60,000+ skills.

Product
Socket now supports PHP with full Composer and Packagist integration, enabling developers to search packages, generate SBOMs, and protect their PHP dependencies from supply chain threats.

Security News
An AI agent is merging PRs into major OSS projects and cold-emailing maintainers to drum up more work.