Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
passport-ldapauth
Advanced tools
Passport authentication strategy against LDAP server. This module is a Passport strategy wrapper for ldapauth-fork
npm install passport-ldapauth
var LdapStrategy = require('passport-ldapauth');
passport.use(new LdapStrategy({
server: {
url: 'ldap://localhost:389',
...
}
}));
server
: LDAP settings. These are passed directly to ldapauth-fork. See its documentation for all available options.
url
: e.g. ldap://localhost:389
bindDn
: e.g. cn='root'
bindCredentials
: Password for bindDnsearchBase
: e.g. o=users,o=example.com
searchFilter
: LDAP search filter, e.g. (uid={{username}})
. Use literal {{username}}
to have the given username used in the search.searchAttributes
: Optional array of attributes to fetch from LDAP server, e.g. ['displayName', 'mail']
. Defaults to undefined
, i.e. fetch all attributestlsOptions
: Optional object with options accepted by Node.js tls module.usernameField
: Field name where the username is found, defaults to username
passwordField
: Field name where the password is found, defaults to password
passReqToCallback
: When true
, req
is the first argument to the verify callback (default: false
):
passport.use(new LdapStrategy(..., function(req, user, done) {
...
done(null, user);
}
));
Note: you can pass a function instead of an object as options
, see the example below
Use passport.authenticate()
, specifying the 'ldapauth'
strategy, to authenticate requests.
authenticate()
optionsIn addition to default authentication options the following options are available for passport.authenticate()
:
badRequestMessage
flash message for missing username/password (default: 'Missing credentials')invalidCredentials
flash message for InvalidCredentialsError
, NoSuchObjectError
, and /no such user/i
LDAP errors (default: 'Invalid username/password')userNotFound
flash message when LDAP returns no error but also no user (default: 'Invalid username/password')constraintViolation
flash message when user account is locked (default: 'Exceeded password retry limit, account locked')var express = require('express'),
passport = require('passport'),
bodyParser = require('body-parser'),
LdapStrategy = require('passport-ldapauth');
var OPTS = {
server: {
url: 'ldap://localhost:389',
bindDn: 'cn=root',
bindCredentials: 'secret',
searchBase: 'ou=passport-ldapauth',
searchFilter: '(uid={{username}})'
}
};
var app = express();
passport.use(new LdapStrategy(OPTS));
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({extended: false}));
app.use(passport.initialize());
app.post('/login', passport.authenticate('ldapauth', {session: false}), function(req, res) {
res.send({status: 'ok'});
});
app.listen(8080);
Simple example config for connecting over ldaps://
to a server requiring some internal CA certificate (often the case in corporations using Windows AD).
var fs = require('fs');
var opts = {
server: {
url: 'ldaps://ad.corporate.com:636',
bindDn: 'cn=non-person,ou=system,dc=corp,dc=corporate,dc=com',
bindCredentials: 'secret',
searchBase: 'dc=corp,dc=corporate,dc=com',
searchFilter: '(&(objectcategory=person)(objectclass=user)(|(samaccountname={{username}})(mail={{username}})))',
searchAttributes: ['displayName', 'mail'],
tlsOptions: {
ca: [
fs.readFileSync('/path/to/root_ca_cert.crt')
]
}
}
};
...
Instead of providing a static configuration object, you can pass a function as options
that will take care of fetching the configuration. It will be called with a callback function having the standard (err, result)
signature. Notice that the provided function will be called on every authenticate request.
var getLDAPConfiguration = function(callback) {
// Fetching things from database or whatever
process.nextTick(function() {
var opts = {
server: {
url: 'ldap://localhost:389',
bindDn: 'cn=root',
bindCredentials: 'secret',
searchBase: 'ou=passport-ldapauth',
searchFilter: '(uid={{username}})'
}
};
callback(null, opts);
});
};
var LdapStrategy = require('passport-ldapauth');
passport.use(new LdapStrategy(getLDAPConfiguration,
function(user, done) {
...
return done(null, user);
}
));
MIT
FAQs
LDAP authentication strategy for Passport
The npm package passport-ldapauth receives a total of 29,252 weekly downloads. As such, passport-ldapauth popularity was classified as popular.
We found that passport-ldapauth demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.