在Node.js上使用passport-ldapauth进行LDAP身份验证

时间:2017-08-21 09:13:48

标签: node.js express ldap passport.js

我一直在与护照-ddapauth挣扎了几天,而且我没有更多的想法,我做错了什么。

简而言之,我有一个使用两种护照策略的项目:本地和LDAP。本地策略对我来说非常适合,但LDAP是有问题的。

我有一个AD的只读用户(我们称之为“ldap-read-only-admin”),我可以通过外部LDAP客户端与该用户连接并查看相关的OU。我还对SearchBase进行了三重检查,看起来是正确的。

但是,当将相同的配置传递给passport-ldapauth时,似乎它无法绑定用户凭据(我猜)。关于如何调试它的任何想法将非常感激。

这是app.js:

    var express = require("express");
    var app     = express();
    var path    = require("path");
    var session = require("express-session");
    var mongoose = require("mongoose");
    var passport = require("passport");
    var flash = require("connect-flash");
    var cookieParser = require("cookie-parser");
    var bodyParser = require("body-parser");
    var morgan = require("morgan");

    var configDB = require('./config/database.js');
    require('./config/passport.js')(passport); // pass passport for configuration


    app.use(express.static(__dirname + '/public'));  

    app.set('view engine', 'ejs');

    //connect to the Database
    var promise = mongoose.connect(configDB.url, {
      useMongoClient: true,
    });      

    app.use(morgan('dev')); // log every request to the console
    app.use(cookieParser()); // read cookies (needed for auth)
    //app.use(bodyParser()); // get information from html forms
    app.use(bodyParser.urlencoded({
      extended: true
    }));
    app.use(bodyParser.json({
      extended: true
    }));

    // configuring passport
    app.use(session({ secret: 'secret',  resave: true, saveUninitialized: true })); // session secret
    app.use(passport.initialize());
    app.use(passport.session()); // persistent login sessions
    app.use(flash()); // use connect-flash for flash messages stored in session


    require('./modules/routes.js')(app, passport); // load our routes and pass in our app and fully configured passport


    //make Web server listen on a specific port
    app.listen(3000);

    logger.info("Listening on port 3000");

这是routes.js(相关部分):

module.exports = function(app, passport) {
app.post('/', function(req, res, next) {

    passport.authenticate('ldap-login', {session: true}, function(err, user, info) {
    console.log("user: " + user);
    console.log("info: " + JSON.stringify(info));
      if (err) {
        return next(err); // will generate a 500 error
      }
      // Generate a JSON response reflecting authentication status
      if (! user) {
        return res.send({ success : false, message : 'authentication failed' });
      }
      return res.send({ success : true, message : 'authentication succeeded' });
    })(req, res, next);
  });


}

这是passport.js:

    var LocalStrategy   = require('passport-local').Strategy;
    var LdapStrategy    = require('passport-ldapauth').Strategy;

    // load the user model
    var User            = require('../modules/user.js');

    // expose this function to our app using module.exports
    module.exports = function(passport) {

        // =========================================================================
        // passport session setup ==================================================
        // =========================================================================
        // required for persistent login sessions
        // passport needs ability to serialize and unserialize users out of session

        // used to serialize the user for the session
        passport.serializeUser(function(user, done) {
            done(null, user.id);
        });

        // used to deserialize the user
        passport.deserializeUser(function(id, done) {
            User.findById(id, function(err, user) {
                done(err, user);
            });
        });


      // =========================================================================
        // LOCAL LOGIN =============================================================
        // =========================================================================

        passport.use('local-login', new LocalStrategy({

           passReqToCallback : true // allows us to pass back the entire request to the callback
        },
        function(req, username, password, done) { // callback with email and password from our form

            // find a user whose email is the same as the forms email
            // we are checking to see if the user trying to login already exists
            User.findOne({ username :  username }, function(err, user) {
                // if there are any errors, return the error before anything else
                if (err)
                    return done(err);

                // if no user is found, return the message
                if (!user)
                    return done(null, false, req.flash('loginMessage', 'The username "' + username + '" is not found.')); // req.flash is the way to set flashdata using connect-flash

                // if the user is found but the password is wrong
                if (!user.validPassword(password))
                   return done(null, false, req.flash('loginMessage', 'Oops! Wrong password.')); // create the loginMessage and save it to session as flashdata

                // all is well, return successful user
                return done(null, user);
            });

        }));



        // =========================================================================
        // LDAP Login ==============================================================
        // =========================================================================

        var opts = {
            server: {
                    url: 'ldap://<ldap server address>:389',
                    bindDn: 'cn=ldap-read-only-admin',
                    bindCredentials: 'password',
                    searchBase: 'OU=XX1, OU=XX2, DC=domain, DC=local',
                    searchFilter: '(uid={{username}})',    
                   // passReqToCallback : true
                  }
        };

      passport.use('ldap-login', new LdapStrategy(opts, function(req, user, done) {
            console.log("Passport LDAP authentication.");
          done(null, user);
        }

    ));   

    };

1 个答案:

答案 0 :(得分:4)

经过五个小时的尝试,我设法解决了我的问题。

首先,我的&#34; ldap-read-only-admin&#34;与其他用户在相同的OU下,因此我必须将整个路径放在bindDN字符串中的ldap-read-only-admin。其次,我需要使用sAMAccountName而不是uid。第三,我不得不从LdapStrategy函数中删除req。

以下是passport.js中的ldap登录方式:

componentDidMount

希望它会对某人有所帮助。