我无法使用ldap获取loopback-component-passport对活动目录进行身份验证。
我的provider.json文件如下所示(显然已删除了凭据)
{
"ldap": {
"provider": "ldap",
"authScheme":"ldap",
"module": "passport-ldapauth",
"authPath": "/auth/ldap",
"successRedirect": "/auth/account",
"failureRedirect": "/msad",
"json":true,
"failureFlash": false,
"session": false,
"setToken":true,
"LdapAttributeForLogin": "mail",
"LdapAttributeForUsername": "sAMAccountName",
"LdapAttributeForMail": "mail",
"server":{
"url": "ldaps://servername.domain:636",
"bindDn": "CN=Username,CN=Users,DC=ad,DC=Customer,DC=org",
"bindCredentials": "password for bind user",
"searchBase": "dc=ad,dc=Customer,dc=org",
"searchAttributes": ["cn", "mail", "givenname"],
"searchFilter": "(&(mail={{username}}))"
}
}
}
我的server.js代码类似于下面的代码。
'use strict';
var loopback = require('loopback');
var boot = require('loopback-boot');
//required for https config
var https = require('https');
var fs = require('fs');
var app = module.exports = loopback();
//custom addition to see if it works
var graphqlHTTP = require('express-graphql');
var graphqlvar = require('graphql');
var schema =require('./middleware/schema');
// configure view handler
var path = require('path');
app.set('view engine', 'ejs');
app.set('views', path.join(__dirname, 'views'));
app.use(loopback.token());
// Passport configurators..
var loopbackPassport = require('loopback-component-passport');
var PassportConfigurator = loopbackPassport.PassportConfigurator;
var passportConfigurator = new PassportConfigurator(app);
var config = {};
try {
config = require('./providers.json');
} catch(err) {
console.error('Please configure your passport strategy in `providers.json`.');
console.error('Copy `providers.json.template` to `providers.json` and replace the clientID/clientSecret values with your own.');
process.exit(1);
}
// Initialize passport
passportConfigurator.init(true);
app.use('/graphql', graphqlHTTP({
schema: schema,
graphiql: true
}));
//https config
var options = {
pfx: fs.readFileSync('path to pfx file'),
passphrase: 'passphrase'
};
var options_ldap = {
ca: fs.readFileSync('path to cert file')
};
app.start = function() {
// create ssl server
var server = null;
server = https.createServer(options, app);
// start the web server
/*return app.listen(function() {
app.emit('started');
var baseUrl = app.get('url').replace(/\/$/, '');
console.log('Web server listening at: %s', baseUrl);
if (app.get('loopback-component-explorer')) {
var explorerPath = app.get('loopback-component-explorer').mountPath;
console.log('Browse your REST API at %s%s', baseUrl, explorerPath);
}
});*/
server.listen(app.get('port'), function() {
var baseUrl = 'https://' + app.get('host') + ':' + app.get('port');
//var baseUrl = 'https://' + app.get('host');
//app.emit('started', baseUrl);
app.emit('started');
console.log('Web server listening at: %s', baseUrl);
console.log('LoopBack server listening @ %s%s', baseUrl, '/');
if (app.get('loopback-component-explorer')) {
var explorerPath = app.get('loopback-component-explorer').mountPath;
console.log('Browse your REST API at %s%s', baseUrl, explorerPath);
}
});
return server;
};
// Bootstrap the application, configure models, datasources and middleware.
// Sub-apps like REST API are mounted via boot scripts.
boot(app, __dirname, function(err) {
if (err) throw err;
// start the server if `$ node server.js`
if (require.main === module)
app.start();
});
// Set up related models
passportConfigurator.setupModels({
userModel: app.models.AppUser,
userIdentityModel: app.models.userIdentity,
userCredentialModel: app.models.userCredential
});
// Configure passport strategies for third party auth providers
for(var s in config) {
var c = config[s];
c.session = c.session !== false;
/*c.createAccessToken=function(user,cb){
user.accessTokens.create({
created: new Date(),
ttl: ttl
},cb);
}*/
//adjust ldap config to add tls options
if (c.authScheme=="ldap"){
if (c.server!=null){
//harcode now and make generic later
c.server.tlsOptions=options_ldap;
}
}
passportConfigurator.configureProvider(s, c);
}
当我尝试使用curl登录到https://server.domain/auth/ldap时,出现验证错误。有人可以建议我如何调试此错误。我使用的是正确的provider.json文件吗?另外,关于ldap映射的文档还不清楚-有人可以解释这些映射的含义吗?是否有一个适用于Loopback 3.x的优秀示例/示例应用程序,我可以使用参考来帮助我解决这个问题?
我能够确认ldapsearch在providers.json文件中包含的ldap服务器设置下可以正常工作。
答案 0 :(得分:0)
似乎您正在尝试使用电子邮件地址(mail属性)针对AD进行身份验证。广告不允许这样做。您可以使用userPrincipalName格式的username@domain.com。可能与电子邮件地址相同,但不一定。否则,您需要使用sAMAccountName,这就是通常所说的“用户名”。
这些是我指的行:
"LdapAttributeForLogin": "mail"
"searchFilter": "(&(mail={{username}}))"
在两种情况下都将mail替换为userPrincipalName或sAMAccountName。