Active Directory strategy for passport.js
`npm install passport-activedirectory`
---
This strategy is a "fork" of passport-windowsauth that uses the activedirectory module instead of calling ldapjs directly.
The module works almost identically, except that the verify function is passed the ActiveDirectory object as a parameter so that you can use the query functions included in activedirectory during verification. This is useful with nested AD groups, where you want to determine whether a user is (directly or transitively) a member of a root-level group.
#### Setup
```js
var passport = require('passport')
var ActiveDirectoryStrategy = require('passport-activedirectory')

passport.use(new ActiveDirectoryStrategy({
  integrated: false,
  ldap: {
    url: 'ldap://my.domain.com',
    baseDN: 'DC=my,DC=domain,DC=com',
    username: 'readuser@my.domain.com',
    password: 'readuserspassword'
  }
}, function (profile, ad, done) {
  // Only admit users that are (possibly nested) members of AccessGroup
  ad.isUserMemberOf(profile._json.dn, 'AccessGroup', function (err, isMember) {
    if (err) return done(err)
    if (!isMember) return done(null, false) // authenticated but not authorised
    return done(null, profile)
  })
}))
```
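The group check above, written as a reusable fail-closed verify callback. This is an added example, not code from passport-activedirectory: `makeGroupVerify`, `fakeAd` and `runVerify` are names chosen here, and `fakeAd` is a constructed stand-in for the ActiveDirectory instance (assumed to expose the same `isUserMemberOf(dn, group, callback)` shape the page uses) so the code runs offline.

```javascript
// Added example, not part of passport-activedirectory. makeGroupVerify, fakeAd
// and runVerify are names chosen here; ad.isUserMemberOf is the activedirectory
// call used in the page's own examples.

// Build a verify(profile, ad, done) callback that admits only members of
// requiredGroup. A directory error or a non-member result denies the login.
function makeGroupVerify (requiredGroup) {
  return function verify (profile, ad, done) {
    var dn = profile && profile._json && profile._json.dn
    // The strategy always adds dn to profile._json; deny if it is absent
    if (!dn) return done(null, false, { message: 'profile has no dn' })
    ad.isUserMemberOf(dn, requiredGroup, function (err, isMember) {
      if (err) return done(err)   // LDAP failure: never fall through to success
      if (!isMember) return done(null, false, { message: 'not in ' + requiredGroup })
      return done(null, profile)  // authenticated and in the required group
    })
  }
}

// Constructed stand-in for an ActiveDirectory instance (assumption: same
// isUserMemberOf(dn, group, callback) shape as on the page), so this runs
// offline. membership maps a user dn to the groups the directory would report.
function fakeAd (membership) {
  return {
    isUserMemberOf: function (dn, group, callback) {
      if (!Object.prototype.hasOwnProperty.call(membership, dn)) {
        return callback(new Error('unknown dn ' + dn))
      }
      return callback(null, membership[dn].indexOf(group) !== -1)
    }
  }
}

// Run a verify callback and return what it passed to done()
function runVerify (verify, profile, ad) {
  var result = null
  verify(profile, ad, function (err, user, info) {
    result = { err: err || null, user: user, info: info }
  })
  return result
}

// Constructed directory state, and the callback as passport would receive it:
// passport.use(new ActiveDirectoryStrategy({ ... }, makeGroupVerify('AccessGroup')))
var sampleAd = fakeAd({
  'CN=alice,DC=my,DC=domain,DC=com': ['AccessGroup', 'Domain Users'],
  'CN=bob,DC=my,DC=domain,DC=com': ['Domain Users']
})
var verifyAccess = makeGroupVerify('AccessGroup')
```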
#### Protecting a path
```js
// Assumes a JSON body parser (e.g. express.json()) is mounted so that
// req.body.username and req.body.password are populated
var opts = { failWithError: true }
app.post('/login', passport.authenticate('ActiveDirectory', opts), function (req, res) {
  res.json(req.user)
}, function (err, req, res, next) {
  // With failWithError, a failed login reaches this error handler;
  // Express only treats a function with four parameters as an error handler
  res.status(401).send('Not Authenticated')
})

// example request
// > curl -H "Content-Type: application/json" -X POST -d '{"username":"xyz","password":"xyz"}' http://localhost/login
```
#### Optionally reuse an existing instance of activedirectory
```js
var passport = require('passport')
var ActiveDirectoryStrategy = require('passport-activedirectory')
var ActiveDirectory = require('activedirectory')

var ad = new ActiveDirectory({
  url: 'ldap://my.domain.com',
  baseDN: 'DC=my,DC=domain,DC=com',
  username: 'readuser@my.domain.com',
  password: 'readuserspassword'
})

passport.use(new ActiveDirectoryStrategy({
  integrated: false,
  ldap: ad // an existing ActiveDirectory instance instead of a config object
}, function (profile, ad, done) {
  // The ad parameter is the same instance supplied above
  ad.isUserMemberOf(profile._json.dn, 'AccessGroup', function (err, isMember) {
    if (err) return done(err)
    if (!isMember) return done(null, false) // authenticated but not authorised
    return done(null, profile)
  })
}))
```
#### ActiveDirectoryStrategy ( options, verify )

Options in square brackets are optional; where `=` is given, that is the default value.

* options { Object } - Options for connecting and verification
  * [integrated=true] { Boolean } - Use Windows integrated login. For username and password authentication set this to false
  * [passReqToCallback=false] { Boolean } - Pass the request to the callback
  * [usernameField="username"] { String } - Request body field to use for the username
  * [passwordField="password"] { String } - Request body field to use for the password
  * [mapProfile] { Function } - Custom profile mapping function. Takes the user object as its only parameter and returns a profile object. _json is added to the returned object with the full user object
  * [ldap] { Object | ActiveDirectory } - LDAP connection object. Extended properties are documented here. You may also supply an instance of activedirectory instead.
    * url { String } - LDAP URL (e.g. ldap://my.domain.com)
    * baseDN { String } - Base LDAP DN to search for users in
    * username { String } - User name of the account with access to search the directory
    * password { String } - Password for username
    * [filter] { Function } - Takes the username as its only parameter and returns an LDAP query for that user
    * [attributes] { Array } - Array of attributes to include in the profile under the profile._json key. The dn property is always added because it is used to authenticate the user
* verify { Function } - Verification function. Depending on the options supplied, the signature will be one of the following
  * Signatures
    * verify ( profile, ad, done ) - Using ldap
    * verify ( req, profile, ad, done ) - Using ldap, with the passReqToCallback option set to true
    * verify ( profile, done ) - Not using ldap
    * verify ( req, profile, done ) - Not using ldap, with the passReqToCallback option set to true
  * Params
    * profile { Object } - User profile object
    * req { Object } - Request object
    * ad { Object } - ActiveDirectory instance
    * done { Function } - Passport callback

* For information on setting up integrated authentication with IIS and Apache, review the documentation at passport-windowsauth
* For more information on ActiveDirectory methods, review activedirectory