Passport Active Directory node.js

Problem description

I have successfully assembled over a half dozen passport strategies (facebook, twitter, linkedin, instagram, tumblr, google, youtube) exchange account info with oauth1 and oauth2 token, into a single standalone auth server that saves session in Mongo and creates active profiles, with token/session/code/id fields and with many standardized attribute fields in SQL server using Tedious.js. These passport tools are excellent, thank you.

My last challenge for this project is not going as well, username and password into an active directory repository, to look up and auth in the same way. I have been trying over and over again passport-ldap, passport-ldapauth (based on ldapauth-gfork, based on ldapjs), passport-windowsauth and passport-kerberos, and seem to be getting related credential errors (deep in code, adding console.logs to try and figure out what I am getting syntactically wrong).

Are there any other resources and documentation to accessing LDAP/AD in Node.js using any strategy of Passport? The DN versus ou syntax and where the account access user (have a service account specifically set up to access the AD) for the repository versus the account user you are looking up and the filters make it very difficult to find anything error related to figure out where I am going wrong. Do you match to sAMAccountName or uid? I keep consistently getting "unauthorized" errors.

Unlike the other 70 passport strategies, where the doc and examples are clear and just work, not so much for ad/ldap passport. Can anyone point me to a good test, doc or setup that works well specifically with Passport.js and Active Directory?

Recommended answer

While this is an old question I thought, as the maintainer of passport-ldapauth, I should clarify LDAP authentication a little.

LDAP authentication is different from those strategies you've used before. Those OAuth strategies can really be configured only one way - provide the required options, and then it works. This part is the same with LDAP, but the actual values to the options differ from one server to the other. The questions you are asking, like do you match to sAMAccountName or uid, are really up to you and the LDAP server.

General things like what does a DN look like, what is search base, or what is the syntax of search filter have been defined extensively in RFCs. If one is not familiar with the basics it can be difficult to get the authentication to work. Often the AD/LDAP server maintainer input is needed to have proper settings, e.g. what search base allows finding all required users but does not cause unnecessary load on the LDAP server.

LDAP authentication usually works in three steps:

  1. Using a service account (in passport-ldapauth, bindDn and bindCredentials), bind against the LDAP server.
  2. Once bound, perform the configured search substituting the placeholder with user provided username. This determines if the given username is found from the LDAP server.
  3. Use the DN of the search result, together with user provided password, and bind against the LDAP server. This verifies the password.

If you wish to have users login using their SAMAccountName, your search filter could be e.g. (sAMAccountName={{username}}). If you wish that the users use uid, the filter could be just (uid={{username}}). If you want to enable both, use (|(sAMAccountName={{username}})(uid={{username}})). The search filter syntax is specified in RFC 4515.
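An added example (not code from the original answer or from passport-ldapauth) that carries step 2 of the flow above through: it fills the {{username}} placeholder in a search filter and escapes the value per RFC 4515 section 3, so that a login name containing filter metacharacters cannot change the structure of the search. The option names and every server value are constructed placeholders; verify the key names against the passport-ldapauth README for your installed version.

```javascript
// Added example, not from the original post or from passport-ldapauth.
// Shows the search-filter step of the bind / search / bind flow:
// substitute the {{username}} placeholder and escape the value per
// RFC 4515 section 3 (the library is assumed to do its own sanitizing;
// this illustrates what that sanitizing must achieve).

// RFC 4515 escaping: the five characters with special meaning inside a
// filter value become a backslash followed by their two-digit hex code.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\u0000]/g, (ch) => {
    const hex = ch.charCodeAt(0).toString(16).padStart(2, '0');
    return '\\' + hex;
  });
}

// Replace every {{username}} placeholder in the configured search filter
// with the escaped login name.
function buildSearchFilter(template, username) {
  const safe = escapeFilterValue(username);
  return template.replace(/\{\{username\}\}/g, safe);
}

// Options in the shape passport-ldapauth takes (key names assumed from its
// README). bindDN / bindCredentials are the service account used for the
// first bind; searchFilter accepts either sAMAccountName or uid as the
// answer describes. All values below are constructed placeholders.
const ldapOptions = {
  server: {
    url: 'ldap://ad.example.test:389',
    bindDN: 'CN=svc-auth,OU=Service Accounts,DC=example,DC=test',
    bindCredentials: 'REPLACE-WITH-SERVICE-ACCOUNT-SECRET',
    searchBase: 'OU=Users,DC=example,DC=test',
    searchFilter: '(|(sAMAccountName={{username}})(uid={{username}}))',
  },
};

// A plain login name substitutes unchanged ...
const plainFilter = buildSearchFilter(ldapOptions.server.searchFilter, 'jdoe');
// ... while parentheses in a display-style name are escaped, not parsed.
const escapedFilter = buildSearchFilter(
  ldapOptions.server.searchFilter,
  'j.doe (contractor)'
);
```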
