ldapjs 身份验证（用户登录设置）

Question

So I'm currently running node.js, which has ldapjs installed. My aim is to have a system that uses ldapjs to allow users to login with a username and password.

I have been reading over the http://ldapjs.org documentation for awhile now but am struggling to understand the whole idea of ldap and ldapjs's implementation of it.

I currently have this from the documentation

var ldap = require('ldapjs');

var server = ldap.createServer();

server.bind('cn=root', function(req, res, next) {
  if (req.dn.toString() !== 'cn=root' || req.credentials !== 'secret')
    return next(new ldap.InvalidCredentialsError());

  res.end();
  return next();
});

server.listen(1389, function() {
  console.log('LDAP server up at: %s', server.url);
});

Which allows me to run the below and successfully bind to the server.

ldapsearch -H ldap://localhost:1389 -x -D cn=root -w secret -LLL -b "o=myhost" objectclass=*

But I'm really unsure of where to go from here or even if this is the correct approach...

The ideal setup would be to have a range of users and passwords, and on a successful ldap connection confirm the details are correct and respond with a true, or false if the username/pass was incorrect.

Does anyone know of any good resources for finding out more about this, or better yet can suggest some basic client/server side code to give me an idea of where to go next!

Any replies would be really appreciated.

Many Thanks

Answer 1

I never used ldapjs, but based on what I just quickly read in its seemingly incomplete document, it can be used to implement an LDAP server or an LDAP client, which seems to be what you're trying to do (ie, I'm assuming you want to authenticate users in your application against an existing LDAP server). Most of the examples in its document focus on creating an LDAP server that listens on a certain port and interacts with a back-end database. If you're not trying to put an LDAP-based interface between your back-end database or store of users and passwords, then you probably don't need the server API. If you already have an LDAP server running, then you will need to use its client API to do something like this:

1.Bind anonymously to the LDAP server that provides the directory services including the authentication services. It looks like you can just do this with:

var ldap = require('ldapjs');
var client = ldap.createClient({
    url: 'ldap://my.ldap.server'
});

2.Search by the username (eg, e-mail address) for the corresponding entry's DN

var opts = {
  filter: '(mail=USERNAME)',
  scope: 'sub'
};

client.search('ou=users,o=acme.com', opts, function(err, res) {
  assert.ifError(err);

  res.on('searchEntry', function(entry) {
    console.log('entry: ' + JSON.stringify(entry.object));
  });
  res.on('searchReference', function(referral) {
    console.log('referral: ' + referral.uris.join());
  });
  res.on('error', function(err) {
    console.error('error: ' + err.message);
  });
  res.on('end', function(result) {
    console.log('status: ' + result.status);
  });
});

3.Grab the DN of the returned entry ( entry.object ). The documentation of this library doesn't talk much about how these objects can be used (eg, what their methods, properties, etc. are). So, you will have to figure out how to actually get the DN or string representation of the DN of the entry you just retrieved from the directory server. [ See the comment(s) below this answer ]

4.Rebind to the server using that DN:

client.bind(DN_RETRIEVED, PASSWORD_USER_ENTERED, function(err) {
  assert.ifError(err);
});

5.The result of the bind above is what you will need to use to determine whether or not the authentication was successful.

If you are trying to implement an LDAP server in front of your user/password data store for LDAP-based authentication, then you will need to follow their server examples. I personally think this is an overkill and could be problematic in terms of security.