AD Auth with NODE
Actually fairly Easy
- NodeJS community
- Tiny modules
- How Substack writes modules
- Just search NPM
- At least six feasible items
- One provided by MS
node-activedirectory
// Create one directory client; later slides reuse `ad` for every
// authenticate()/find*() call.
const ActiveDirectory = require('activedirectory');

// Service-account settings for the LDAP bind and the search base.
// NOTE(review): placeholder values for the slide — the bind password belongs in
// configuration (e.g. an environment variable), not in source, and a plain
// ldap:// URL sends that password in cleartext unless the client negotiates
// StartTLS; prefer ldaps:// where the domain controller offers it.
const adOptions = {
  url: 'ldap://dc.domain.com',
  baseDN: 'dc=domain,dc=com',
  username: 'username@domain.com',
  password: 'password',
};

const ad = new ActiveDirectory(adOptions);
Methods
- authenticate
- findUser
- isMemberOf
- getGroupMembershipForUser
- getUsersForGroup
Returns
- POJOs
- Arrays
- Booleans
Example
// Check one user's credentials by binding to the directory as that user.
// authenticate() is asynchronous; the result arrives via the node-style
// (err, isAuthenticated) callback.
ad.authenticate('user@njvc.local', 'Password1', (err, isAuthenticated) => {
  // Throwing inside an async callback cannot be caught by the caller and will
  // take the process down — acceptable in a demo, not in a server.
  if (err) throw err;
  const outcome = isAuthenticated ? 'Authenticated!' : 'Failed to authenticate';
  console.log(outcome);
});
Integration with Express
via PassportJS
- Express web server
- Based on Connect
- Most popular web server
- PassportJS
- THE standard for authentication
Express pipeline
- .use to inject middleware
- Order matters
- Location matters
- Global
- Mount Point
- Route
Example
// Registration order is execution order: each app.use() handler runs in the
// sequence it was added, so the static handler answers before the catch-all.
const app = express();
app.use(logger());
app.use(bodyParser());
app.use(express.static(`${__dirname}/public`));

// Catch-all: any request not satisfied from /public gets a fixed reply.
app.use((req, res) => {
  res.send('Hello');
});
Inject Passport
// passport.initialize() must be mounted before any route that calls
// passport.authenticate().
const app = express();
app.use(bodyParser());
app.use(passport.initialize());

// Stateless login: session: false means no session is established, so the
// credentials are checked for this request only.
const requireLocalAuth = passport.authenticate('local', { session: false });

app.post('/login', requireLocalAuth, (req, res) => {
  // req.user is the object the strategy's verify callback handed to done().
  // Logging the whole user object is fine for a demo; avoid it in production
  // logs.
  console.log(req.user);
  res.json({ msg: 'logged in!', user: req.user });
});
passport-local
- Allows local management of users
- array of users and passwords
- Roll-your-own auth system
// Demo verify callback: accepts a login whenever the password equals the
// username and always returns the same fixed user record.
// NOTE(review): this is a placeholder rule, not an authentication check —
// anyone who knows it can log in; it exists only to show the callback shape.
const demoVerify = (username, password, done) => {
  if (username !== password) {
    return done(null, false);
  }
  return done(null, {
    username: 'rhirsch',
    first: 'Ryan',
    last: 'Hirsch',
  });
};

passport.use(new LocalStrategy(demoVerify));
Combine them
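// Verify callback that delegates the credential check to Active Directory.
// passport-local calls it with the submitted username/password; done()
// receives (error, user|false).
passport.use(new LocalStrategy(
  function(username, password, done) {
    // Refuse empty credentials before touching the directory: an empty
    // password handed to an LDAP bind can be treated as an unauthenticated
    // (anonymous) bind and reported as success by some servers or client
    // libraries, which would log the caller in without a password.
    if (!username || !password) {
      return done(null, false);
    }
    ad.authenticate(username, password, function(err, isAuthenticated) {
      // Directory or network failure: surface it rather than treating it
      // as a bad login.
      if (err) return done(err, null);
      if (isAuthenticated) {
        return done(null, {
          username: username
        });
      }
      return done(null, false);
    });
  }
));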
passport-windowsauth
- Integrated NTLM Authentication
- Handled by IIS
- Node.js app running inside IIS
- Handled by mod_auth_kerb
- Node.js app behind Apache RP
- Forms Authentication
Example
const passport = require('passport');
const WindowsStrategy = require('passport-windowsauth');

// Strategy options: the ldap section is used to look up the user's profile;
// integrated: false presumably selects forms (username/password) login rather
// than an identity supplied by IIS/Apache — confirm against the strategy docs.
// NOTE(review): bindDN/bindCredentials are inlined here for illustration only;
// the bind password belongs in configuration, not in source.
const windowsOptions = {
  ldap: {
    url: 'ldap://wellscordoba.wellscordobabank.com/DC=wellscordobabank,DC=com',
    base: 'DC=wellscordobabank,DC=com',
    bindDN: 'someAccount',
    bindCredentials: 'andItsPass',
  },
  integrated: false,
};

// Map the directory profile onto an application user record.
const onProfile = (profile, done) => {
  LocalUserDb.findOrCreate({ waId: profile.id }, (err, user) => {
    done(err, user);
  });
};

passport.use(new WindowsStrategy(windowsOptions, onProfile));
passport-azure-ad
- Created and maintained by Microsoft
- Purpose built for Azure Active Directory
- Used locally with AD Federation Services
- Least popular of the 3
Example
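// WS-Federation settings for the Azure AD tenant. realm and logoutUrl are the
// local application's own addresses; the two identity* URLs point at the
// tenant's federation endpoint and metadata document.
// The slide omitted the comma after identityMetadata, which made this object
// literal a syntax error; it is restored here.
var config = {
  realm: 'http://localhost:3000/',
  identityProviderUrl: 'https://login.windows.net/ad0ffc54-96b9-4757-bbb0-fcc293e2f4aa/wsfed',
  identityMetadata: 'https://login.windows.net/ad0ffc54-96b9-4757-bbb0-fcc293e2f4aa/federationmetadata/2007-06/federationmetadata.xml',
  logoutUrl: 'http://localhost:3000/'
};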
// Profile callback: receives the profile the strategy extracted from the
// federation response and accepts it only if it carries an email claim.
const onFederatedProfile = (profile, done) => {
  if (!profile.email) {
    done(new Error("No email found"));
    return;
  }
  // Application-level checks on the profile (authorization, account lookup)
  // belong here before the user is accepted.
  done(null, profile);
};

passport.use(new wsfedsaml2(config, onFederatedProfile));
Active Directory Auth w/Node
By Ryan Hirsch
Active Directory Integration with Node.js