AD Auth with NODE


Actually fairly Easy



node-activedirectory


var ActiveDirectory = require('activedirectory');
var ad = new ActiveDirectory({ url: 'ldap://dc.domain.com',
    baseDN: 'dc=domain,dc=com',
    username: 'username@domain.com',
    password: 'password'
});

Methods

  • authenticate
  • findUser
  • isMemberOf
  • getGroupMembershipForUser
  • getUsersForGroup


Returns

  • POJOs
  • Arrays
  • Booleans

Example


ad.authenticate('user@njvc.local', 'Password1', function(err, isAuthenticated) {
    if(err) throw err;
    if(isAuthenticated) {
        console.log('Authenticated!');
    }
    else {
        console.log('Failed to authenticate');
    }
});

Integration with Express

via PassportJS

  • Express web server
    • Based on Connect
    • Most popular web server
  • PassportJS
    • THE standard for authentication

Express pipeline

  • .use to inject middleware
  • Order matters
  • Location matter
    • Global
    • Mount Point
    • Route

Example


var app = express();

app.use(logger());
app.use(bodyParser());
app.use(express.static(__dirname + '/public'));
app.use(function(req, res){
  res.send('Hello');
});

Inject Passport




var app = express();

app.use(bodyParser());
app.use(passport.initialize());
app.post('/login', passport.authenticate('local', { session: false }), function(req, res) {
    console.log(req.user);
    res.json({ msg: 'logged in!', user: req.user});
});

passport-local

  • Allows local management of users
    • array of users and passwords
    • Roll-you-own auth system

 passport.use(new LocalStrategy(
    function(username, password, done) {
        if(username === password) {
            return done(null, {
                username: 'rhirsch',
                first: 'Ryan',
                last: 'Hirsch'
            });
        }
        else {
            return done(null, false);
        }
    }
));

Combine them


passport.use(new LocalStrategy(
    function(username, password, done) {
        ad.authenticate(username, password, function(err, isAuthenticated) {
            if(err) return done(err, null);
            if(isAuthenticated) {
                return done(null, {
                    username: username
                });
            }
            else {
                return done(null, false);
            }
        });
    }
));

passport-windowsauth

  • Integrated NTLM Authentication
    • Handled by IIS
      • Node.js app running inside IIS
    • Handled by mode_auth_kerb
      • Node.js app behind Apache RP
  • Forms Authentication

Example


var passport = require('passport');
var WindowsStrategy = require('passport-windowsauth');

passport.use(new WindowsStrategy({ 
  ldap: {
    url:             'ldap://wellscordoba.wellscordobabank.com/DC=wellscordobabank,DC=com',
    base:            'DC=wellscordobabank,DC=com',
    bindDN:          'someAccount',
    bindCredentials: 'andItsPass'
  },
  integrated:      false
}, function(profile, done){
  LocalUserDb.findOrCreate({ waId: profile.id }, function (err, user) {
    done(err, user);
  });
}));

passport-azure-ad



  • Created and maintained by Microsoft
  • Purpose built for Azure Active Directory
  • Used locally with AD Federation Services
  • Least popular of the 3

Example

var config = {
    realm: 'http://localhost:3000/',
    identityProviderUrl: 'https://login.windows.net/ad0ffc54-96b9-4757-bbb0-fcc293e2f4aa/wsfed',
    identityMetadata: 'https://login.windows.net/ad0ffc54-96b9-4757-bbb0-fcc293e2f4aa/federationmetadata/2007-06/federationmetadata.xml'
    logoutUrl:'http://localhost:3000/'
};

passport.use(new wsfedsaml2(config, function(profile, done) {
    if (!profile.email) {
        done(new Error("No email found"));
        return;
    }
    // validate the user here
    done(null, profile);
}));
Made with Slides.com