ldapjs 身份验证(用户登录设置)
所以我目前正在运行 node.js,它安装了 ldapjs. 我的目标是拥有一个使用 ldapjs 的系统,允许用户使用用户名和密码登录.
So I'm currently running node.js, which has ldapjs installed. My aim is to have a system that uses ldapjs to allow users to login with a username and password.
我已经阅读 http://ldapjs.org 文档有一段时间了,但我很难理解整个文档ldap 的想法和 ldapjs 的实现.
I have been reading over the http://ldapjs.org documentation for awhile now but am struggling to understand the whole idea of ldap and ldapjs's implementation of it.
我目前从文档中得到这个
I currently have this from the documentation
var ldap = require('ldapjs');
var server = ldap.createServer();
server.bind('cn=root', function(req, res, next) {
if (req.dn.toString() !== 'cn=root' || req.credentials !== 'secret')
return next(new ldap.InvalidCredentialsError());
res.end();
return next();
});
server.listen(1389, function() {
console.log('LDAP server up at: %s', server.url);
});
这使我可以运行以下内容并成功绑定到服务器.
Which allows me to run the below and successfully bind to the server.
ldapsearch -H ldap://localhost:1389 -x -D cn=root -w secret -LLL -b "o=myhost" objectclass=*
但我真的不确定从这里去哪里,或者即使这是正确的方法......
But I'm really unsure of where to go from here or even if this is the correct approach...
理想的设置是拥有一系列用户和密码,并在成功的 ldap 连接上确认详细信息正确并以 true 响应,如果用户名/密码不正确则返回 false.
The ideal setup would be to have a range of users and passwords, and on a successful ldap connection confirm the details are correct and respond with a true, or false if the username/pass was incorrect.
有没有人知道有什么好的资源可以找到更多关于这方面的信息,或者更好的是可以建议一些基本的客户端/服务器端代码,让我知道下一步该去哪里!
Does anyone know of any good resources for finding out more about this, or better yet can suggest some basic client/server side code to give me an idea of where to go next!
任何回复将不胜感激.
非常感谢
推荐答案
我没用过ldapjs,但是根据我刚刚在其看似不完整的文档中快速阅读的内容,它可以用来实现LDAP服务器或LDAP客户端,这似乎是您正在尝试做的事情(即,我假设您想根据现有的 LDAP 服务器对应用程序中的用户进行身份验证).其文档中的大多数示例都集中在创建一个侦听某个端口并与后端数据库交互的 LDAP 服务器.如果您不想在后端数据库或用户和密码存储之间放置基于 LDAP 的接口,那么您可能不需要服务器 API.如果您已经运行了一个 LDAP 服务器,那么您将需要使用它的客户端 API 来执行以下操作:
I never used ldapjs, but based on what I just quickly read in its seemingly incomplete document, it can be used to implement an LDAP server or an LDAP client, which seems to be what you're trying to do (i.e., I'm assuming you want to authenticate users in your application against an existing LDAP server). Most of the examples in its document focus on creating an LDAP server that listens on a certain port and interacts with a back-end database. If you're not trying to put an LDAP-based interface between your back-end database or store of users and passwords, then you probably don't need the server API. If you already have an LDAP server running, then you will need to use its client API to do something like this:
1.匿名绑定到提供目录服务(包括身份验证服务)的 LDAP 服务器.看起来你可以这样做:
1.Bind anonymously to the LDAP server that provides the directory services including the authentication services. It looks like you can just do this with:
var ldap = require('ldapjs');
var client = ldap.createClient({
url: 'ldap://my.ldap.server'
});
2.通过用户名(例如,电子邮件地址)搜索相应条目的 DN
2.Search by the username (e.g., e-mail address) for the corresponding entry's DN
var opts = {
filter: '(mail=USERNAME)',
scope: 'sub'
};
client.search('ou=users,o=acme.com', opts, function(err, res) {
assert.ifError(err);
res.on('searchEntry', function(entry) {
console.log('entry: ' + JSON.stringify(entry.object));
});
res.on('searchReference', function(referral) {
console.log('referral: ' + referral.uris.join());
});
res.on('error', function(err) {
console.error('error: ' + err.message);
});
res.on('end', function(result) {
console.log('status: ' + result.status);
});
});
3.获取返回条目的 DN (entry.object).这个库的文档并没有过多地讨论如何使用这些对象(例如,它们的方法、属性等是什么).因此,您必须弄清楚如何实际获取您刚刚从目录服务器检索到的条目的 DN 或字符串表示形式.[请参阅此答案下方的评论]
3.Grab the DN of the returned entry ( entry.object ). The documentation of this library doesn't talk much about how these objects can be used (e.g., what their methods, properties, etc. are). So, you will have to figure out how to actually get the DN or string representation of the DN of the entry you just retrieved from the directory server. [See the comment(s) below this answer]
4.使用该DN重新绑定到服务器:
4.Rebind to the server using that DN:
client.bind(DN_RETRIEVED, PASSWORD_USER_ENTERED, function(err) {
assert.ifError(err);
});
5.上面绑定的结果是你需要用来判断认证是否成功的.
5.The result of the bind above is what you will need to use to determine whether or not the authentication was successful.
如果您尝试在您的用户/密码数据存储之前实现一个 LDAP 服务器以进行基于 LDAP 的身份验证,那么您将需要遵循他们的服务器示例.我个人认为这是一种矫枉过正的做法,并且在安全性方面可能存在问题.
If you are trying to implement an LDAP server in front of your user/password data store for LDAP-based authentication, then you will need to follow their server examples. I personally think this is an overkill and could be problematic in terms of security.
相关文章