
Configuration for config.js (required)

  • Copy config.example and rename the file to config.js. Replace the secret with a randomly generated value. You can use, for example, https://randomkeygen.com/, or generate it locally (e.g. openssl rand -base64 48) so the secret never leaves your machine.

Configuration for ad-config.js (required for Active Directory authentication)

  • Copy ad-config.example and rename the file to ad-config.js, then fill in the values for your directory (the XXXX parts below are placeholders):

    // All options are handed to the LDAP authentication strategy.
    const config = {
        path: '/login',                                       // login route, mounted under auth/ad/
        url: 'ldap://de.XXXXX.ch:389',                        // ldaps:// is preferable so passwords are not sent in clear text
        bindDN: 'CN=adreader,OU=XXXX,DC=de,DC=XXXXX,DC=ch',   // read-only service account used for the user search
        bindCredentials: 'xsdsdsds',                          // placeholder; keep the real password out of source control
        searchBase: 'DC=de,DC=XXXXX,DC=ch',
        // {{username}} is replaced by the submitted username; memberOf restricts login to one group
        searchFilter: '(&(sAMAccountName={{username}})(memberOf=CN=XXXX-XXXX,OU=XXXX,DC=de,DC=XXXX,DC=ch))',
        errorMessages: {
          badRequestMessage: 'Missing credentials',
          invalidCredentials: 'Invalid username/password',
          userNotFound: 'Invalid username/password',          // same text as invalidCredentials: do not reveal whether the user exists
          constraintViolation: 'Exceeded password retry limit, account locked',
          invalidLogonHours: 'Not Permitted to login at this time',
          invalidWorkstation: 'Not permitted to logon at this workstation',
          passwordExpired: 'Password expired',
          accountDisabled: 'Account disabled',
          accountExpired: 'Account expired',
          passwordMustChange: 'User must reset password',
          accountLockedOut: 'User account locked',
          noSuchObject: 'Bad search base'
        }
    };

    module.exports = config;

Options for the Active Directory configuration file

  • path : path for the login route; '/login' sets up a new HTTP route at 'auth/ad/login' for authentication
  • url : LDAP server URL. With plain ldap:// on port 389 the bind password and every user's password travel in clear text unless TLS is used; prefer ldaps:// (typically port 636) where the domain controllers support it.
  • bindDN : DN of the account used for the user search, e.g. uid=myapp,ou=users,dc=example,dc=org. Optional: if omitted entirely, no bind is performed for the search; an empty string may result in an anonymous bind where the server allows it. Use a dedicated read-only account (like 'adreader' in the example), not an administrative one.
  • bindCredentials : password for bindDN
  • searchBase : the base DN from which to search for users by username, e.g. ou=users,dc=example,dc=org
  • searchFilter : LDAP search filter with which to find a user by username and group, e.g. '(&(sAMAccountName={{username}})(memberOf=CN=OSIV-Ivdat,OU=OSIV,DC=de,DC=ivnet,DC=ch))'. Use the literal {{username}} to have the given username interpolated into the LDAP search. Note that memberOf only lists direct memberships, so users who belong to the group through a nested group do not match this filter.
  • errorMessages : messages returned to the client for each authentication error. Keep invalidCredentials and userNotFound identical (as in the defaults) so a failed login does not reveal whether the username exists.
     [errorMessages.badRequestMessage] - 'Missing credentials' - Message for missing username/password
     [errorMessages.invalidCredentials] - 'Invalid username/password' - Message for InvalidCredentialsError, NoSuchObjectError, and /no such user/ LDAP errors
     [errorMessages.userNotFound] - 'Invalid username/password' - Message for user not found
     [errorMessages.constraintViolation] - 'Exceeded password retry limit, account locked' - Message when the account is locked (or another constraint violation)
     [errorMessages.invalidLogonHours] - 'Not Permitted to login at this time' - Message for Windows AD invalidLogonHours error
     [errorMessages.invalidWorkstation] - 'Not permitted to logon at this workstation' - Message for Windows AD invalidWorkstation error
     [errorMessages.passwordExpired] - 'Password expired' - Message for Windows AD passwordExpired error
     [errorMessages.accountDisabled] - 'Account disabled' - Message for Windows AD accountDisabled error
     [errorMessages.accountExpired] - 'Account expired' - Message for Windows AD accountExpired error
     [errorMessages.passwordMustChange] - 'User must reset password' - Message for Windows AD passwordMustChange error
     [errorMessages.accountLockedOut] - 'User account locked' - Message for Windows AD accountLockedOut error
     [errorMessages.noSuchObject] - 'Bad search base' - Bad search base in the LDAP query

Example that uses the searchFilter to allow authentication based on sAMAccountName:

 searchFilter: '(&(sAMAccountName={{username}})(memberOf=CN=OSIV-Ivdat,OU=OSIV,DC=de,DC=ivnet,DC=ch))',

Example that uses the searchFilter to allow authentication based on userPrincipalName:

 searchFilter: '(&(userPrincipalName={{username}})(memberOf=CN=OSIV-Ivdat,OU=OSIV,DC=de,DC=ivnet,DC=ch))',

Example that uses the searchFilter to allow authentication based on userPrincipalName or sAMAccountName:

 searchFilter: '(&(|(userPrincipalName={{username}})(sAMAccountName={{username}}))(memberOf=CN=OSIV-Ivdat,OU=OSIV,DC=de,DC=ivnet,DC=ch))',

More LDAP Query Examples for AD here
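The following is an added example, not code from this project or from its LDAP library, showing how a searchFilter template like the ones above becomes a concrete filter once {{username}} is interpolated, and why the interpolated value must be escaped per RFC 4515. Whether the library used by the project already escapes the username is not stated on this page; the escaping function here is the check you would apply (or verify is applied) before a user-controlled string reaches the filter. The group DN CN=App-Users,OU=Groups,DC=example,DC=org and the sample usernames are constructed for the example; the nested-group template uses the Active Directory matching rule OID 1.2.840.113556.1.4.1941, which goes beyond the plain memberOf filters shown on the page.

```javascript
// Added example (not part of the project or of its LDAP library): how a
// searchFilter template becomes a concrete filter, and why {{username}} must be
// escaped per RFC 4515 before it is interpolated.

// Escape the characters that are special inside an LDAP filter value:
// backslash, asterisk, parentheses and NUL become \xx hex escapes (RFC 4515).
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\u0000]/g, (ch) =>
    '\\' + ch.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Interpolate {{username}} into the template with escaping. A replacer
// function is used so that '$' sequences in the username are not treated as
// replacement patterns by String.prototype.replace.
function buildSearchFilter(template, username) {
  const escaped = escapeFilterValue(username);
  return template.replace(/\{\{username\}\}/g, () => escaped);
}

// Naive interpolation with no escaping, kept only to show the difference.
function buildSearchFilterUnsafe(template, username) {
  return template.replace(/\{\{username\}\}/g, () => String(username));
}

// Template in the shape used on the page, with a hypothetical group DN.
const TEMPLATE =
  '(&(|(userPrincipalName={{username}})(sAMAccountName={{username}}))' +
  '(memberOf=CN=App-Users,OU=Groups,DC=example,DC=org))';

// Active Directory only: the LDAP_MATCHING_RULE_IN_CHAIN rule
// (OID 1.2.840.113556.1.4.1941) also matches members of nested groups,
// which plain memberOf= does not.
const NESTED_TEMPLATE =
  '(&(sAMAccountName={{username}})' +
  '(memberOf:1.2.840.113556.1.4.1941:=CN=App-Users,OU=Groups,DC=example,DC=org))';

// Constructed inputs: a normal login name, a bare wildcard, and a crafted
// value that, unescaped, closes the attribute clause it lands in and adds a
// clause matching every object. All three produce a syntactically valid
// filter when interpolated without escaping, so the server does not reject them.
const SAMPLE_INPUTS = ['jdoe', '*', '*)(objectClass=*'];

// Returns the unsafe and the escaped filter for one username, side by side.
function compareInterpolation(template, username) {
  return {
    username,
    unsafe: buildSearchFilterUnsafe(template, username),
    safe: buildSearchFilter(template, username),
  };
}

for (const name of SAMPLE_INPUTS) {
  console.log(compareInterpolation(TEMPLATE, name));
}
console.log(buildSearchFilter(NESTED_TEMPLATE, 'jdoe'));
```

Run it with node and compare the unsafe and safe output for the third input: unescaped, the filter matches any account in the group (and the bind that follows then depends entirely on which entry the server returns first), while the escaped form looks for a literal account name containing the characters `*)(` and matches nothing.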
