Active Directory module for node.js

I’ve published my Active Directory authentication (AuthN) and authorization (AuthZ) module for node.js. The module supports large Active Directory installations, where a single query may return more than 1000 entries, by using range specifiers to retrieve the full result set. In addition, the module recursively enumerates and expands all nested users and groups.

You can view or check out the code online on my github account:

Installation is easy with npm:

npm install activedirectory

Usage is pretty simple:

var ActiveDirectory = require('activedirectory');

// Connection URL, search base, and the account used for user/group lookups.
var ad = new ActiveDirectory('ldap://yourdomain.com', 'dc=yourdomain,dc=com', 'authuser@domain.com', 'authpassword');
var username = 'bob@domain.com';
ad.findUser(username, function(err, user) {
  if (err) {
    console.log('ERROR: ' + JSON.stringify(err));
    return;
  }

  if (!user) console.log('User: ' + username + ' not found.');
  else console.log(JSON.stringify(user));
});

Hope you find it useful!

15 comments

  1. Hi George

    Re your code above, will this work if we are authenticating one user at a time? E.g. let’s say our app (separate and unrelated to CompanyX) is connected into CompanyX and each CompanyX employee needs to login/signup. Will your code then validate that suzie@CompanyX.com is in the CompanyX Active Directory and, if so, allow them to register/login, and if not prevent them from registering/logging in?

    Thanks in advance

    Sean

  2. Hi George,
    The docs indicated that in the config, ‘authuser@domain.com’ and ‘authpassword’ are used for user lookups, group lookups, etc. Are these parameters required to simply authenticate? I am trying to use it without these and it does not work. I am not an AD/LDAP guy, so maybe this is a dumb question, but are these a master/admin credential?

  3. The username specified in the config is ONLY used if you need to perform user lookups, group searches, etc. If you are only using the authenticate() method, then your configuration only needs the following:

    var ActiveDirectory = require('activedirectory');
    var config = {
      baseDN: 'dc=domain,dc=com',
      url: 'ldap://dc.domain.com'
    };
    var ad = new ActiveDirectory(config);
    ad.authenticate(username, password, function(err, authenticated) {
      // handle err and the authenticated (true/false) result here
    });

    If you attempt to do any group or user information lookup, then you will need to have a username and password specified in the configuration. This username and password is used strictly for user and group information lookup. Typically this would be a read-only type of account that has few, if any, restrictions on what it can read.

    When doing authentication, make sure that you are using a userPrincipalName (username@domain.com). Using just a sAMAccountName (username) will NOT work. If you’re still having problems, check the hostname and port for your server. Talk with your network administrator to find out that information.

  4. With the activedirectory ldapjs API, how can I get the manager name of a user? Also, can we get the complete hierarchy of the managers? Please let me know.

    Regards.
    Nara

  5. You can query the “manager” attribute which will return the distinguishedName (DN) of the person. To get their name or other information, you would need to issue a second query based on the retrieved DN. That person in turn could have a manager assigned… recursively repeat until all managers have been exhausted walking “up” the tree. Optionally, you can also find all of the people that have a given DN specified as their manager.

    Note: When doing queries based on DNs, be careful of special characters (,=) which require escaping and special handling.

    > Re: Complete Hierarchy
    In theory, yes, you should be able to build the hierarchy of managers; however, there is nothing built-in to do that.
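
An added example of the approach described in this reply (it is not code from the original post or from the activedirectory module): it follows the “manager” attribute upward with cycle protection, and escapes a DN before embedding it in a search filter, as the note about special characters recommends. The `lookup` callback and the in-memory `DIRECTORY` are constructed stand-ins; with the real module, `lookup` would wrap `ad.findUser(dn, cb)`, which is assumed here to accept a DN.

```javascript
// Added example, not from the original post or the activedirectory module.
// Escape a value for use inside an LDAP search filter (RFC 4515). A DN such
// as "CN=Smith\, John,..." contains a backslash that must become "\5c" before
// the DN is embedded in "(manager=...)", or the filter is malformed/altered.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, function (c) {
    return '\\' + c.charCodeAt(0).toString(16).padStart(2, '0');
  });
}

// Filter for "all users whose manager attribute is this DN" (direct reports).
function directReportsFilter(managerDn) {
  return '(&(objectCategory=user)(manager=' + escapeFilterValue(managerDn) + '))';
}

// Walk the manager attribute upward from startDn, collecting manager names.
// lookup(dn, cb) calls back with the entry for a DN (or null). With the real
// module this would wrap ad.findUser(dn, cb) (assumed to accept a DN).
// Visited DNs are tracked so a cycle in the directory cannot loop forever.
function walkManagerChain(lookup, startDn, callback) {
  var chain = [];
  var seen = {};
  (function step(dn) {
    if (!dn) return callback(null, chain);          // reached the top
    if (seen[dn]) return callback(new Error('manager cycle at ' + dn), chain);
    seen[dn] = true;
    lookup(dn, function (err, entry) {
      if (err) return callback(err, chain);
      if (!entry) return callback(null, chain);     // dangling manager DN
      if (dn !== startDn) chain.push(entry.displayName);
      step(entry.manager);
    });
  })(startDn);
}

// Constructed in-memory stand-in for AD (calls back synchronously, unlike real LDAP).
var DIRECTORY = {
  'CN=Bob Jones,OU=Staff,DC=domain,DC=com':
    { displayName: 'Bob Jones', manager: 'CN=Smith\\, John,OU=Staff,DC=domain,DC=com' },
  'CN=Smith\\, John,OU=Staff,DC=domain,DC=com':
    { displayName: 'John Smith', manager: 'CN=Ann Lee,OU=Staff,DC=domain,DC=com' },
  'CN=Ann Lee,OU=Staff,DC=domain,DC=com':
    { displayName: 'Ann Lee' }
};
function fixtureLookup(dn, cb) { cb(null, DIRECTORY[dn] || null); }
walkManagerChain(fixtureLookup, 'CN=Bob Jones,OU=Staff,DC=domain,DC=com', function (err, chain) {
  console.log(err ? err.message : chain.join(' -> '));
  console.log(directReportsFilter('CN=Smith\\, John,OU=Staff,DC=domain,DC=com'));
});
```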

  6. When an (AD) Windows user logs into their computer, they can open their email (say Outlook) without having to authenticate again in the email client; somehow the email client already knows what the credentials are. The same happens in Windows Explorer: it automatically shows network resources that that user has access to.

    I want to build an app that does this ‘auto’ authentication such that I don’t need to ask the user for their login/password when they open my app, yet the app can make AD requests on the user’s behalf. Is this possible?

  7. If you’re not using native Windows libraries & authentication, you’ll need to use Kerberos for auto sign-on. To the best of my knowledge, the underlying ldapjs library, which this library depends upon, does not support Kerberos.

  8. Hi George. First of all, thank you so much for such a great piece of code. I have one question. Is there any option to test if the connection with AD is available with your module? I’m setting timeout in opts but it does not seem to work. Any idea please? 😉

  9. Essentially for timeout and connection related operations, you’re relying upon the ldapjs implementation. I’d recommend checking the ldapjs source and issues. If I recall, on a timeout, the ldapjs library should throw an exception which you’ll then have to catch and handle.

  10. But where should I put it??? I tried setting timeout in the opts object and also in the settings for the new AD object and it does not seem to work. =/ When I look into your module code I can see that opts should do it, but I am not sure.

  11. If the timeout isn’t working, then the problem is likely due to the underlying ldapjs library. The timeout option is just passed through to the underlying ldapjs implementation.

    I’d recommend creating a quick, simple utility that directly uses the ldapjs library and see if you can get the timeout code working there. If you can’t, then it’s an ldapjs issue. If you can, then we can work backwards and figure out why the timeout isn’t being honored. If necessary, please continue this discussion on the github project page by opening an issue: https://github.com/gheeres/node-activedirectory/issues

  12. Hello, and thank you for the library. Question: is there a way to get the authenticated user’s information without using the find() method? For example, after hitting ad.authenticate and getting authenticated to the AD, I want to get that logged-in user’s information (name, email, etc.). Any help is greatly appreciated, thank you!

  13. Hi George, I am new to the world of AD. I have a simple Express.js web app and the requirement is to authenticate the users with AD.
    To do a quick PoC, I am running an AD LDS instance on my Windows 7 laptop and created 2 users.

    Can I use the same code used for authenticating against AD for AD LDS? Or is there any difference?

    Is it doable in the first place, do you think? Request your help as I am stuck and not sure which way to go.

    Thanks
    Pramod
