使用NodeJS进行Active Directory身份验证

本文介绍了使用NodeJS进行Active Directory身份验证的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！ 问题描述

我正在尝试构建一台NodeJS服务器，并计划使用该组织的Microsoft Active Directory进行身份验证。

I'm trying to build one NodeJS server and planning to use the organization's Microsoft Active Directory for authentication.

我在很多软件包（activedirectory，activedirectory2，ldapjs等）中都尝试了相同的方法

I tried the same with many packages (activedirectory, activedirectory2, ldapjs etc.)

似乎为我工作。

我提供了LDAP URL，下面是我的代码。

I'm supplying the LDAP URL and below is my code.

var ldapjs = require('ldapjs'); var config = { url: 'ldap://mycompany/dc=mycompany,dc=com' ,timeout: 10 ,reconnect: { "initialDelay": 100, "maxDelay": 500, "failAfter": 5 } } var username = "user_id@mycompany"; var password="password"; const ldapClient = ldapjs.createClient(config); ldapClient.bind(username, password, function (err) { console.log("Logging data..."); ldapClient.search('dc=mycompany,dc=com', function (err, search) { if (err) { console.log('ERROR: ' +JSON.stringify(err)); return; } search.on('searchEntry', function (err,entry) { if (err) { console.log('ERROR: ' +JSON.stringify(err)); return; } else{ var user = entry.object; console.log("Done."); return; } }); }); });

有时它可以工作，但是在大多数情况下，我一直在跟踪错误（可能是在选择不同的IP）

Sometimes it works, but for most of the times I keep on getting following error (may be when it chooses a different IP)

Error: connect ETIMEDOUT <ip address>:389 at Object.exports._errnoException (util.js:1018:11) at exports._exceptionWithHostPort (util.js:1041:20) at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1090:14)

让我感到困惑的是；如果我在C＃应用程序中尝试使用相同的LDAP URL，则可以正常工作。

What puzzles me is; if I try with the same LDAP URL in my C# application, it works fine.

.Net应用程序使用它的方式与NodeJS使用方式有什么区别吗？

Is there a difference in the way .Net app uses it than the way NodeJS uses?

我可以吗？

推荐答案

我通过首先获取发出请求的用户名来完成此工作 npm：express-ntlm 。然后使用这些信息，我使用 npm：activedirectory 来向Active Directory查询该用户的详细信息。 / p>

I got this working by first getting the username that made the request with npm:express-ntlm. Then with this information, I use npm:activedirectory to query Active Directory for that user's details.

app.use( ntlm({ domain: process.env.DOMAIN, domaincontroller: process.env.DOMAINCONTROLLER }) ); ... app.use("/", authenticate, require("./routes/index"));

在经过身份验证的中间件中，我现在可以访问包含

Inside my authenticate middleware I now have access to req.ntlm which contains

{ DomainName: '...', UserName: '...', Workstation: '...', Authenticated: true }

我设置了ActiveDirectory对象，并注意 bindDN和 bindCredentials，而不是 username和 password：

I setup the ActiveDirectory object, and note "bindDN" and "bindCredentials" instead of "username" and "password":

var ad = new ActiveDirectory({ url: process.env.DOMAINCONTROLLER, baseDN: process.env.BASEDN, bindDN: process.env.USERNAME, bindCredentials: process.env.PASSWORD });

然后，您可以像在npm：activedirectory文档中那样使用广告对象：

Then you can use the ad object like in the npm:activedirectory documentation:

ad.findUser(req.ntlm.UserName, (err, adUser) => { ... });

findUser返回诸如名字和姓氏，电子邮件地址之类的东西，这些是我所需要的，但您可以轻松地分组调查。

findUser returns things like first and last name, email address, which is all I needed but you could easily look into groups.