LDAP - look up a user by name only

Time: 2021-10-03 03:00:31

I am not too familiar with LDAP; however, I am working on authentication in a Node.js app, and the user credentials for the web app are going to be obtained from the organization's Windows domain.

I have LDAP lookups working (using the Passport.js Node module); however, to make it work, I have to put the user's full-fledged DN into Node. For example, let's say:

  1. My FQDN is mydomain.private.net.

  2. My users are stored in an organizational unit, let's say staff.

Now, if I want to look up user joe, I have to put this string into Node:

var username = 'CN=joe,OU=staff,DC=mydomain,DC=private,DC=net';

Do I really have to keep track of all that?

What if my users are in two different organizational units? The client-side browser doesn't know that! It just knows:

username = 'joe';
password = 'xxxxx';

What if you try to log on as administrator? Administrators are always in a totally different OU by default.

Is there a way to reference an LDAP object by just the name and nothing else?

2 solutions

#1


2  

This is a general LDAP problem. You need to get a unique identifier from the user, and then look for it.

Typically this is what the uid attribute is used for. Active Directory may or may not have that populated, and generally relies on sAMAccountName, which must be unique within the domain.

So you need a two-step process.

  1) Query for uid=joe or sAMAccountName=joe.
  2) Use the results to test a bind or password compare.

You would then use the DC=mydomain,DC=private,DC=net value as the root to search from.
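The two-step flow described in this answer, as an added example that is not part of the answer and not code from the activedirectory module or Passport.js. It runs against a constructed in-memory directory so it executes offline; the names SEARCH_BASE, DIRECTORY, mockSearch, mockBind and authenticateUser, and the two sample accounts with their passwords, are assumptions made for the example, and a real deployment would issue the same search and bind through an LDAP client. It also carries the three checks a practitioner wants around this flow that the answer leaves implicit: the username comes from the browser, so it is escaped before it goes into the filter (RFC 4515); the search must return exactly one entry before any bind is attempted; and an empty password is refused up front, because a simple bind with an empty password is an unauthenticated bind that servers may answer with success.

```javascript
const SEARCH_BASE = 'DC=mydomain,DC=private,DC=net';

// Constructed sample directory (an assumption for this example). As in the
// question, ordinary users and the administrator live in different containers
// under the same base, so the search has to cover the whole base.
const DIRECTORY = [
  { dn: 'CN=joe,OU=staff,' + SEARCH_BASE, sAMAccountName: 'joe', password: 'joe-secret' },
  { dn: 'CN=Administrator,CN=Users,' + SEARCH_BASE, sAMAccountName: 'Administrator', password: 'admin-secret' },
];

// Escape an assertion value for an LDAP search filter (RFC 4515 section 3).
// The username comes from the browser; unescaped, a "*" or ")" in it changes
// what the filter means instead of being matched literally.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, (ch) =>
    '\\' + ch.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Step 1 filter: sAMAccountName for Active Directory, uid for other directories.
function buildUserFilter(username, attr) {
  return '(&(objectClass=user)(' + (attr || 'sAMAccountName') + '=' + escapeFilterValue(username) + '))';
}

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Mock server side: evaluate an assertion value the way a real server would,
// with an unescaped "*" as a wildcard and "\xx" as one literal byte.
// Active Directory compares sAMAccountName case-insensitively.
function assertionToRegExp(pattern) {
  let re = '^';
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    const hex = pattern.slice(i + 1, i + 3);
    if (ch === '*') {
      re += '.*';
    } else if (ch === '\\' && /^[0-9a-fA-F]{2}$/.test(hex)) {
      re += escapeRegExp(String.fromCharCode(parseInt(hex, 16)));
      i += 2;
    } else {
      re += escapeRegExp(ch);
    }
  }
  return new RegExp(re + '$', 'i');
}

// Mock subtree search from `base` with a filter of the shape buildUserFilter
// produces. Returns every matching entry, as a server would.
function mockSearch(base, filter) {
  const m = /^\(&\(objectClass=user\)\(sAMAccountName=(.*)\)\)$/.exec(filter);
  if (!m) throw new Error('mock server only evaluates buildUserFilter output');
  const matches = assertionToRegExp(m[1]);
  return DIRECTORY.filter((e) => e.dn.endsWith(base) && matches.test(e.sAMAccountName));
}

// Mock simple bind. The empty-password branch models the "unauthenticated
// bind" of RFC 4513 section 5.1.2: the server reports success without
// checking the password, so the caller must never let one through.
function mockBind(dn, password) {
  if (password === '') return true;
  const entry = DIRECTORY.find((e) => e.dn === dn);
  return Boolean(entry && entry.password === password);
}

// The two-step flow from the answer: search for the account name under the
// base, then bind as the DN that comes back. Returns a result object rather
// than printing so callers can check it.
function authenticateUser(username, password, search = mockSearch, bind = mockBind) {
  if (typeof password !== 'string' || password === '') {
    return { ok: false, reason: 'empty password refused' };
  }
  const entries = search(SEARCH_BASE, buildUserFilter(username));
  if (entries.length === 0) return { ok: false, reason: 'user not found' };
  if (entries.length > 1) return { ok: false, reason: 'ambiguous: ' + entries.length + ' matches' };
  const dn = entries[0].dn;
  if (!bind(dn, password)) return { ok: false, reason: 'bad password', dn: dn };
  return { ok: true, reason: 'authenticated', dn: dn };
}

console.log(authenticateUser('joe', 'joe-secret'));
console.log(authenticateUser('*', 'anything'));   // escaped: no account is literally "*"
console.log(authenticateUser('joe', ''));         // refused before any bind
```

In a real deployment the step-1 search runs under the application's own service credentials and only the final bind uses the user's DN and password. Feeding the mock the unescaped filter `(&(objectClass=user)(sAMAccountName=*))` returns both accounts, which is exactly the filter rewriting the escaping prevents, and why the exactly-one-match check is there as a second line of defence.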

#2


1  

(answer to my own question)

geoffc's answer was correct, and this is the working solution adapted to my Node.js app using the activedirectory npm module:

  var ActiveDirectory = require('activedirectory');

  // self.ADs maps a domain name to an ActiveDirectory instance built with the
  // module's documented options, e.g.
  //   new ActiveDirectory({ url: 'ldaps://dc.mydomain.private.net',
  //     baseDN: 'DC=mydomain,DC=private,DC=net',
  //     username: 'svc-ldap@mydomain.private.net', password: '...' })
  // The search runs under that service account; only the final bind uses the
  // user's own DN and password.
  function authenticateDomainUser(self, domain, username, password, cb) {
    // Refuse an empty password before touching the directory: a simple bind
    // with an empty password is an unauthenticated bind and can be reported
    // as success without the password ever being checked.
    if (!password) {
      cb(false, 'Empty password', void 0);
      return;
    }
    // First search for the user itself in the domain.
    // If successfully found, the findUser function
    // will return the full DN string, which is
    // subsequently used to properly query and authenticate
    // the user.
    var AD = self.ADs[domain];
    AD.findUser(username, function(err, user) {
      if (err) {
        cb(false, 'AD error on findUser', err);
        return;
      }
      if (!user) {
        cb(false, 'User does not exist', void 0);
        return;
      }
      AD.authenticate(user.dn, password, function(err, authenticated) {
        // Treat a bind error the same as a failed bind; the original
        // `authenticated == false` test let an undefined result through.
        if (err || !authenticated) {
          cb(false, err || 'Bad credentials', void 0);
          return;
        }
        cb(true, 'Authenticated', void 0);
      });
    });
  }
