84 changes: 84 additions & 0 deletions config.schema.json
Expand Up @@ -505,6 +505,90 @@
},
"required": ["type", "enabled", "oidcConfig"]
},
{
"title": "LDAP Auth Config",
"description": "Configuration for generic LDAP authentication using ldapts.",
"properties": {
"type": { "type": "string", "const": "ldap" },
"enabled": { "type": "boolean" },
"ldapConfig": {
"type": "object",
"description": "LDAP connection and search configuration.",
"properties": {
"url": {
"type": "string",
"description": "LDAP server URL, e.g. `ldap://ldap.example.com` or `ldaps://ldap.example.com`."
},
"bindDN": {
"type": "string",
"description": "DN of the service account used to search for users, e.g. `cn=admin,dc=example,dc=com`."
},
"bindPassword": {
"type": "string",
"description": "Password for the service account."
},
"searchBase": {
"type": "string",
"description": "Base DN for user searches, e.g. `ou=people,dc=example,dc=com`."
},
"searchFilter": {
"type": "string",
"description": "LDAP search filter template. Use `{{username}}` as a placeholder for the login username. e.g. `(uid={{username}})`."
},
"userGroupDN": {
"type": "string",
"description": "DN of the group a user must belong to in order to log in."
},
"adminGroupDN": {
"type": "string",
"description": "DN of the admin group. Members of this group are granted admin privileges."
},
"groupSearchBase": {
"type": "string",
"description": "Base DN for group membership searches. If omitted, each group's own DN (`userGroupDN` or `adminGroupDN`) is used as the search base."
},
"groupSearchFilter": {
"type": "string",
"description": "LDAP filter for group membership checks. Use `{{dn}}` as a placeholder for the user's DN. Defaults to `(member={{dn}})`."
},
"usernameAttribute": {
"type": "string",
"description": "LDAP attribute to use as the username. Defaults to `uid`."
},
"emailAttribute": {
"type": "string",
"description": "LDAP attribute for the user's email. Defaults to `mail`."
},
"displayNameAttribute": {
"type": "string",
"description": "LDAP attribute for the user's display name. Defaults to `cn`."
},
"titleAttribute": {
"type": "string",
"description": "LDAP attribute for the user's title. Defaults to `title`."
},
"starttls": {
"type": "boolean",
"description": "Use STARTTLS to upgrade an ldap:// connection to TLS. Defaults to false."
},
"tlsOptions": {
"type": "object",
"description": "Node.js TLS options passed to the ldapts client (e.g. `rejectUnauthorized`, `ca`)."
}
},
"required": [
"url",
"bindDN",
"bindPassword",
"searchBase",
"searchFilter",
"userGroupDN",
"adminGroupDN"
]
}
},
"required": ["type", "enabled", "ldapConfig"]
},
{
"title": "JWT Auth Config",
"description": "Configuration for JWT authentication.",
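Review bot: The `searchFilter` description at the `{{username}}` line says the login username is substituted into the filter but does not say it must be escaped first; if the strategy substitutes the raw value, filter metacharacters in a submitted username would alter the query (LDAP filter injection), so the contract should be stated. The same applies to `{{dn}}` in `groupSearchFilter`, since a DN read back from the directory may itself contain `(`, `)`, `*` or `\`. The ldapts strategy (`src/service/passport/ldap.ts`) is not in this diff, so whether escaping already happens is unverified; either way, suggest extending the description with `The value substituted for {{username}} is escaped per RFC 4515 before the search is issued.` and a matching sentence for `{{dn}}`. The `url` description also accepts `ldap://` while `starttls` defaults to false, which sends `bindPassword` in cleartext; a sentence in the `starttls` description recommending `ldaps://` or `starttls: true` for production would help. Consider adding `"minLength": 1` to the required string properties so an empty `url` or `bindDN` fails validation instead of failing at bind time.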
32 changes: 32 additions & 0 deletions package-lock.json


2 changes: 2 additions & 0 deletions package.json
Expand Up @@ -114,6 +114,7 @@
"history": "5.3.0",
"isomorphic-git": "^1.36.3",
"jsonwebtoken": "^9.0.3",
"ldapts": "^8.1.7",
"load-plugin": "^6.0.3",
"lodash": "^4.17.23",
"lusca": "^1.7.0",
Expand All @@ -124,6 +125,7 @@
"parse-diff": "^0.11.1",
"passport": "^0.7.0",
"passport-activedirectory": "^1.4.0",
"passport-custom": "^1.1.1",
"passport-local": "^1.0.0",
"perfect-scrollbar": "^1.5.6",
"react": "^16.14.0",
21 changes: 21 additions & 0 deletions proxy.config.json
Expand Up @@ -52,6 +52,27 @@
"password": ""
}
},
{
"type": "ldap",
"enabled": false,
"ldapConfig": {
"url": "",
"bindDN": "",
"bindPassword": "",
"searchBase": "",
"searchFilter": "",
"userGroupDN": "",
"adminGroupDN": "",
"groupSearchBase": "",
"groupSearchFilter": "(member={{dn}})",
"usernameAttribute": "uid",
"emailAttribute": "mail",
"displayNameAttribute": "cn",
"titleAttribute": "title",
"starttls": false,
"tlsOptions": {}
}
},
{
"type": "openidconnect",
"enabled": false,
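Review bot: `"groupSearchBase": ""` on the groupSearchBase line is an empty string rather than an omitted key, while the schema in this same PR says the fallback to the group's own DN applies only `If omitted`; if the strategy tests for `undefined` rather than for an empty value, this template would search from an empty base DN instead of falling back. The same ambiguity exists for the empty `searchBase` and `url`, though those are required and have to be filled in before `enabled` is set to true. Suggest dropping the `groupSearchBase` key from the template, or documenting in the schema description that an empty string is treated as omitted. The ldap strategy implementation is not in this diff, so which check it performs is unverified.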
50 changes: 49 additions & 1 deletion src/config/generated/config.ts
Expand Up @@ -190,6 +190,10 @@ export interface AuthenticationElement {
* Additional JWT configuration.
*/
jwtConfig?: JwtConfig;
/**
* LDAP connection and search configuration.
*/
ldapConfig?: LdapConfig;
[property: string]: any;
}

Expand Down Expand Up @@ -253,9 +257,32 @@ export interface OidcConfig {
[property: string]: any;
}

/**
* LDAP connection and search configuration.
*/
export interface LdapConfig {
url: string;
bindDN: string;
bindPassword: string;
searchBase: string;
searchFilter: string;
userGroupDN: string;
adminGroupDN: string;
groupSearchBase?: string;
groupSearchFilter?: string;
usernameAttribute?: string;
emailAttribute?: string;
displayNameAttribute?: string;
titleAttribute?: string;
starttls?: boolean;
tlsOptions?: { [key: string]: any };
[property: string]: any;
}

export enum AuthenticationElementType {
ActiveDirectory = 'ActiveDirectory',
Jwt = 'jwt',
Ldap = 'ldap',
Local = 'local',
Openidconnect = 'openidconnect',
}
Expand Down Expand Up @@ -811,6 +838,7 @@ const typeMap: any = {
{ json: 'userGroup', js: 'userGroup', typ: u(undefined, '') },
{ json: 'oidcConfig', js: 'oidcConfig', typ: u(undefined, r('OidcConfig')) },
{ json: 'jwtConfig', js: 'jwtConfig', typ: u(undefined, r('JwtConfig')) },
{ json: 'ldapConfig', js: 'ldapConfig', typ: u(undefined, r('LdapConfig')) },
],
'any',
),
Expand Down Expand Up @@ -844,6 +872,26 @@ const typeMap: any = {
],
'any',
),
LdapConfig: o(
[
{ json: 'url', js: 'url', typ: '' },
{ json: 'bindDN', js: 'bindDN', typ: '' },
{ json: 'bindPassword', js: 'bindPassword', typ: '' },
{ json: 'searchBase', js: 'searchBase', typ: '' },
{ json: 'searchFilter', js: 'searchFilter', typ: '' },
{ json: 'userGroupDN', js: 'userGroupDN', typ: '' },
{ json: 'adminGroupDN', js: 'adminGroupDN', typ: '' },
{ json: 'groupSearchBase', js: 'groupSearchBase', typ: u(undefined, '') },
{ json: 'groupSearchFilter', js: 'groupSearchFilter', typ: u(undefined, '') },
{ json: 'usernameAttribute', js: 'usernameAttribute', typ: u(undefined, '') },
{ json: 'emailAttribute', js: 'emailAttribute', typ: u(undefined, '') },
{ json: 'displayNameAttribute', js: 'displayNameAttribute', typ: u(undefined, '') },
{ json: 'titleAttribute', js: 'titleAttribute', typ: u(undefined, '') },
{ json: 'starttls', js: 'starttls', typ: u(undefined, true) },
{ json: 'tlsOptions', js: 'tlsOptions', typ: u(undefined, m('any')) },
],
'any',
),
AttestationConfig: o(
[{ json: 'questions', js: 'questions', typ: u(undefined, a(r('Question'))) }],
false,
Expand Down Expand Up @@ -981,6 +1029,6 @@ const typeMap: any = {
],
'any',
),
AuthenticationElementType: ['ActiveDirectory', 'jwt', 'local', 'openidconnect'],
AuthenticationElementType: ['ActiveDirectory', 'jwt', 'ldap', 'local', 'openidconnect'],
DatabaseType: ['fs', 'mongo'],
};
2 changes: 2 additions & 0 deletions src/service/passport/index.ts
Expand Up @@ -17,6 +17,7 @@
import passport, { type PassportStatic } from 'passport';
import * as local from './local';
import * as activeDirectory from './activeDirectory';
import * as ldap from './ldap';
import * as oidc from './oidc';
import * as config from '../../config';
import { AuthenticationElement } from '../../config/generated/config';
Expand All @@ -30,6 +31,7 @@ type StrategyModule = {
export const authStrategies: Record<string, StrategyModule> = {
local,
activedirectory: activeDirectory,
ldap,
openidconnect: oidc,
};
