From cb86d4cb7b85e6cbe024814caf868ea399a9db0b Mon Sep 17 00:00:00 2001
From: Julian Dax
Date: Wed, 20 Nov 2019 13:18:14 +0100
Subject: [PATCH 1/4] Add documentation for the LDAP auth module
---
 _includes/parse-server/third-party-auth.md | 53 ++++++++++++++++++++++
 1 file changed, 53 insertions(+)
diff --git a/_includes/parse-server/third-party-auth.md b/_includes/parse-server/third-party-auth.md
index b3b3a0ab0..87f8a9030 100644
--- a/_includes/parse-server/third-party-auth.md
+++ b/_includes/parse-server/third-party-auth.md
@@ -19,6 +19,7 @@ Parse Server supports 3rd party authentication with
 * vKontakte
 * WeChat
 * Weibo
+* LDAP
 Configuration options for these 3rd-party modules is done with the `auth` option passed to Parse Server:
@@ -293,6 +294,58 @@ Learn more about [PhantAuth](https://www.phantauth.net/).
 }
 ```
+### Configuring parse-server for LDAP
+
+The [LDAP](https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol) module can check if a
+user can authenticate (bind) with the given credentials. Optionally, it can also check if the user is in a certain group.
+This check is done using a user specified query, called an [LDAP Filter](https://ldap.com/ldap-filters/).
+The query should return all groups which the user is a member of. The `cn` attribute of the query results is compared to `groupCn`.
+
+To build a query which works with your LDAP server, you can use a LDAP client like [Apache Directroy Studio](https://directory.apache.org/studio/).
+
+
+```js
+{
+ "ldap": {
+ "url": "ldap://host:port",
+ "suffix": "the root of your LDAP tree",
+ "dn": "Bind dn. {{id}} is repalced with the id suppied in authData",
+ "groupCn": "Optional. A group which the user must be a member of.",
+ "groupFilter": "Optional. An LDAP filter for finding groups which the user is part of. {{id}} is replaced with the id supplied in authData."
+ }
+}
+```
+
+If either `groupCN` or `groupFilter` is not specified, the group check is not performed.
+
+Example Configuration (this works with the public LDAP test server hosted by Forumsys):
+```js
+{
+ "ldap": {
+ "url": "ldap://ldap.forumsys.com:389",
+ "suffix": "dc=example,dc=com",
+ "dn": "uid={{id}}, dc=example, dc=com",
+ "groupCn": "Chemists",
+ "groupFilter": "(&(uniqueMember=uid={{id}},dc=example,dc=com)(objectClass=groupOfUniqueNames))"
+ }
+}
+```
+
+authData:
+
+```js
+{
+ "authData": {
+ "ldap": {
+ "id": "user id",
+ "password": "password"
+ }
+ }
+}
+```
+
+
+
 ## Custom authentication
 It is possible to leverage the OAuth support with any 3rd party authentication that you bring in.
From b6e73443a6e74076c15841d4bc644208bf8f5d0c Mon Sep 17 00:00:00 2001
From: Julian Dax
Date: Wed, 20 Nov 2019 14:08:36 +0100
Subject: [PATCH 2/4] fix typo in LDAP auth module
Co-Authored-By: Tom Fox <13188249+TomWFox@users.noreply.github.com>
---
 _includes/parse-server/third-party-auth.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/_includes/parse-server/third-party-auth.md b/_includes/parse-server/third-party-auth.md
index 87f8a9030..f74ed6fc3 100644
--- a/_includes/parse-server/third-party-auth.md
+++ b/_includes/parse-server/third-party-auth.md
@@ -301,7 +301,7 @@ user can authenticate (bind) with the given credentials. Optionally, it can also
 This check is done using a user specified query, called an [LDAP Filter](https://ldap.com/ldap-filters/).
 The query should return all groups which the user is a member of. The `cn` attribute of the query results is compared to `groupCn`.
-To build a query which works with your LDAP server, you can use a LDAP client like [Apache Directroy Studio](https://directory.apache.org/studio/).
+To build a query which works with your LDAP server, you can use a LDAP client like [Apache Directory Studio](https://directory.apache.org/studio/).
 ```js
From 27d87f63eefd71f6cb52928b0d268fdcb6ae3c5a Mon Sep 17 00:00:00 2001
From: Julian Dax
Date: Thu, 21 Nov 2019 13:48:07 +0100
Subject: [PATCH 3/4] Remove line breaks and typo
I hope this resolves all issues
---
 _includes/parse-server/third-party-auth.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/_includes/parse-server/third-party-auth.md b/_includes/parse-server/third-party-auth.md
index f74ed6fc3..2e42d947f 100644
--- a/_includes/parse-server/third-party-auth.md
+++ b/_includes/parse-server/third-party-auth.md
@@ -303,13 +303,12 @@ The query should return all groups which the user is a member of. The `cn` attri
 To build a query which works with your LDAP server, you can use a LDAP client like [Apache Directory Studio](https://directory.apache.org/studio/).
-
 ```js
 {
 "ldap": {
 "url": "ldap://host:port",
 "suffix": "the root of your LDAP tree",
- "dn": "Bind dn. {{id}} is repalced with the id suppied in authData",
+ "dn": "Bind dn. {{id}} is replaced with the id suppied in authData",
 "groupCn": "Optional. A group which the user must be a member of.",
 "groupFilter": "Optional. An LDAP filter for finding groups which the user is part of. {{id}} is replaced with the id supplied in authData."
 }
@@ -319,6 +318,7 @@ To build a query which works with your LDAP server, you can use a LDAP client li
 If either `groupCN` or `groupFilter` is not specified, the group check is not performed.
 Example Configuration (this works with the public LDAP test server hosted by Forumsys):
+
 ```js
 {
 "ldap": {
From d4f1e734a8ad8bebb0d74d0b0f4e199eaccf1076 Mon Sep 17 00:00:00 2001
From: Julian Dax
Date: Thu, 21 Nov 2019 22:55:46 +0100
Subject: [PATCH 4/4] Delete line breaks
---
 _includes/parse-server/third-party-auth.md | 2 --
 1 file changed, 2 deletions(-)
diff --git a/_includes/parse-server/third-party-auth.md b/_includes/parse-server/third-party-auth.md
index 2e42d947f..8dfb3471f 100644
--- a/_includes/parse-server/third-party-auth.md
+++ b/_includes/parse-server/third-party-auth.md
@@ -344,8 +344,6 @@ authData:
 }
 ```
-
-
 ## Custom authentication
 It is possible to leverage the OAuth support with any 3rd party authentication that you bring in.