Copy ad-config.example and rename the copy to ad-config.js.
```js
const config = {
  // Route that receives the login request
  path: '/login',
  // ldap:// on port 389 is unencrypted unless StartTLS is negotiated
  url: 'ldap://de.XXXXX.ch:389',
  // Service account used to search the directory for the user entry
  bindDN: 'CN=adreader,OU=XXXX,DC=de,DC=XXXXX,DC=ch',
  bindCredentials: 'xsdsdsds',
  searchBase: 'DC=de,DC=XXXXX,DC=ch',
  // {{username}} is replaced with the name entered at login
  searchFilter: '(&(sAMAccountName={{username}})(memberOf=CN=XXXX-XXXX,OU=XXXX,DC=de,DC=XXXX,DC=ch))',
  errorMessages: {
    badRequestMessage: 'Missing credentials',
    invalidCredentials: 'Invalid username/password',
    userNotFound: 'Invalid username/password',
    constraintViolation: 'Exceeded password retry limit, account locked',
    invalidLogonHours: 'Not Permitted to login at this time',
    invalidWorkstation: 'Not permited to logon at this workstation',
    passwordExpired: 'Password expired',
    accountDisabled: 'Account disabled',
    accountExpired: 'Account expired',
    passwordMustChange: 'User must reset password',
    accountLockedOut: 'User account locked',
    noSuchObject: 'Bad search base'
  }
};

module.exports = config;
```
errorMessages: options for the messages returned for each possible authentication error
- [errorMessages.badRequestMessage] - 'Missing credentials' - Message for missing username/password
- [errorMessages.invalidCredentials] - 'Invalid username/password' - Message for InvalidCredentialsError, NoSuchObjectError, and /no such user/ LDAP errors
- [errorMessages.userNotFound] - 'Invalid username/password' - Message for user not found
- [errorMessages.constraintViolation] - 'Exceeded password retry limit, account locked' - Message when account is locked (or other constraint violation)
- [errorMessages.invalidLogonHours] - 'Not Permitted to login at this time' - Message for Windows AD invalidLogonHours error
- [errorMessages.invalidWorkstation] - 'Not permited to logon at this workstation' - Message for Windows AD invalidWorkstation error
- [errorMessages.passwordExpired] - 'Password expired' - Message for Windows AD passwordExpired error
- [errorMessages.accountDisabled] - 'Account disabled' - Message for Windows AD accountDisabled error
- [errorMessages.accountExpired] - 'Account expired' - Message for Windows AD accountExpired error
- [errorMessages.passwordMustChange] - 'User must reset password' - Message for Windows AD passwordMustChange error
- [errorMessages.accountLockedOut] - 'User account locked' - Message for Windows AD accountLockedOut error
- [errorMessages.noSuchObject] - 'Bad search base' - Bad search base in LDAP query
Examples of searchFilter values that allow authentication only for members of one AD group.

Match the login name against sAMAccountName:

```js
searchFilter: '(&(sAMAccountName={{username}})(memberOf=CN=OSIV-Ivdat,OU=OSIV,DC=de,DC=ivnet,DC=ch))',
```

Match the login name against userPrincipalName:

```js
searchFilter: '(&(userPrincipalName={{username}})(memberOf=CN=OSIV-Ivdat,OU=OSIV,DC=de,DC=ivnet,DC=ch))',
```

Match the login name against either userPrincipalName or sAMAccountName:

```js
searchFilter: '(&(|(userPrincipalName={{username}})(sAMAccountName={{username}}))(memberOf=CN=OSIV-Ivdat,OU=OSIV,DC=de,DC=ivnet,DC=ch))',
```
More LDAP Query Examples for AD here
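
The searchFilter values above are templates: the directory evaluates whatever string results once {{username}} is filled in, so the login name has to be escaped per RFC 4515 before substitution. The following is an added example, not code from this project; `escapeFilterValue` and `buildSearchFilter` are hypothetical helper names and the sample login names are constructed.

```javascript
// Added example: fill the {{username}} placeholder without letting the
// login name change the structure of the LDAP filter.

// RFC 4515: NUL, '(', ')', '*' and '\' inside an assertion value must be
// written as a backslash followed by the two-digit hex code of the byte.
function escapeFilterValue(value) {
  return String(value).replace(/[\0()*\\]/g, (ch) =>
    '\\' + ch.charCodeAt(0).toString(16).padStart(2, '0')
  );
}

// Replace every {{username}} occurrence with the escaped login name.
function buildSearchFilter(template, username) {
  if (typeof username !== 'string' || username.length === 0) {
    // Same text as errorMessages.badRequestMessage in the configuration.
    throw new Error('Missing credentials');
  }
  const escaped = escapeFilterValue(username);
  // split/join instead of String.replace: a string replacement would
  // interpret "$&", "$1" and similar sequences in the login name.
  return template.split('{{username}}').join(escaped);
}

// Filter taken from the examples above.
const template =
  '(&(|(userPrincipalName={{username}})(sAMAccountName={{username}}))' +
  '(memberOf=CN=OSIV-Ivdat,OU=OSIV,DC=de,DC=ivnet,DC=ch))';

// Constructed sample inputs: a plain login name and two names that
// contain filter metacharacters.
const samples = ['jdoe', 'j*doe', 'a)(b'];
for (const name of samples) {
  console.log(JSON.stringify(name), '->', buildSearchFilter(template, name));
}
```

With escaping in place, a name such as `j*doe` is compared literally instead of acting as a wildcard, and the memberOf clause stays part of the AND expression for every input.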