🔒 feature(auth): LDAP Authentication (#2859)

* 🔧 chore: npm install passport-ldapauth * ✨ feat(auth): add ldap authentication support * chore: merge conflict fix --------- Co-authored-by: Danny Avila <danny@librechat.ai>
2026-01-30 06:15:18 +01:00 · 2024-05-29 14:46:20 -07:00 · 2024-05-29 14:46:20 -07:00 · a618266905
commit a618266905
parent d5a7806e32
14 changed files with 303 additions and 3 deletions
--- a/api/models/schema/userSchema.js
+++ b/api/models/schema/userSchema.js
@ -64,6 +64,11 @@ const userSchema = mongoose.Schema(
      unique: true,
      sparse: true,
    },
+    ldapId: {
+      type: String,
+      unique: true,
+      sparse: true,
+    },
    githubId: {
      type: String,
      unique: true,
--- a/api/package.json
+++ b/api/package.json
@ -86,6 +86,7 @@
    "passport-github2": "^0.1.12",
    "passport-google-oauth20": "^2.0.0",
    "passport-jwt": "^4.0.1",
+    "passport-ldapauth": "^3.0.1",
    "passport-local": "^1.0.0",
    "pino": "^8.12.1",
    "sharp": "^0.32.6",
--- a/api/server/index.js
+++ b/api/server/index.js
@ -15,7 +15,7 @@ const AppService = require('./services/AppService');
 const noIndex = require('./middleware/noIndex');
 const { isEnabled } = require('~/server/utils');
 const { logger } = require('~/config');
-
+const { ldapLogin } = require('~/strategies');
 const routes = require('./routes');

 const { PORT, HOST, ALLOW_SOCIAL_LOGIN } = process.env ?? {};
@ -60,6 +60,11 @@ const startServer = async () => {
  passport.use(await jwtLogin());
  passport.use(passportLogin());

+  // LDAP Auth
+  if (process.env.LDAP_URL && process.env.LDAP_BIND_DN && process.env.LDAP_USER_SEARCH_BASE) {
+    passport.use(ldapLogin);
+  }
+
  if (isEnabled(ALLOW_SOCIAL_LOGIN)) {
    configureSocialLogins(app);
  }
--- a/api/server/middleware/index.js
+++ b/api/server/middleware/index.js
@ -6,6 +6,7 @@ const setHeaders = require('./setHeaders');
 const loginLimiter = require('./loginLimiter');
 const validateModel = require('./validateModel');
 const requireJwtAuth = require('./requireJwtAuth');
+const requireLdapAuth = require('./requireLdapAuth');
 const uploadLimiters = require('./uploadLimiters');
 const registerLimiter = require('./registerLimiter');
 const messageLimiters = require('./messageLimiters');
@ -29,6 +30,7 @@ module.exports = {
  setHeaders,
  loginLimiter,
  requireJwtAuth,
+  requireLdapAuth,
  registerLimiter,
  requireLocalAuth,
  validateEndpoint,
--- a/api/server/middleware/requireLdapAuth.js
+++ b/api/server/middleware/requireLdapAuth.js
@ -0,0 +1,22 @@
+const passport = require('passport');
+
+const requireLdapAuth = (req, res, next) => {
+  passport.authenticate('ldapauth', (err, user, info) => {
+    if (err) {
+      console.log({
+        title: '(requireLdapAuth) Error at passport.authenticate',
+        parameters: [{ name: 'error', value: err }],
+      });
+      return next(err);
+    }
+    if (!user) {
+      console.log({
+        title: '(requireLdapAuth) Error: No user',
+      });
+      return res.status(422).send(info);
+    }
+    req.user = user;
+    next();
+  })(req, res, next);
+};
+module.exports = requireLdapAuth;
--- a/api/server/routes/tests/config.spec.js
+++ b/api/server/routes/tests/config.spec.js
@ -25,6 +25,11 @@ afterEach(() => {
  delete process.env.DOMAIN_SERVER;
  delete process.env.ALLOW_REGISTRATION;
  delete process.env.ALLOW_SOCIAL_LOGIN;
+  delete process.env.LDAP_URL;
+  delete process.env.LDAP_BIND_DN;
+  delete process.env.LDAP_BIND_CREDENTIALS;
+  delete process.env.LDAP_USER_SEARCH_BASE;
+  delete process.env.LDAP_SEARCH_FILTER;
 });

 //TODO: This works/passes locally but http request tests fail with 404 in CI. Need to figure out why.
@ -50,6 +55,11 @@ describe.skip('GET /', () => {
    process.env.DOMAIN_SERVER = 'http://test-server.com';
    process.env.ALLOW_REGISTRATION = 'true';
    process.env.ALLOW_SOCIAL_LOGIN = 'true';
+    process.env.LDAP_URL = 'Test LDAP URL';
+    process.env.LDAP_BIND_DN = 'Test LDAP Bind DN';
+    process.env.LDAP_BIND_CREDENTIALS = 'Test LDAP Bind Credentials';
+    process.env.LDAP_USER_SEARCH_BASE = 'Test LDAP User Search Base';
+    process.env.LDAP_SEARCH_FILTER = 'Test LDAP Search Filter';

    const response = await request(app).get('/');

@ -64,6 +74,7 @@ describe.skip('GET /', () => {
      openidLoginEnabled: true,
      openidLabel: 'Test OpenID',
      openidImageUrl: 'http://test-server.com',
+      ldapLoginEnabled: true,
      serverDomain: 'http://test-server.com',
      emailLoginEnabled: 'true',
      registrationEnabled: 'true',
--- a/api/server/routes/auth.js
+++ b/api/server/routes/auth.js
@ -12,15 +12,24 @@ const {
  loginLimiter,
  registerLimiter,
  requireJwtAuth,
+  requireLdapAuth,
  requireLocalAuth,
  validateRegistration,
 } = require('../middleware');

 const router = express.Router();

+const ldapAuth =
+  !!process.env.LDAP_URL && !!process.env.LDAP_BIND_DN && !!process.env.LDAP_USER_SEARCH_BASE;
 //Local
 router.post('/logout', requireJwtAuth, logoutController);
-router.post('/login', loginLimiter, checkBan, requireLocalAuth, loginController);
+router.post(
+  '/login',
+  loginLimiter,
+  checkBan,
+  ldapAuth ? requireLdapAuth : requireLocalAuth,
+  loginController,
+);
 router.post('/refresh', refreshController);
 router.post('/register', registerLimiter, checkBan, validateRegistration, registrationController);
 router.post('/requestPasswordReset', resetPasswordRequestController);
--- a/api/server/routes/config.js
+++ b/api/server/routes/config.js
@ -13,6 +13,8 @@ router.get('/', async function (req, res) {
    return today.getMonth() === 1 && today.getDate() === 11;
  };

+  const ldapLoginEnabled =
+    !!process.env.LDAP_URL && !!process.env.LDAP_BIND_DN && !!process.env.LDAP_USER_SEARCH_BASE;
  try {
    /** @type {TStartupConfig} */
    const payload = {
@ -30,9 +32,10 @@ router.get('/', async function (req, res) {
        !!process.env.OPENID_SESSION_SECRET,
      openidLabel: process.env.OPENID_BUTTON_LABEL || 'Continue with OpenID',
      openidImageUrl: process.env.OPENID_IMAGE_URL,
+      ldapLoginEnabled,
      serverDomain: process.env.DOMAIN_SERVER || 'http://localhost:3080',
      emailLoginEnabled,
-      registrationEnabled: isEnabled(process.env.ALLOW_REGISTRATION),
+      registrationEnabled: !ldapLoginEnabled && isEnabled(process.env.ALLOW_REGISTRATION),
      socialLoginEnabled: isEnabled(process.env.ALLOW_SOCIAL_LOGIN),
      emailEnabled:
        (!!process.env.EMAIL_SERVICE || !!process.env.EMAIL_HOST) &&
--- a/api/strategies/index.js
+++ b/api/strategies/index.js
@ -5,6 +5,7 @@ const discordLogin = require('./discordStrategy');
 const facebookLogin = require('./facebookStrategy');
 const setupOpenId = require('./openidStrategy');
 const jwtLogin = require('./jwtStrategy');
+const ldapLogin = require('./ldapStrategy');

 module.exports = {
  passportLogin,
@ -14,4 +15,5 @@ module.exports = {
  jwtLogin,
  facebookLogin,
  setupOpenId,
+  ldapLogin,
 };
--- a/api/strategies/ldapStrategy.js
+++ b/api/strategies/ldapStrategy.js
@ -0,0 +1,67 @@
+const LdapStrategy = require('passport-ldapauth');
+const User = require('~/models/User');
+const fs = require('fs');
+
+const ldapOptions = {
+  server: {
+    url: process.env.LDAP_URL,
+    bindDN: process.env.LDAP_BIND_DN,
+    bindCredentials: process.env.LDAP_BIND_CREDENTIALS,
+    searchBase: process.env.LDAP_USER_SEARCH_BASE,
+    searchFilter: process.env.LDAP_SEARCH_FILTER || 'mail={{username}}',
+    searchAttributes: ['displayName', 'mail', 'uid', 'cn', 'name', 'commonname', 'givenName', 'sn'],
+    ...(process.env.LDAP_CA_CERT_PATH && {
+      tlsOptions: { ca: [fs.readFileSync(process.env.LDAP_CA_CERT_PATH)] },
+    }),
+  },
+  usernameField: 'email',
+  passwordField: 'password',
+};
+
+const ldapLogin = new LdapStrategy(ldapOptions, async (userinfo, done) => {
+  if (!userinfo) {
+    return done(null, false, { message: 'Invalid credentials' });
+  }
+
+  try {
+    const firstName = userinfo.givenName;
+    const familyName = userinfo.surname || userinfo.sn;
+    const fullName =
+      firstName && familyName
+        ? `${firstName} ${familyName}`
+        : userinfo.cn ||
+          userinfo.name ||
+          userinfo.commonname ||
+          userinfo.displayName ||
+          userinfo.mail;
+
+    const username = userinfo.givenName || userinfo.mail;
+    let user = await User.findOne({ email: userinfo.mail });
+    if (user && user.provider !== 'ldap') {
+      return done(null, false, { message: 'Invalid credentials' });
+    }
+    if (!user) {
+      user = new User({
+        provider: 'ldap',
+        ldapId: userinfo.uid,
+        username,
+        email: userinfo.mail || '',
+        emailVerified: true,
+        name: fullName,
+      });
+    } else {
+      user.provider = 'ldap';
+      user.ldapId = userinfo.uid;
+      user.username = username;
+      user.name = fullName;
+    }
+
+    await user.save();
+
+    done(null, user);
+  } catch (err) {
+    done(err);
+  }
+});
+
+module.exports = ldapLogin;