🔒 feature(auth): LDAP Authentication (#2859)

* 🔧 chore: npm install passport-ldapauth * ✨ feat(auth): add ldap authentication support * chore: merge conflict fix --------- Co-authored-by: Danny Avila <danny@librechat.ai>
2025-12-21 02:40:14 +01:00 · 2024-05-29 14:46:20 -07:00 · 2024-05-29 14:46:20 -07:00 · a618266905
commit a618266905
parent d5a7806e32
14 changed files with 303 additions and 3 deletions
--- a/api/strategies/ldapStrategy.js
+++ b/api/strategies/ldapStrategy.js
@ -0,0 +1,67 @@
+const LdapStrategy = require('passport-ldapauth');
+const User = require('~/models/User');
+const fs = require('fs');
+
+const ldapOptions = {
+  server: {
+    url: process.env.LDAP_URL,
+    bindDN: process.env.LDAP_BIND_DN,
+    bindCredentials: process.env.LDAP_BIND_CREDENTIALS,
+    searchBase: process.env.LDAP_USER_SEARCH_BASE,
+    searchFilter: process.env.LDAP_SEARCH_FILTER || 'mail={{username}}',
+    searchAttributes: ['displayName', 'mail', 'uid', 'cn', 'name', 'commonname', 'givenName', 'sn'],
+    ...(process.env.LDAP_CA_CERT_PATH && {
+      tlsOptions: { ca: [fs.readFileSync(process.env.LDAP_CA_CERT_PATH)] },
+    }),
+  },
+  usernameField: 'email',
+  passwordField: 'password',
+};
+
+const ldapLogin = new LdapStrategy(ldapOptions, async (userinfo, done) => {
+  if (!userinfo) {
+    return done(null, false, { message: 'Invalid credentials' });
+  }
+
+  try {
+    const firstName = userinfo.givenName;
+    const familyName = userinfo.surname || userinfo.sn;
+    const fullName =
+      firstName && familyName
+        ? `${firstName} ${familyName}`
+        : userinfo.cn ||
+          userinfo.name ||
+          userinfo.commonname ||
+          userinfo.displayName ||
+          userinfo.mail;
+
+    const username = userinfo.givenName || userinfo.mail;
+    let user = await User.findOne({ email: userinfo.mail });
+    if (user && user.provider !== 'ldap') {
+      return done(null, false, { message: 'Invalid credentials' });
+    }
+    if (!user) {
+      user = new User({
+        provider: 'ldap',
+        ldapId: userinfo.uid,
+        username,
+        email: userinfo.mail || '',
+        emailVerified: true,
+        name: fullName,
+      });
+    } else {
+      user.provider = 'ldap';
+      user.ldapId = userinfo.uid;
+      user.username = username;
+      user.name = fullName;
+    }
+
+    await user.save();
+
+    done(null, user);
+  } catch (err) {
+    done(err);
+  }
+});
+
+module.exports = ldapLogin;