I'm working on LDAP authentication / authorization flow in my Node.js app, and need to retrieve the OU to which a given user belongs.
The following code gets me the user, but when I inspect it, I do not see the OU:

    var express = require('express'),
        passport = require('passport'),
        bodyParser = require('body-parser'),
        LdapStrategy = require('passport-ldapauth');

    var opts = {
      server: {
        url: 'ldap://ldap.forumsys.com:389',            // Host + port
        bindDn: 'cn=read-only-admin,dc=example,dc=com', // user DN
        bindCredentials: 'password',                    // Password
        searchBase: 'dc=example,dc=com',                // Base DN
        searchFilter: '(uid={{username}})'
      }
    };

    var app = express();

    passport.use(new LdapStrategy(opts, function(user, done) {
      done(null, user);
    }));

    app.use(bodyParser.json());
    app.use(bodyParser.urlencoded({extended: false}));
    app.use(passport.initialize());

    app.post('/login', passport.authenticate('ldapauth', {session: false}), function(req, res) {
      var ou = req.user.distinguishedName;
      res.send({status: 'Hello ' + req.user.uid});
    });

    app.listen(8998);
Given this code, what is the proper way to retrieve the OU?
2 Answers

Answer 1
The issue is the LDAP server, not your code. If run against an Active Directory server, your code will return the full path to the object.
I tested both against your online test server, and an AD server.
From the comments on the forumsys site, it seems that to get the OU you would need to query the OU objects themselves for members. I don't think this is standard in most LDAP setups.
In this particular LDAP setup, the OUs are of type groupOfUniqueNames. Because of this, membership in the group is determined by the uniqueMember attributes that are present with each OU. To determine a user’s OU membership, you would have to scan each of the OUs and find a uniqueMember attribute containing the DN of the user you are looking for.
If you wish to look at this for yourself, please use Apache Directory Studio and the information provided above to review the setup.
Answer 2

You can retrieve the OU using the member, memberof or distinguishedName search criteria, supplying a specific user's DN in the query, which should resolve this.
From your code:
User's DN is:
cn=read-only-admin,dc=example,dc=com
So, your search filter can be member=user's DN or distinguishedName=user's DN:

    searchFilter: '(member=cn=read-only-admin,dc=example,dc=com)'
    searchFilter: '(distinguishedName=cn=read-only-admin,dc=example,dc=com)'
Don't have an LDAP AD to test the code but this should work.