Merge pull request #32 from shaozi/feature-29

allow return selected attributes of user details

LICENSE

@@ -1,6 +1,6 @@
 BSD 2-Clause License
 
-Copyright (c) 2021, shaozi
+Copyright (c) 2022, shaozi
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without

README.md

@@ -9,7 +9,7 @@ Make authentication with an LDAP server easy.
 
 ## Description
 
-This library use `ldapjs` as the underneath library. It has two modes of authentications:
+This library use `ldapjs` as the underneath library. It has three modes of authentications:
 
 1. **Admin authenticate mode**. If an admin user is provided, the library will login (ldap bind) with the admin user,
    then search for the user to be authenticated, get its DN (distinguish name), then use
@@ -24,7 +24,7 @@ This library use `ldapjs` as the underneath library. It has two modes of authent
    then does a search on the user and return the user's details.
 
 3. **Verify user exists**. If an `verifyUserExists : true` is provided, the library will login (ldap bind) with the admin user,
-      then search for the user to be verified. If the user exists, user details will be returned (without verifying the user's password).
+   then search for the user to be verified. If the user exists, user details will be returned (without verifying the user's password).
 
 ## Features
 
@@ -67,6 +67,7 @@ let authenticated = await authenticate({
   userSearchBase: 'dc=example,dc=com',
   usernameAttribute: 'uid',
   username: 'gauss',
+  attributes: ['dn', 'sn', 'cn'],
 })
 ```
 
@@ -76,7 +77,7 @@ let authenticated = await authenticate({
 let authenticated = await authenticate({
   ldapOpts: { url: 'ldap://ldap.forumsys.com' },
   userDn: 'uid=gauss,dc=example,dc=com',
-  verifyUserExists : true,
+  verifyUserExists: true,
   userSearchBase: 'dc=example,dc=com',
   usernameAttribute: 'uid',
   username: 'gauss',
@@ -156,7 +157,7 @@ auth()
 - `userDn`: The DN of the user to be authenticated. This is only needed if `adminDn` and `adminPassword` are not provided.
   Example: `uid=gauss,dc=example,dc=com`
 - `userPassword`: The password of the user
--  `verifyUserExists` : if `true` user existence will be verified without password
+- `verifyUserExists` : if `true` user existence will be verified without password
 - `userSearchBase`: The ldap base DN to search the user. Example: `dc=example,dc=com`
 - `usernameAttribute`: The ldap search equality attribute name corresponding to the user's username.
   It will be used with the value in `username` to construct an ldap filter as `({attribute}={username})`
@@ -168,6 +169,8 @@ auth()
 - `username`: The username to authenticate with. It is used together with the name in `usernameAttribute`
   to construct an ldap filter as `({attribute}={username})`
   to find the user and get user details in LDAP. Example: `some user input`
+- `attributes`: A list of attributes of a user details to be returned from the LDAP server.
+  If is set to `[]` or ommited, all details will be returned. Example: `['sn', 'cn']`
 - `starttls`: Boolean. Use `STARTTLS` or not
 - `groupsSearchBase`: if specified with groupClass, will serve as search base for authenticated user groups
 - `groupClass`: if specified with groupsSearchBase, will be used as objectClass in search filter for authenticated user groups

index.d.ts

@@ -21,12 +21,13 @@ declare module 'ldap-authentication' {
     groupMemberAttribute?: string
     groupMemberUserAttribute?: string
     userPassword?: string
+    attributes?: string[]
   }
-  
+
   export function authenticate(options: AuthenticationOptions): Promise<any>
-  
+
   export class LdapAuthenticationError extends Error {
     constructor(message: any)
     name: string
-  }  
+  }
 }

index.js

@@ -35,74 +35,75 @@ function _ldapBind(dn, password, starttls, ldapOpts) {
           resolve(client)
         })
       }
-    });
+    })
 
     //Fix for issue https://github.com/shaozi/ldap-authentication/issues/13
     client.on('timeout', (err) => {
-      reject(err);
-    });
+      reject(err)
+    })
     client.on('connectTimeout', (err) => {
-      reject(err);
-    });
+      reject(err)
+    })
     client.on('error', (err) => {
-      reject(err);
-    });
+      reject(err)
+    })
 
-    client.on('connectError', function(error){
+    client.on('connectError', function (error) {
       if (error) {
         reject(error)
         return
       }
-    });
-
-  });
+    })
+  })
 }
 
 // search a user and return the object
 async function _searchUser(
   ldapClient,
   searchBase,
   usernameAttribute,
-  username
+  username,
+  attributes = null
 ) {
   return new Promise(function (resolve, reject) {
     var filter = new ldap.filters.EqualityFilter({
       attribute: usernameAttribute,
       value: username,
     })
-    ldapClient.search(
-      searchBase,
-      {
-        filter: filter,
-        scope: 'sub',
-      },
-      function (err, res) {
-        var user = null
-        if (err) {
-          reject(err)
-          ldapClient.unbind()
-          return
-        }
-        res.on('searchEntry', function (entry) {
-          user = entry.object
-        })
-        res.on('searchReference', function (referral) {
-          console.log('referral: ' + referral.uris.join())
-        })
-        res.on('error', function (err) {
-          reject(err)
-          ldapClient.unbind()
-        })
-        res.on('end', function (result) {
-          if (result.status != 0) {
-            reject(new Error('ldap search status is not 0, search failed'))
-          } else {
-            resolve(user)
-          }
-          ldapClient.unbind()
-        })
+    let searchOptions = {
+      filter: filter,
+      scope: 'sub',
+      attributes: attributes,
+    }
+    if (attributes) {
+      searchOptions.attributes = attributes
+    }
+    ldapClient.search(searchBase, searchOptions, function (err, res) {
+      var user = null
+      if (err) {
+        reject(err)
+        ldapClient.unbind()
+        return
       }
-    )
+      res.on('searchEntry', function (entry) {
+        user = entry.object
+      })
+      res.on('searchReference', function (referral) {
+        console.log('referral: ' + referral.uris.join())
+      })
+      res.on('error', function (err) {
+        reject(err)
+        ldapClient.unbind()
+      })
+      res.on('end', function (result) {
+        if (result.status != 0) {
+          reject(new Error('ldap search status is not 0, search failed'))
+        } else {
+          resolve(user)
+        }
+        ldapClient.unbind()
+      })
+    })
   })
 }
 
@@ -164,7 +165,8 @@ async function authenticateWithAdmin(
   groupsSearchBase,
   groupClass,
   groupMemberAttribute = 'member',
-  groupMemberUserAttribute
+  groupMemberUserAttribute = 'dn',
+  attributes = null
 ) {
   var ldapAdminClient
   try {
@@ -181,7 +183,8 @@ async function authenticateWithAdmin(
     ldapAdminClient,
     userSearchBase,
     usernameAttribute,
-    username
+    username,
+    attributes
   )
   ldapAdminClient.unbind()
   if (!user || !user.dn) {
@@ -237,7 +240,8 @@ async function authenticateWithUser(
   groupsSearchBase,
   groupClass,
   groupMemberAttribute = 'member',
-  groupMemberUserAttribute
+  groupMemberUserAttribute = 'dn',
+  attributes = null
 ) {
   let ldapUserClient
   try {
@@ -254,7 +258,8 @@ async function authenticateWithUser(
     ldapUserClient,
     userSearchBase,
     usernameAttribute,
-    username
+    username,
+    attributes
   )
   if (!user || !user.dn) {
     ldapOpts.log &&
@@ -297,7 +302,8 @@ async function verifyUserExists(
   groupsSearchBase,
   groupClass,
   groupMemberAttribute = 'member',
-  groupMemberUserAttribute
+  groupMemberUserAttribute = 'dn',
+  attributes = null
 ) {
   var ldapAdminClient
   try {
@@ -314,7 +320,8 @@ async function verifyUserExists(
     ldapAdminClient,
     userSearchBase,
     usernameAttribute,
-    username
+    username,
+    attributes
   )
   ldapAdminClient.unbind()
   if (!user || !user.dn) {
@@ -406,7 +413,8 @@ async function authenticate(options) {
       options.groupsSearchBase,
       options.groupClass,
       options.groupMemberAttribute,
-      options.groupMemberUserAttribute
+      options.groupMemberUserAttribute,
+      options.attributes
     )
   }
   assert(options.userDn, 'adminDn/adminPassword OR userDn must be provided')
@@ -421,7 +429,8 @@ async function authenticate(options) {
     options.groupsSearchBase,
     options.groupClass,
     options.groupMemberAttribute,
-    options.groupMemberUserAttribute
+    options.groupMemberUserAttribute,
+    options.attributes
   )
 }