Virtual-LDAP is a service used to bridge any other account services to the LDAP protocol. With Virtual-LDAP, you can use existing account services (such as DingTalk) as an authorization service for many open source projects.
Virtual-LDAP has a provider architecture, so you can extend it with a custom provider to support any other account service, such as a database-based account service.
Virtual-LDAP is not a complete implementation of LDAP and currently only supports partial binding, search, and modification requests. All directory groups and users will be obtained from the provider.
The database used for Virtual-LDAP is used to store user passwords. Passwords will be hashed using SHA256 plus a salt value.
Virtual-LDAP using JavaScript to configure all settings, include DN, admins, database, provider and custom groups.
For every configuration items, see example config file below.
module.exports = {
ldap: {
// LDAP serve port, it is a insecure port, please connect with ldap://
listenPort: 1389,
// Base DN will be o=Example,dc=example,dc=com
// Groups base DN will be ou=Groups,o=Example,dc=example,dc=com
// Users base DN will be ou=People,o=Example,dc=example,dc=com
rootDN: 'dc=example,dc=com',
organization: 'Example',
// Default password for ldap user, Random password will be generated if not set
userPassword: 'userPass',
// Cronjob for sync from dingtalk(default every hour)
cronJob: '0 0 * * * *',
// Timezone for cronjob(default UTC+8 GMT+8 Asia/Shanghai China Standard Time)
timeZone: 'Asia/Shanghai',
// Admins who can search or modify directory
admins: [
{
// Bind DN will be cn=keycloak,dc=example,dc=com
commonName: 'keycloak',
password: 'keycloak',
// Can this admin modify user's password
canModifyEntry: true,
},
{
commonName: 'jenkins',
password: 'jenkins',
canModifyEntry: false,
},
]
},
// Database for storing users' password
database: {
type: 'mysql',
host: '127.0.0.1',
port: '23306',
user: 'root',
password: '123456',
database: 'vldap',
},
// Provider for providen account service, Create Apps by https://open-dev.dingtalk.com/fe/app#/corp/app
provider: {
name: 'dingtalk',
appKey: '__APPKEY__',
appSecret: '__APPSECRET__',
},
// Custom groups, base DN will be ou=CustomGroups,ou=Groups,o=Example,dc=example,dc=com
customGroups: [
{
// DN will be ou=Jenkins Admins,ou=CustomGroups,ou=Groups,o=Example,dc=example,dc=com
name: 'Jenkins Admins',
// User with these mails will be added to the group
members: [ '[email protected]' ],
}
]
}钉钉开放后台 -> 应用开发 -> 企业内部应用 -> 钉钉应用 -> 创建应用(类型:小程序,开发方式:企业自主研发)
基础信息 -> 应用信息 -> Copy AppKey and AppSecret
基础信息 -> 权限管理 -> 通讯录管理 -> grant readonly permission
For Virtual-LDAP using the above configuration file, the commonly used DNs are as follows.
Root DN
dc=example,dc=com
Search Directory Bind DN
cn=keycloak,dc=example,dc=com
Groups Base DN
ou=Groups,o=Example,dc=example,dc=com
Users Base DN
ou=People,o=Example,dc=example,dc=com
Custom Groups Base DN
ou=CustomGroups,ou=Groups,o=Example,dc=example,dc=com
Jenkins Admins DN
ou=Jenkins Admins,ou=CustomGroups,ou=Groups,o=Example,dc=example,dc=com
Typical User DN
[email protected],ou=People,o=Example,dc=example,dc=com
Typical User DN (Feishu)
samaccountname=user,ou=People,o=Example,dc=example,dc=com
Feishu provider parses enterprise email field, and if user has an enterprise email, the username of mail address will be used as sAMAccountName, otherwise the full mail address will be used.
Virtual-LDAP can run from source or run as a service in another project.
git clone https://github.com/ohdarling/virtual-ldap
cd virtual-ldap
npm startconst server = require('virtual-ldap');
server.setupVirtualLDAPServer(require("./config"));
server.runVirtualLDAPServer();MIT License