Class: LDAPAuthenticator
The LDAPAuthenticator authenticates users against an LDAP directory (an Active Directory domain in SudoSOS's deployment). The process involves a few design decisions, highlighted below.
LDAP Authentication Flow
- The user sends a request to the /authentication/LDAP endpoint.
- The Authentication Controller (AC) uses a dedicated bind user and bind password to establish a connection to the LDAP server. This service account only needs read access to search the directory; it does not authenticate end users.
- AC searches the LDAP server for the user.
- AC attempts to bind to the LDAP server as the found user, with the password supplied in the request.
- AC returns a 403 Forbidden error if the user is not found or the password is incorrect. Both failures produce the same response, so the endpoint does not reveal which usernames exist.
- AC returns a 200 OK response if the user is found in the LDAP server and the user bind succeeds.
If a user can log in but does not have a bound account in SudoSOS, one is created and bound (see AuthenticationService#LDAPAuthentication). Accounts are bound using the objectGUID of the AD user, which is saved in the database as the UUID of the LDAPAuthenticator entity (stored as raw bytes, hence the Buffer type below). The objectGUID does not change when an account is renamed or moved to another OU, so this UUID is the source of truth for which AD account a user is bound to, rather than the DN or login name. In the future it should remain the source of truth; for example, it should override any linked ids.
The following flowchart shows the LDAP authentication process.
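The flow and the objectGUID binding described above, as an added example that is not SudoSOS project code: the directory is an in-memory fake constructed here (the service-account DN, the users, their passwords and the synchronous bind/search API are all assumptions; real LDAP clients are asynchronous), and the local store mirrors the documented entity by keeping the UUID as a Buffer. It shows that an unknown user and a wrong password both produce 403, and that a renamed AD account still maps to the same SudoSOS user because the lookup is by objectGUID.

```typescript
// Added example, not SudoSOS code. Models the documented LDAP flow:
// service bind -> search -> user bind -> 403/200, then bind-by-objectGUID.
import { Buffer } from "node:buffer";

type LdapEntry = {
  dn: string;
  sAMAccountName: string;
  objectGUID: Buffer; // raw 16-byte AD objectGUID
  password: string;   // only the fake holds this; a real directory checks the bind itself
};

interface LdapClient {
  bind(dn: string, password: string): boolean;        // assumed synchronous API
  search(sAMAccountName: string): LdapEntry[];
}

// Local persistence shaped after the documented entity: UUID is a Buffer.
interface LDAPAuthenticatorRow { userId: number; UUID: Buffer }
interface Store { nextUserId: number; users: Map<number, string>; authenticators: LDAPAuthenticatorRow[] }

function createStore(): Store {
  return { nextUserId: 1, users: new Map(), authenticators: [] };
}

const SERVICE_DN = "CN=sudosos-bind,OU=Service,DC=example,DC=org"; // constructed
const SERVICE_PW = "bind-secret";                                   // constructed

// Constructed directory with two users. rename() lets the demo show that a
// changed DN/sAMAccountName does not break the objectGUID binding.
function fakeDirectory(): LdapClient & { rename(oldSam: string, newSam: string): void } {
  const entries: LdapEntry[] = [
    { dn: "CN=alice,OU=Users,DC=example,DC=org", sAMAccountName: "alice",
      objectGUID: Buffer.from("0123456789abcdef0123456789abcdef", "hex"), password: "correct horse" },
    { dn: "CN=bob,OU=Users,DC=example,DC=org", sAMAccountName: "bob",
      objectGUID: Buffer.from("fedcba9876543210fedcba9876543210", "hex"), password: "hunter2" },
  ];
  return {
    bind: (dn, pw) =>
      dn === SERVICE_DN ? pw === SERVICE_PW : entries.some((e) => e.dn === dn && e.password === pw),
    search: (sam) => entries.filter((e) => e.sAMAccountName === sam),
    rename: (oldSam, newSam) => {
      const e = entries.find((x) => x.sAMAccountName === oldSam);
      if (e) { e.sAMAccountName = newSam; e.dn = `CN=${newSam},OU=Users,DC=example,DC=org`; }
    },
  };
}

type LoginResult = { status: 200; userId: number } | { status: 403 };

function ldapLogin(client: LdapClient, store: Store, username: string, password: string): LoginResult {
  // 1. Service bind with the configured bind user. Failure is a deployment problem, not a user error.
  if (!client.bind(SERVICE_DN, SERVICE_PW)) throw new Error("LDAP bind user could not authenticate");

  // 2. Locate the user. Missing or ambiguous results are refused.
  const [entry] = client.search(username);
  if (!entry || client.search(username).length !== 1) return { status: 403 };

  // 3. Bind as the user with the supplied password. Same 403 as "not found",
  //    so the response does not tell a caller which check failed.
  if (!client.bind(entry.dn, password)) return { status: 403 };

  // 4. Look the local account up by objectGUID only, never by name or DN;
  //    create and bind one on first login (cf. AuthenticationService#LDAPAuthentication).
  let auth = store.authenticators.find((a) => a.UUID.equals(entry.objectGUID));
  if (!auth) {
    const userId = store.nextUserId++;
    store.users.set(userId, entry.sAMAccountName);
    auth = { userId, UUID: Buffer.from(entry.objectGUID) }; // own copy of the 16 bytes
    store.authenticators.push(auth);
  }
  return { status: 200, userId: auth.userId };
}

// Stand-alone run: first login creates the binding; a rename in AD keeps it.
function demo(): { first: LoginResult; wrongPw: LoginResult; unknown: LoginResult; afterRename: LoginResult; users: number } {
  const dir = fakeDirectory();
  const store = createStore();
  const first = ldapLogin(dir, store, "alice", "correct horse");
  const wrongPw = ldapLogin(dir, store, "alice", "wrong");
  const unknown = ldapLogin(dir, store, "mallory", "anything");
  dir.rename("alice", "alice.smith");
  const afterRename = ldapLogin(dir, store, "alice.smith", "correct horse");
  return { first, wrongPw, unknown, afterRename, users: store.users.size };
}

console.log(demo());
```

The fake keeps user passwords only so that bind() can be simulated; in a real deployment the directory verifies the user bind and the application never sees the password beyond forwarding it in that bind. Comparing Buffers with equals() rather than converting to strings avoids mismatches between different textual renderings of the same objectGUID.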
Extends
AuthenticationMethod
Constructors
Constructor
new LDAPAuthenticator(): LDAPAuthenticator;
Returns
LDAPAuthenticator
Inherited from
AuthenticationMethod.constructor
Properties
| Property | Modifier | Type | Description | Inherited from |
|---|---|---|---|---|
| createdAt | readonly | Date | The creation date of the object. | AuthenticationMethod.createdAt |
| updatedAt | readonly | Date | The last update date of the object. | AuthenticationMethod.updatedAt |
| user | public | User | The SudoSOS user this authenticator is bound to. | AuthenticationMethod.user |
| userId | public | number | Id of the bound SudoSOS user. | AuthenticationMethod.userId |
| UUID | public | Buffer | The objectGUID of the bound AD account, stored as raw bytes. | - |
| version | readonly | number | The current version of the object. | AuthenticationMethod.version |