Auth0 AD and LDAP connector
JavaScript CSS HTML PowerShell Other
Latest commit 0d3fda6 Jun 14, 2018
Permalink
Failed to load latest commit information.
admin Update form.ejs (#113) Apr 25, 2018
bin minor Sep 30, 2016
certs minor remove sample cert Oct 8, 2013
connector-setup fix troubleshooter issue with thumbprint Jun 14, 2018
installer exclude config.json.enc from the installer Mar 28, 2017
lib parseInt LDAP_NUMBER_OF_PARALLEL_BINDS May 9, 2018
public fix typo on installer banner Feb 18, 2016
test fix broken test May 22, 2018
views fix login page Oct 10, 2014
.gitignore fix add_certs on windows (#116) May 9, 2018
.jshintrc allow configuring the certs through env vars instead of files Mar 8, 2016
.travis.yml Update to node v8 (#114) Apr 23, 2018
CENTOS.md Adds support for custom CA in linux.Closes #41 Sep 16, 2016
LICENSE.rtf add license in rtf format for wix Feb 5, 2015
LICENSE.txt add license in rtf format for wix Feb 5, 2015
README.md Updated dependencies to fix snyk reports May 12, 2017
config.json.enc encrypt config.json Jan 18, 2018
endpoints.js Improve the troubleshooting of a kerberos deployment Apr 7, 2016
eventlog.js Merge branch 'custom-ca-linux' of https://github.com/CriGoT/ad-ldap-c… Jan 11, 2017
latency_test.js improve logs in windows Oct 31, 2014
npm-shrinkwrap.json 4.1.2 Jun 14, 2018
package.json 4.1.2 Jun 14, 2018
server.js adds option to use anonymous search when the directory supports it Aug 25, 2017
troubleshoot.cmd Troubleshooting tool Apr 8, 2015
troubleshoot.js fix troubleshooter issue with thumbprint Jun 14, 2018
update-connector.cmd Added update support to dashboard May 20, 2015
update-connector.ps1 Added update support to dashboard May 20, 2015
ws_validator.js Add password write-back (#105) Jan 18, 2018

README.md

Build Status

Auth0 AD/LDAP Connector

The AD/LDAP Connector (1), is a bridge between your Active Directory (2) and the Auth0 Service (3). It runs on Windows, Mac and Linux. This bridge is necessary because AD is typically locked down to your internal network, and Auth0 is as cloud service running on a completely different context.

You can install multiple instances of the connector for high availability and load balancing. Also, all connections are out-bound: from the connector to the Auth0 Server, so in general no changes to the firewall need to be applied.

Configuring an AD/LDAP connection in Auth0 requires two simple steps:

###1. Creating an AD/LDAP Connection in Auth0

The first step is creating a new Connection on the dashboard:

Connections > Enterprise > AD/LDAP

Name the connection and check whether you want Kerberos enabled for this connection. If you enable this, you need to enter the range of IP addresses from where Kerberos authentication will be enabled. These would typically be the intranet where Kerberos would work.

Save the configuration. You are done on the Auth0 side! You will then be prompted to download the AD/LDAP Connector on your machine.

We ship different versions of the Connector to install it on multiple platforms: Windows, Linux and OS X

Keep the TICKET URL at hand as you will need it later.

###2. Installing the AD/LDAP Connector

Auth0 AD LDAP Connector Setup (Windows Agent)

On Windows, the Connector is packaged as a standard installer file (MSI). Run it on the machine you want to install it and follow the installation wizard:

The AD/LDAP Connector in Windows is installed as a Service:

Once the installation is complete, you will see the following screen on a browser (notice that the browser is opening a page on the local machine).

Enter the TICKET URL that was generated in Step 1.

The Ticket URL uniquely identifies this connector in Auth0. Don't share it with anyone. The Connector will use this to communicate with Auth0 Server and automatically complete the configuration.

If successful, the next screen will allow you to enter your Active Directory connection parameters. Namely:

  • The LDAP Connection String (this is the network location of the server)
  • The Base DN
  • A Username and a Password

These are credentials used by the AD/LDAP Connector to authenticate itself with AD.

##3. Testing your new Active Directory/LDAP connection

Go back to your Auth0 Dashboard and you should see a green dot next to your Connection definition:

This signals that the AD/LDAP Connector is online and working. Click in Try to test the entire flow. If you configured Kerberos and testing this inside your network, your login will happen automatically.

If you didn't configure Kerberos or you are outside your intranet you will be prompted for credentials. After successful authentication you should see the test screen showing the user profile:

Notice the User profile includes the Groups a user belongs to in AD. This will include any nested groups (flattened list).

##4. High availability

High availability is achieved through multiple instances of the connector running simultaneously.

  1. Install the connector on the first machine and follow all the steps. Once you have the connection running with only one agent move to the next step.
  2. In the AD LDAP configuratino page click on Import / Export and then click Export. Keep a copy of the zip file.
  3. Install the connector on the second machine, when the browser opens and requests entering the Ticket URL, click on Import / Export.
  4. In the Import section select the file you downloaded from the first machine and click Upload.
  5. Repeat from step 3 to 4 for every node you want to configure.

Running behind a proxy

We discourage running the connector behind an http proxy.

If you still want to try it out behind a proxy you need an environment variable http_proxy or HTTP_PROXY set to http://my-proxy:8080.

Troubleshooting

If you always get invalid username or password, try to search a profile by password with the following command:

node -e "require('./lib/initConf'); var Users = require('./lib/users'); var users = new Users(); users._queue.push(function(){users.getByUserName('the-username-you-are-trying', function (err, user) { console.log(user); } ); });"

By default the connector search using this query LDAP (sAMAccountName={0}), you can override this in the config.json file:

	"LDAP_USER_BY_NAME": "(cn={0})",

If you get "Invalid Ticket" when configuring the connector for the first time, the most likely cause is a network issue (e.g. connector behind a proxy). Try connecting to https://{your tenant}.auth0.com/testall with a browser other than IE.

Issue Reporting

If you have found a bug or if you have a feature request, please report them at this repository issues section. Please do not report security vulnerabilities on the public GitHub issue tracker. The Responsible Disclosure Program details the procedure for disclosing security issues.

Author

Auth0

License

This project is licensed under the MIT license. See the LICENSE file for more info.