Created
April 24, 2017 19:09
-
-
Save Wsiegenthaler/1874384ca2877af43acf5794c6767101 to your computer and use it in GitHub Desktop.
ActiveDirectory Account Locked/Disabled/Expired
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var ActiveDirectory = require('activedirectory'); | |
| var ldap = require('ldapjs'); | |
| var lo = require('lodash'); | |
| var Promise = require('bluebird'); | |
| var ad = Promise.promisifyAll(new ActiveDirectory(...)); | |
| var userAccountFlags = [ | |
| { name: 'SCRIPT', code: 0x0001 }, | |
| { name: 'ACCOUNTDISABLE', code: 0x0002 }, | |
| { name: 'HOMEDIR_REQUIRED', code: 0x0008 }, | |
| { name: 'LOCKOUT', code: 0x0010 }, | |
| { name: 'PASSWD_NOTREQD', code: 0x0020 }, | |
| { name: 'PASSWD_CANT_CHANGE', code: 0x0040 }, | |
| { name: 'ENCRYPTED_TEXT_PWD_ALLOWED', code: 0x0080 }, | |
| { name: 'TEMP_DUPLICATE_ACCOUNT', code: 0x0100 }, | |
| { name: 'NORMAL_ACCOUNT', code: 0x0200 }, | |
| { name: 'INTERDOMAIN_TRUST_ACCOUNT', code: 0x0800 }, | |
| { name: 'WORKSTATION_TRUST_ACCOUNT', code: 0x1000 }, | |
| { name: 'SERVER_TRUST_ACCOUNT', code: 0x2000 }, | |
| { name: 'DONT_EXPIRE_PASSWORD', code: 0x10000 }, | |
| { name: 'MNS_LOGON_ACCOUNT', code: 0x20000 }, | |
| { name: 'SMARTCARD_REQUIRED', code: 0x40000 }, | |
| { name: 'TRUSTED_FOR_DELEGATION', code: 0x80000 }, | |
| { name: 'NOT_DELEGATED', code: 0x100000 }, | |
| { name: 'USE_DES_KEY_ONLY', code: 0x200000 }, | |
| { name: 'DONT_REQ_PREAUTH', code: 0x400000 }, | |
| { name: 'PASSWORD_EXPIRED', code: 0x800000 }, | |
| { name: 'TRUSTED_TO_AUTH_FOR_DELEGATION', code: 0x1000000 }, | |
| { name: 'PARTIAL_SECRETS_ACCOUNT', code: 0x04000000 } ]; | |
| var getCodeFor = lo.memoize(flag => (lo.find(userAccountFlags, f => f.name === flag) || { code: 0x0000 }).code); | |
| var flagged = (user, flag) => getCodeFor(flag) & Number.parseInt(user.userAccountControl || 0x0000); | |
| var authenticate = (username, password) => { | |
| return ad.findUserAsync(adOpts, username).then(user => { | |
| if (!user) throw new InvalidAccount(username); | |
| if (flagged(user, 'ACCOUNTDISABLE')) throw new AccountDisabled(username); | |
| if (flagged(user, 'LOCKOUT')) throw new AccountLocked(username); | |
| if (flagged(user, 'PASSWORD_EXPIRED')) throw new PasswordExpired(username); | |
| return ad.authenticateAsync(username, password).then(auth => user) | |
| .catchThrow(ldap.InvalidCredentialsError, new InvalidCredentials(username)) | |
| }).catch(ldap.ConnectionError, e => { | |
| throw new DirectoryOffline(e); | |
| }).catch(e => { | |
| throw new AuthenticationError(e); | |
| }) | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment