Starting with Verdaccio >= 6.1, we are facing the issue that the allow constraints on packages do not seem to work any longer when you authenticate via LDAP. The user is authenticated correctly against our LDAP server, but the specified packages in the configuration are not visible to him. When we change the constraint `access: $authenticated` to `access: $all`, the packages are listed as expected. It seems that Verdaccio does not consider the LDAP user as authenticated, but I have no idea why, because the user is logged in correctly. The issue occurs with Verdaccio >= 6.1; with the latest 6.0 release, which is currently version 6.0.5, this plugin works as expected.
Does Verdaccio 6.1 require a different plugin configuration or is there an incompatibility issue between this plugin and the latest Verdaccio release?
This is our Verdaccio configuration:
```yaml
# path to a directory with all packages
storage: /verdaccio/storage/data

web:
  # WebUI is enabled as default, if you want disable it, just uncomment this line
  enable: true
  title: mycompany node-registry
  primary_color: '#00538c'

auth:
  ldap:
    type: ldap
    cache:
      # max credentials to cache (default to 100 if cache is enabled)
      size: 100
      # cache expiration in seconds (default to 300 if cache is enabled)
      expire: 300
    client_options:
      url: '***REMOVED SENSITIVE VALUE***'
      # Only required if you need auth to bind
      adminDn: '***REMOVED SENSITIVE VALUE***'
      adminPassword: '***REMOVED SENSITIVE VALUE***'
      # Search base for users
      searchBase: '***REMOVED SENSITIVE VALUE***'
      searchFilter: '(&(ObjectClass=user)(sAMAccountName={{username}}))'
      # If you are using groups, this is also needed
      groupDnProperty: 'cn'
      groupSearchBase: '***REMOVED SENSITIVE VALUE***'
      # If you have memberOf support on your ldap
      searchAttributes: []
      # Else, if you don't (use one or the other):
      # groupSearchFilter: '(memberUid={{dn}})'
      # Optional
      reconnect: true
      tlsOptions:
        rejectUnauthorized: false

# a list of other known repositories we can talk to
uplinks:
  npmjs:
    url: 'https://registry.npmjs.org/'
    agent_options:
      keepAlive: true
      maxSockets: 40
      maxFreeSockets: 10

packages:
  '@mycompany/node-reg-info':
    access: $all
    publish:
      - myuser
  '@mycompany/*':
    # scoped packages
    access: $authenticated
    publish:
      - myuser
  'test-node':
    access: $authenticated
    publish:
      - myuser
  '**':
    # allow all users (including non-authenticated users) to read and
    # publish all packages
    #
    # you can specify usernames/groupnames (depending on your auth plugin)
    # and three keywords: "$all", "$anonymous", "$authenticated"
    #access: $all
    access: $authenticated
    # allow all known users to publish packages
    # (anyone can register by default, remember?)
    publish: N0nE
    # if package is not available locally, proxy requests to 'npmjs' registry
    proxy: npmjs

security:
  api:
    migrateToSecureLegacySignature: true

i18n:
  web: de-DE

http_proxy: 'http://proxy.mycompany.de:3128'
https_proxy: 'http://proxy.mycompany.de:3128'
no_proxy: '127.0.0.1,10.208.0.0/16,10.212.0.0/16,localhost,.mycompany.de,.local,.svc'

# To use `npm audit` uncomment the following section
middlewares:
  audit:
    enabled: true
  openmetrics:
    enabled: true
    collect_runtime: true
    collect_database: true
    collect_up: true

# log settings
log:
  type: stdout
  format: pretty-timestamped
  level: debug
```