vesse / passport-ldapauth

LDAP authentication strategy for Passport

got Unauthorized message but ldapsearch work

WillieOng-HK opened this issue · comments

Problem Description

I get an Unauthorized message, but ldapsearch works. The test LDAP server is Windows Server 2012.

I can get:
ldapsearch -x -H ldap://192.168.168.145:389 -b DC=abc,DC=local -D CN=Administrator,CN=Users,DC=abc,DC=local -w Abcd1234!

# extended LDIF
#
# LDAPv3
# base <CN=Users,DC=abc,DC=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# Users, abc.local
dn: CN=Users,DC=abc,DC=local
objectClass: top
objectClass: container
cn: Users
description: Default container for upgraded user accounts
distinguishedName: CN=Users,DC=abc,DC=local
instanceType: 4
whenCreated: 20200227040203.0Z
whenChanged: 20200227040203.0Z
uSNCreated: 5821
...

Steps to Reproduce

But when I try to use passport-ldap:

config.passportLdap = {
    server: {
      url: "ldap://192.168.168.145:389",
      bindDN: "CN=Administrator,CN=Users,DC=abc,DC=local",
      bindCredentials: "Abcd1234!",
      searchBase: "DC=abc,DC=local",
      // searchAttributes: ["displayName", "mail"],
      // searchFilter: "(uid={{username}})"
    }
};

I get this error message:

2020-03-02 16:41:29,727 WARN 5595 [-/::1/-/3216ms POST /passport/ldap] nodejs.AuthenticationError: Unauthorized
    at allFailed (/Users/Code/nodejs/gspj22/server/node_modules/passport/lib/middleware/authenticate.js:159:21)
    at attempt (/Users/Code/nodejs/gspj22/server/node_modules/passport/lib/middleware/authenticate.js:167:28)
    at Strategy.strategy.fail (/Users/Code/nodejs/gspj22/server/node_modules/passport/lib/middleware/authenticate.js:284:9)
    at Strategy.<anonymous> (/Users/Code/nodejs/gspj22/server/node_modules/passport-ldapauth/lib/passport-ldapauth/strategy.js:297:21)
    at /Users/Code/nodejs/gspj22/server/node_modules/ldapauth-fork/lib/ldapauth.js:405:14
    at /Users/Code/nodejs/gspj22/server/node_modules/ldapauth-fork/lib/ldapauth.js:335:14
    at EventEmitter.<anonymous> (/Users/Code/nodejs/gspj22/server/node_modules/ldapauth-fork/lib/ldapauth.js:281:16)
    at EventEmitter.emit (events.js:210:5)
    at sendResult (/Users/Code/nodejs/gspj22/server/node_modules/ldapjs/lib/client/client.js:1389:22)
    at messageCallback (/Users/Code/nodejs/gspj22/server/node_modules/ldapjs/lib/client/client.js:1421:16)
    at Parser.onMessage (/Users/Code/nodejs/gspj22/server/node_modules/ldapjs/lib/client/client.js:1089:14)
    at Parser.emit (events.js:210:5)
    at Parser.write (/Users/Code/nodejs/gspj22/server/node_modules/ldapjs/lib/messages/parser.js:111:8)
    at end (/Users/Code/nodejs/gspj22/server/node_modules/ldapjs/lib/messages/parser.js:66:19)
    at Parser.write (/Users/Code/nodejs/gspj22/server/node_modules/ldapjs/lib/messages/parser.js:112:10)
    at end (/Users/Code/nodejs/gspj22/server/node_modules/ldapjs/lib/messages/parser.js:66:19)
    at Parser.write (/Users/Code/nodejs/gspj22/server/node_modules/ldapjs/lib/messages/parser.js:112:10)
    at end (/Users/Code/nodejs/gspj22/server/node_modules/ldapjs/lib/messages/parser.js:66:19)
    at Parser.write (/Users/Code/nodejs/gspj22/server/node_modules/ldapjs/lib/messages/parser.js:112:10)
    at Socket.onData (/Users/Code/nodejs/gspj22/server/node_modules/ldapjs/lib/client/client.js:1076:22)
    at Socket.emit (events.js:210:5)
    at addChunk (_stream_readable.js:309:12)
name: "AuthenticationError"
message: "Unauthorized"
status: 401
pid: 5595

Are the users allowed to log onto the ldap server (in my case the domain controller)?
See my issue: #92

It appears that the only way to authenticate by ldap is giving the users permission to log on to the server. It appears that this library impersonates the user and tries to log on as a way to verify the credentials.

The Stack Overflow response appears to be the key:
https://stackoverflow.com/questions/21439030/passport-active-directory-node-js/30611120#30611120

Use the DN of the search result, together with user provided password, and bind against the LDAP server. This verifies the password.

Not much I can do about that, as the LDAP connection is handled by ldapjs. They have released a new major version, which I've taken into use in version 3.0.0. Maybe retry with the latest version.
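The search-then-bind sequence the comments above describe (service-account bind, search for the user's DN, then a bind as that DN with the user-supplied password) as an added example. This is not code from passport-ldapauth, ldapauth-fork or ldapjs; it is written against a minimal synchronous bind/search interface with a constructed in-memory directory standing in for the domain controller, so it runs offline. The option names mirror the issue's config. The filter attribute `sAMAccountName` is an assumption: the config in the issue leaves `searchFilter` commented out, and the commented value `(uid={{username}})` would look up `uid`, an attribute Active Directory accounts usually do not carry. The fake also refuses binds for entries flagged `disabled`, standing in for the "user not allowed to log on" case raised above.

```javascript
// Added example (not the project's code): search-then-bind against a minimal
// client interface.  Option names mirror the issue's config; the directory
// contents below are constructed.

// RFC 4515 escaping for values interpolated into a filter, so a username such
// as "*" or "x)(objectClass=*" cannot change the filter's meaning.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, (c) =>
    '\\' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Expand "{{username}}" in a template like "(sAMAccountName={{username}})".
function renderFilter(template, username) {
  return template.split('{{username}}').join(escapeFilterValue(username));
}

// Step 1: bind as the service account.  Step 2: search for the user's DN.
// Step 3: bind as that DN with the supplied password; success is the proof.
function authenticate(client, opts, username, password) {
  // An empty password would be an anonymous bind, which LDAP servers accept.
  if (!password) return { ok: false, reason: 'empty password' };
  try {
    client.bind(opts.bindDN, opts.bindCredentials);
  } catch (e) {
    return { ok: false, reason: 'service bind failed' };
  }
  const entries = client.search(opts.searchBase, renderFilter(opts.searchFilter, username));
  if (entries.length === 0) return { ok: false, reason: 'user not found' };
  if (entries.length > 1) return { ok: false, reason: 'ambiguous user' };
  const userDN = entries[0].dn;
  try {
    client.bind(userDN, password); // wrong password, or an account that may not bind
  } catch (e) {
    return { ok: false, reason: 'invalid credentials' };
  }
  return { ok: true, dn: userDN };
}

const escapeRegex = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Constructed in-memory stand-in for the domain controller.  bind() refuses
// wrong passwords and entries flagged "disabled"; search() supports a single
// equality filter and treats an unescaped "*" as a wildcard, as LDAP does.
class FakeLdapClient {
  constructor(entries) { this.entries = entries; }
  bind(dn, password) {
    const e = this.entries.find((x) => x.dn.toLowerCase() === dn.toLowerCase());
    if (!e || e.disabled || e.password !== password) throw new Error('InvalidCredentialsError');
  }
  search(base, filter) {
    const m = /^\((\w+)=(.*)\)$/.exec(filter);
    if (!m) throw new Error('unsupported filter: ' + filter);
    const [, attr, raw] = m;
    // "\xx" hex escapes become literal characters; a bare "*" becomes ".*".
    const pattern = raw.replace(/\\([0-9a-f]{2})|(\*)|([^\\*]+)/gi, (_, hex, star, lit) =>
      hex ? escapeRegex(String.fromCharCode(parseInt(hex, 16))) : star ? '.*' : escapeRegex(lit));
    const re = new RegExp('^' + pattern + '$', 'i');
    return this.entries
      .filter((e) => e.dn.toLowerCase().endsWith(base.toLowerCase()) && re.test(e[attr] || ''))
      .map((e) => ({ dn: e.dn, sAMAccountName: e.sAMAccountName }));
  }
}

const directory = new FakeLdapClient([
  { dn: 'CN=Administrator,CN=Users,DC=abc,DC=local', sAMAccountName: 'Administrator', password: 'svc-secret' },
  { dn: 'CN=Alice Example,CN=Users,DC=abc,DC=local', sAMAccountName: 'alice', password: 'alice-pw' },
  { dn: 'CN=Bob Example,OU=Staff,DC=abc,DC=local', sAMAccountName: 'bob', password: 'bob-pw', disabled: true },
]);

const ldapOptions = {
  bindDN: 'CN=Administrator,CN=Users,DC=abc,DC=local',
  bindCredentials: 'svc-secret',
  searchBase: 'DC=abc,DC=local',
  searchFilter: '(sAMAccountName={{username}})', // assumed attribute for AD
};

console.log(authenticate(directory, ldapOptions, 'alice', 'alice-pw')); // ok
console.log(authenticate(directory, ldapOptions, 'bob', 'bob-pw'));     // account refuses binds
console.log(authenticate(directory, ldapOptions, '*', 'anything'));     // escaped, no match
```

Every failure path in `authenticate` collapses to the same "Unauthorized" from the caller's point of view, which is why a failed service bind, a filter that matches no AD attribute, and an account that is not permitted to bind all look alike in the log above; logging the `reason` server-side (never to the client) is what tells them apart.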