auth0 / passport-windowsauth

Windows Authentication strategy for Passport.js
MIT License

"Non-integrated authentication" example / integration not working #52

Open Mika83AC opened 7 years ago

Mika83AC commented 7 years ago

Hello everyone,

I'm trying to get the non-integrated authentication example to work, but I'm still failing.

So I tried some different approaches and found https://www.npmjs.com/package/activedirectory which is working fine for me. Here is the relevant snippet from my activedirectory implementation:

router.post('/', function (req, res) {
   console.log('received login request');

   var ad = new ActiveDirectory({
      url: 'ldap://xxx.com',
      baseDN: 'dc=xxx,dc=com',
      username: req.body.username_reader + '@xxx.com', // user allowed to read the AD
      password: req.body.password_reader
   });

   ad.authenticate(req.body.username_login + '@xxx.com', // user to log in
            req.body.password_login,
            function(err, isAuthenticated) {
      if(err) {
         console.error(err);
         return res.sendStatus(500); // answer the request instead of throwing inside the async callback
      }
      if(isAuthenticated) {
         console.log('Authenticated!');
         res.sendStatus(200);
      } else {
         console.log('Failed to authenticate');
         res.sendStatus(401);
      }
   });
});

This works fine and the username_login user gets authenticated.

Now I'm trying the "same" with passport-windowsauth and I'm failing. No error is returned, but nothing else ever happens either. The app gets lost in the passport.use and function(profile, done) never gets called:

router.post('/', function (req, res) {
   console.log('received login request');

   passport.use(new WindowsStrategy({
      ldap: {
         url: 'ldap://xxx.com/dc=xxx,dc=com',
         base: 'dc=xxx,dc=com',
         bindDN: req.body.username_reader + '@xxx.com',
         bindCredentials: req.body.password_reader
      },
      integrated: false
   }, function(profile, done){
      console.log('Authenticated!');
   }));
});

Where is my mistake? I'm stuck figuring it out on my own...

Regards, Michael

cjmyles commented 7 years ago

This works for me:

passport.use(new WindowsStrategy({
  ldap: {
    url: 'ldap://xxx.com',
    base: 'DC=xxx,DC=com',
    bindDN: 'user@domain',      // account used to bind and search the directory
    bindCredentials: 'password'
  }
}, function(profile, done){
  console.log('Authenticated!');
  done(null, profile);          // hand the profile back to passport
}));

Mika83AC commented 7 years ago

As it is working for you, there seems to be a different implementation for accessing the AD than for example "activedirectory" is using, which is working for me.

Which library is passport-windowsauth using for accessing the AD?

cjmyles commented 7 years ago

Just one thing worth trying @Mika83AC - try removing the integrated: false line and see what happens. I'm sure this was causing issues for me too.

Mika83AC commented 7 years ago

Hm... makes no difference for me. The AD request runs forever, no timeout, no error, and the callback of new WindowsStrategy() never gets called.

As passport-windowsauth uses ldapjs, just as activedirectory does, it has to be an issue inside the passport-windowsauth implementation, I guess. Both use the same LDAP lib, but the outcome is different.

AdrianRodriguezLlave commented 6 years ago

LDAP uses the distinguishedName for authentication. The bindDN must be a distinguishedName. ActiveDirectory uses the sAMAccountName for authentication.

@cjmyles maybe this example works because the server allows anonymous authentication.

I've been several days trying to understand how LDAP works for auth and I did not find a way to authenticate directly with the sAMAccountName. There is a way if you find the distinguishedName with a search, but you need to authenticate first with a service account (an account that you create to read values). So you need to auth 2 times: first with the service account, find the DN, then auth with this DN and password.
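The two-step flow described in this last comment (bind as a service account, search the user's distinguishedName by sAMAccountName, then bind as that DN with the user's password), written out as an added example. This is not code from passport-windowsauth or from anyone in this thread. The directory client is an in-memory stand-in exposing the same two operations (bind, search) that a real client such as ldapjs provides, only synchronous; every DN, account name and password below is constructed sample data, and `authenticateBySamAccountName` is a hypothetical helper name.

```javascript
'use strict';

// In-memory stand-in for an LDAP client (constructed for this example).
// A real deployment would issue these as ldapjs bind/search calls.
class FakeLdapClient {
  constructor(entries) {
    this.entries = entries;   // [{ dn, sAMAccountName, password, displayName }]
    this.boundAs = null;      // DN of the currently bound identity
    this.bindLog = [];        // every bind attempt, for inspection
  }

  // Simple bind: succeeds only if the DN exists and the password matches.
  bind(dn, password) {
    this.bindLog.push(dn);
    const entry = this.entries.find(e => e.dn.toLowerCase() === dn.toLowerCase());
    if (!entry || entry.password !== password) {
      this.boundAs = null;
      throw new Error('InvalidCredentialsError');
    }
    this.boundAs = entry.dn;
  }

  // Search under `base` for one sAMAccountName. Anonymous searches are refused,
  // which is why the service-account bind has to come first.
  search(base, sAMAccountName) {
    if (!this.boundAs) throw new Error('anonymous search not allowed');
    return this.entries
      .filter(e => e.dn.toLowerCase().endsWith(base.toLowerCase()))
      .filter(e => e.sAMAccountName.toLowerCase() === sAMAccountName.toLowerCase())
      .map(({ dn, sAMAccountName, displayName }) => ({ dn, sAMAccountName, displayName }));
  }
}

// Hypothetical helper (not a passport-windowsauth API). Returns the user's
// profile on success and null on any authentication failure. A failing
// service-account bind is a configuration error and is left to throw.
function authenticateBySamAccountName(client, opts, username, password) {
  // An empty password must never reach the server: LDAP treats a DN with an
  // empty password as an anonymous (unauthenticated) bind, which "succeeds".
  if (!password) return null;

  // Step 1: bind with the service account that may read the directory.
  client.bind(opts.serviceDN, opts.servicePassword);

  // Step 2: resolve sAMAccountName -> DN; require exactly one match.
  // (With a real client, escape `username` before building the filter string.)
  const matches = client.search(opts.baseDN, username);
  if (matches.length !== 1) return null;
  const profile = matches[0];

  // Step 3: bind as the user's own DN with the supplied password.
  try {
    client.bind(profile.dn, password);
  } catch (err) {
    return null;
  }
  return profile;
}

// Constructed sample directory and settings.
function sampleClient() {
  return new FakeLdapClient([
    { dn: 'CN=svc-reader,OU=Service,DC=example,DC=com', sAMAccountName: 'svc-reader',
      password: 'reader-secret', displayName: 'Service Reader' },
    { dn: 'CN=Michael,OU=Users,DC=example,DC=com', sAMAccountName: 'michael',
      password: 'user-secret', displayName: 'Michael' },
  ]);
}

const SAMPLE_OPTS = {
  baseDN: 'DC=example,DC=com',
  serviceDN: 'CN=svc-reader,OU=Service,DC=example,DC=com',
  servicePassword: 'reader-secret',
};

// Runs the helper through the success path and three failure modes.
function demo() {
  const client = sampleClient();
  const ok = authenticateBySamAccountName(client, SAMPLE_OPTS, 'michael', 'user-secret');
  return {
    okDn: ok && ok.dn,
    badPassword: authenticateBySamAccountName(sampleClient(), SAMPLE_OPTS, 'michael', 'wrong'),
    unknown: authenticateBySamAccountName(sampleClient(), SAMPLE_OPTS, 'nobody', 'user-secret'),
    empty: authenticateBySamAccountName(sampleClient(), SAMPLE_OPTS, 'michael', ''),
    bindsForOk: client.bindLog.length,   // service bind + user bind = 2
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The empty-password check is the part most worth keeping when porting this to a real client: without it, a login form that posts a valid username and a blank password can get an anonymous bind that the server reports as successful.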