jeremycx / node-LDAP

LDAP binding for node.js
MIT License

Close? #78

Closed carrotcomputer closed 9 years ago

carrotcomputer commented 9 years ago

Hi,

Firstly - great framework. Most others assume a lot of LDAP knowledge, of which I have very little (at an engineering level!), and I've been able to do what has taken hours of work in the others.

I have successfully implemented findandbind with our AD server, but we are using this as part of an authentication call for our Mobile App API. All we need to do is verify that they can authenticate against the server and then find their user in our own database.

Once this is done, is there any way to close the connection? Or does this just happen once connecttimeout expires? If not, what happens if I call the exact same findandbind a second or third time? Right now, I get an "Operations Error" and have to manually restart the node app.

Thanks in advance!

jeremycx commented 9 years ago

I think you're running into problems because a bound connection (as a user) can't actually search the directory, due to server side view permissions. That's not a use case I considered (but it's a valid and very sensible configuration for your AD server - just different from how I do it).

So, when the previous user is done findandbind(), the connection is left in a state where it is still bound as that previous user, and then the find() part of findandbind() fails.

So, yeah, you could close() and reopen (though I haven't completed the close() code yet). This creates a new connection for every user you auth - not very efficient, especially if you're using TLS.

What I think I'm going to do is:

If you request a findandbind, the module will create a second connection, and use the initial connection for the find() portion, and only use the second connection for the bind() attempts. The find() connection will use the primary connection (which is likely to be bound as cn=admin or something "admin-ish") and the second connection will just do its thing doing bind attempts.

So that makes a marked difference between findandbind() and bind() -- bind() will actually bind the primary connection, where findandbind() will leave it alone.

Watch for the above in the next couple of days.

I'm a little worried about the "Operations Error" though -- I don't see that on my OpenLDAP installation if I bind twice as the same user. Can you do some testing and just be 100% sure this is an issue for AD?
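
The failure mode and the two-connection design discussed above, as an added illustration that is not node-LDAP code and does not use its API: a small in-memory stand-in for a directory server (constructed sample entries, with an admin account that may search and ordinary users who may only bind, mirroring the server-side view permissions mentioned in the thread) and a simulated connection that keeps one bind identity at a time. `findAndBindSingle` reuses one connection for search and bind, so after the first login the connection stays bound as that user and the next search is refused; `findAndBindTwoConnections` searches on the admin-bound primary connection and binds on a throwaway second connection, so the primary's identity never changes. All names, DNs, passwords and the error strings are assumptions for the demonstration.

```javascript
// Added example, not code from node-LDAP: simulated directory and connection
// to show why a single-connection findandbind() breaks on the second user
// and how a two-connection design avoids it.

// Constructed sample directory (assumed DNs and passwords). Only the admin
// identity has permission to search.
const DIRECTORY = {
  'cn=admin,dc=example,dc=com': { password: 'admin-secret', canSearch: true, uid: 'admin' },
  'uid=alice,ou=people,dc=example,dc=com': { password: 'alice-pw', canSearch: false, uid: 'alice' },
  'uid=bob,ou=people,dc=example,dc=com': { password: 'bob-pw', canSearch: false, uid: 'bob' },
};

// Simulated LDAP connection: one bind identity per connection, and each new
// bind replaces the previous one, as on a real connection.
class SimConnection {
  constructor() { this.boundAs = null; }

  bind(dn, password) {
    const entry = DIRECTORY[dn];
    if (!entry || entry.password !== password) {
      throw new Error('Invalid credentials');
    }
    this.boundAs = dn;
  }

  // Search is refused unless the currently bound identity may view the tree.
  // The message is an assumed stand-in for whatever the real server returns.
  search(filter) {
    if (!this.boundAs || !DIRECTORY[this.boundAs].canSearch) {
      throw new Error('search denied: bound identity has no view permission');
    }
    const m = /^\(uid=([^)]+)\)$/.exec(filter);
    if (!m) throw new Error('unsupported filter in this simulation');
    return Object.keys(DIRECTORY).filter((dn) => DIRECTORY[dn].uid === m[1]);
  }
}

// Single-connection findandbind: search, then bind as the found user, on the
// same connection. Works once; afterwards the connection is bound as that user.
function findAndBindSingle(conn, uid, password) {
  const [dn] = conn.search(`(uid=${uid})`);
  if (!dn) throw new Error('No such user');
  conn.bind(dn, password);
  return dn;
}

// Two-connection variant: the admin-bound primary connection only searches;
// the bind attempt goes to a fresh second connection, so the primary keeps
// its identity no matter how the bind turns out.
function findAndBindTwoConnections(primary, uid, password) {
  const [dn] = primary.search(`(uid=${uid})`);
  if (!dn) throw new Error('No such user');
  const authConn = new SimConnection();
  authConn.bind(dn, password);
  return dn;
}

// Run two successive logins through each approach and collect the outcomes.
function runScenario() {
  const results = {};

  const single = new SimConnection();
  single.bind('cn=admin,dc=example,dc=com', 'admin-secret');
  results.singleFirst = findAndBindSingle(single, 'alice', 'alice-pw');
  try {
    findAndBindSingle(single, 'bob', 'bob-pw');
    results.singleSecond = 'ok';
  } catch (e) {
    results.singleSecond = e.message; // the search fails: still bound as alice
  }
  results.singleBoundAs = single.boundAs;

  const primary = new SimConnection();
  primary.bind('cn=admin,dc=example,dc=com', 'admin-secret');
  results.twoFirst = findAndBindTwoConnections(primary, 'alice', 'alice-pw');
  results.twoSecond = findAndBindTwoConnections(primary, 'bob', 'bob-pw');
  results.twoBoundAs = primary.boundAs; // still the admin identity
  try {
    findAndBindTwoConnections(primary, 'bob', 'wrong-pw');
    results.twoBad = 'ok';
  } catch (e) {
    results.twoBad = e.message; // bad password is reported, primary untouched
  }
  return results;
}

console.log(runScenario());
```

The cost the thread mentions still applies: the two-connection design opens one extra connection per authentication attempt, which matters when the connection is over TLS. What it buys is that a failed or successful user bind can never leave the shared search connection in a state where the next find() is refused.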

jeremycx commented 9 years ago

OK, well, actually that was pretty easy (ignoring that I still don't have close() finished). Documenting and committing now.

jeremycx commented 9 years ago

All committed. Closing.