shaozi / ldap-authentication

🔐🔐🔐 A simple Nodejs Async LDAP authentication library
BSD 2-Clause "Simplified" License

TLS-Error messages should be passed along #44

Open a-gold opened 1 year ago

a-gold commented 1 year ago

Hi,

today I went through a tough debugging session due to meaningless error messages.

The scenario: I was only able to connect to a new domain controller via LDAPS from my local machine (running OS X). My Debian server, however, isn't able to connect and throws the following error message:

admin: {
    "code": "UNSPECIFIED"
}

Pretty expressive! :D

After checking credentials, environment vars, certificates, several server logs, network configuration / firewall traffic, etc., I copied the complete source code of this project and added logging messages till I finally got the cause:

EE certificate key too weak

My colleague who set up the domain controller used a certificate with a key length of 1024 bit - which is obviously bad. I guess OS X is handling this less strictly than Debian. (Well, it could also be caused by the env var NODE_ENV=production on the Debian machine. I don't know that detail for sure.) (I expect that it will work as soon as my colleague replaces the certificate.)

Nevertheless I'd prefer if the error messages thrown inside the client.on-callbacks in the _ldapBind function would be passed along somehow.

client.on('timeout', (err) => {
  reject(err);
});
client.on('connectTimeout', (err) => {
  reject(err);
});
client.on('error', (err) => {
  // Could print the meaningful error message here
  reject(err);
});

client.on('connectError', function (error) {
  if (error) {
    // And here
    reject(error);
    return;
  }
});

Thanks and have a nice day! :)

shaozi commented 1 year ago

Very detailed information. Thanks! I would like to add the details of the error. Can you let me know how you got the error "EE certificate key too weak"? Which part of the code has this information? I think my code directly rejects with ldapjs's error message and passes that all the way out, which is vague. Where did you get the more specific error message?

a-gold commented 1 year ago

Hi,

I could print the meaningful errors within these client.on-callbacks inside the _ldapBind function:

client.on('error', (err) => {
  // HERE
  reject(err);
});

and inside

client.on('connectError', (error) => {
  if (error) {
    // AND HERE
    reject(error);
    return;
  }
});

As I said, unfortunately it wasn't passed along - or it might have been overwritten later.

shaozi commented 1 year ago

Hmm... I tried different errors and all of them are passed to the caller as is. I don't think the error has a message field before the reject but loses it afterwards.

It is only my guess that your first error output may be incomplete, since the error code is unspecified. But if you print the error the same way as you log the error while you are debugging, it should have more detailed information.

shaozi commented 1 year ago

I will set up an environment with a 1024 bit key to try it out.

a-gold commented 1 year ago

Hm, I actually just logged the error variables err / error to the console; "EE certificate key too weak" was the full message.

We replaced the certificate in between and it's working now, so unfortunately I can't provide more information.
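Added example, not code from the ldap-authentication project or from either commenter: it shows one plausible reason the logged error came out as only `{"code": "UNSPECIFIED"}` (Node Error objects keep `message` non-enumerable, so a JSON.stringify-based log drops it; whether the original log was produced that way is an assumption), and one way the `_ldapBind` listeners could reject without losing the TLS detail. The client is a constructed stand-in; the error text is the one quoted in the issue.

```javascript
// Added example (not ldap-authentication's own code). Node keeps `message` and
// `stack` non-enumerable on Error, so JSON.stringify(err) shows only enumerable
// own fields such as `code`: one way the TLS detail can vanish from a log.
function serializeError(err) {
  if (!err) return undefined;
  return {
    name: err.name,
    code: err.code,
    message: err.message,
    cause: serializeError(err.cause),
  };
}

// Wrap the error received in a client.on handler so the original message is
// part of the new message (survives a naive JSON log) and the original error
// is kept as `cause` for callers that inspect it.
function wrapBindError(stage, err) {
  const detail = err && err.message ? err.message : 'no message';
  const wrapped = new Error(`LDAP ${stage} failed: ${detail}`);
  wrapped.code = (err && err.code) || 'UNSPECIFIED';
  wrapped.cause = err;
  return wrapped;
}

// Same listeners as the _ldapBind snippet in the issue, but rejecting with the
// wrapped error instead of the bare one.
function bindWithDetailedErrors(client, dn, password) {
  return new Promise((resolve, reject) => {
    for (const event of ['error', 'connectError', 'timeout', 'connectTimeout']) {
      client.on(event, (err) => reject(wrapBindError(event, err)));
    }
    client.bind(dn, password, (err) => (err ? reject(wrapBindError('bind', err)) : resolve()));
  });
}

// Constructed stand-in for an ldapjs client whose TLS handshake fails with the
// OpenSSL message quoted in the issue; not real ldapjs behaviour.
function fakeClientWithWeakCert() {
  const handlers = {};
  return {
    on(event, fn) { (handlers[event] = handlers[event] || []).push(fn); },
    bind() {
      const tlsErr = new Error('EE certificate key too weak'); // constructed
      tlsErr.code = 'UNSPECIFIED';                             // constructed
      (handlers.connectError || []).forEach((fn) => fn(tlsErr));
    },
  };
}
bindWithDetailedErrors(fakeClientWithWeakCert(), 'cn=admin,dc=example,dc=com', 'secret')
  .catch((err) => console.log(JSON.stringify(serializeError(err), null, 2)));
```

Logging `serializeError(err)` instead of the raw error keeps the OpenSSL message visible while still exposing the `code` the issue's output showed.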