Closed gothian closed 8 years ago
passport-ldapauth just passes the password to ldapauth-fork, which uses the password only for LDAP bind. If bind does not return an error then the user object is returned, but that is something these libraries are not in control of. I don't see how this could happen apart from you having a pretty insecure LDAP server, or a bug in ldapjs, which I doubt.
I'm not that good at LDAP, so it might be so. But have you tried it in your environment and confirmed that it's not the case? It might be ldapauth-fork that has a bug, or just me who cannot configure the LDAP server right 😛
Try e.g. this test server:
var LdapAuth = require('ldapauth-fork');

var opts = {
  // Public read-only test directory
  "url": "ldap://ldap.forumsys.com:389",
  // Account used for the initial search bind
  "bindDn": "cn=read-only-admin,dc=example,dc=com",
  "bindPassword": "password",
  "searchBase": "dc=example,dc=com",
  // {{username}} is substituted with the name passed to authenticate()
  "searchFilter": "(uid={{username}})"
};

var a = new LdapAuth(opts);

// Correct password for riemann is "password"; a wrong one must yield err, not user
a.authenticate('riemann', 'passwordxxx', function(err, user) {
  console.log(err, user);
  a.close();
});
You can also test your server with ldapsearch and see how it handles the password by binding with the DN of that user and Qwerty1 as the password. Using the example server and the example user riemann this would be:
ldapsearch \
-H ldap://ldap.forumsys.com:389 \
-x \
-D uid=riemann,dc=example,dc=com \
-w password \
-b dc=example,dc=com \
"(uid=riemann)"
Now if you set the password here to passwordxxx, the LDAP server returns ldap_bind: Invalid credentials (49).
I have tested your test code and it looks like it works well, and my "bug" cannot be reproduced. Looks like it is my LDAP server that works crappily. Thanks for the help, I found what was wrong. In my LDAP server, my users had crypt as the password hash scheme. I changed it to SHA and now it works as it is supposed to :)
If you have a user with password "Qwerty1" and send a password that is, let's say, "Qwerty1yidgfsdkfsdk", it will still return your user as long as you have your password first in the string.