vesse / passport-ldapauth

LDAP authentication strategy for Passport
MIT License

Got Unauthorized message but ldapsearch works #98

Closed WillieOng-HK closed 3 years ago

WillieOng-HK commented 4 years ago

Problem Description

I get an Unauthorized message but ldapsearch works; the test LDAP server is Windows Server 2012.

I can run ldapsearch -x -H ldap://192.168.168.145:389 -b DC=abc,DC=local -D CN=Administrator,CN=Users,DC=abc,DC=local -w Abcd1234! and get:

# extended LDIF
#
# LDAPv3
# base <CN=Users,DC=abc,DC=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# Users, abc.local
dn: CN=Users,DC=abc,DC=local
objectClass: top
objectClass: container
cn: Users
description: Default container for upgraded user accounts
distinguishedName: CN=Users,DC=abc,DC=local
instanceType: 4
whenCreated: 20200227040203.0Z
whenChanged: 20200227040203.0Z
uSNCreated: 5821
...

Steps to Reproduce

But when I try to use passport-ldapauth with

config.passportLdap = {
    server: {
      url: "ldap://192.168.168.145:389",
      bindDN: "CN=Administrator,CN=Users,DC=abc,DC=local",
      bindCredentials: "Abcd1234!",
      searchBase: "DC=abc,DC=local",
      // searchAttributes: ["displayName", "mail"],
      // searchFilter: "(uid={{username}})"
    }
};

I get this error message:

2020-03-02 16:41:29,727 WARN 5595 [-/::1/-/3216ms POST /passport/ldap] nodejs.AuthenticationError: Unauthorized
    at allFailed (/Users/Code/nodejs/gspj22/server/node_modules/passport/lib/middleware/authenticate.js:159:21)
    at attempt (/Users/Code/nodejs/gspj22/server/node_modules/passport/lib/middleware/authenticate.js:167:28)
    at Strategy.strategy.fail (/Users/Code/nodejs/gspj22/server/node_modules/passport/lib/middleware/authenticate.js:284:9)
    at Strategy.<anonymous> (/Users/Code/nodejs/gspj22/server/node_modules/passport-ldapauth/lib/passport-ldapauth/strategy.js:297:21)
    at /Users/Code/nodejs/gspj22/server/node_modules/ldapauth-fork/lib/ldapauth.js:405:14
    at /Users/Code/nodejs/gspj22/server/node_modules/ldapauth-fork/lib/ldapauth.js:335:14
    at EventEmitter.<anonymous> (/Users/Code/nodejs/gspj22/server/node_modules/ldapauth-fork/lib/ldapauth.js:281:16)
    at EventEmitter.emit (events.js:210:5)
    at sendResult (/Users/Code/nodejs/gspj22/server/node_modules/ldapjs/lib/client/client.js:1389:22)
    at messageCallback (/Users/Code/nodejs/gspj22/server/node_modules/ldapjs/lib/client/client.js:1421:16)
    at Parser.onMessage (/Users/Code/nodejs/gspj22/server/node_modules/ldapjs/lib/client/client.js:1089:14)
    at Parser.emit (events.js:210:5)
    at Parser.write (/Users/Code/nodejs/gspj22/server/node_modules/ldapjs/lib/messages/parser.js:111:8)
    at end (/Users/Code/nodejs/gspj22/server/node_modules/ldapjs/lib/messages/parser.js:66:19)
    at Parser.write (/Users/Code/nodejs/gspj22/server/node_modules/ldapjs/lib/messages/parser.js:112:10)
    at end (/Users/Code/nodejs/gspj22/server/node_modules/ldapjs/lib/messages/parser.js:66:19)
    at Parser.write (/Users/Code/nodejs/gspj22/server/node_modules/ldapjs/lib/messages/parser.js:112:10)
    at end (/Users/Code/nodejs/gspj22/server/node_modules/ldapjs/lib/messages/parser.js:66:19)
    at Parser.write (/Users/Code/nodejs/gspj22/server/node_modules/ldapjs/lib/messages/parser.js:112:10)
    at Socket.onData (/Users/Code/nodejs/gspj22/server/node_modules/ldapjs/lib/client/client.js:1076:22)
    at Socket.emit (events.js:210:5)
    at addChunk (_stream_readable.js:309:12)
name: "AuthenticationError"
message: "Unauthorized"
status: 401
pid: 5595

MarkusRissmann commented 4 years ago

Are the users allowed to log onto the ldap server (in my case the domain controller)? See my issue: https://github.com/vesse/passport-ldapauth/issues/92

It appears that the only way to authenticate by ldap is giving the users permission to log on to the server. It appears that this library impersonates the user and tries to log on as a way to verify the credentials.

The Stack Overflow response appears to hold the key: https://stackoverflow.com/questions/21439030/passport-active-directory-node-js/30611120#30611120

Use the DN of the search result, together with user provided password, and bind against the LDAP server. This verifies the password.
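
The search-then-bind flow described in the comment above, as an added example that is not code from passport-ldapauth, ldapjs or this thread. It runs against a constructed in-memory directory so it works offline; a real deployment makes the same two bind() calls and one search() call through an ldapjs client. InMemoryLdapClient, escapeFilterValue, searchAndBind, OPTS and the sample entries and secrets are this example's own assumptions. It also shows why a (uid={{username}}) filter fails against Active Directory, whose user objects carry sAMAccountName and normally no uid attribute, and why the username must be escaped before it is substituted into the filter.

```javascript
// Added example, not code from passport-ldapauth, ldapjs or this thread.
// Models search-then-bind against a constructed in-memory directory.

// Constructed sample directory. AD user objects carry sAMAccountName and
// normally have no uid attribute, so a (uid=...) filter finds nothing.
const DIRECTORY = [
  {
    dn: "CN=Administrator,CN=Users,DC=abc,DC=local",
    sAMAccountName: "Administrator",
    password: "constructed-service-secret",
  },
  {
    dn: "CN=Alice,CN=Users,DC=abc,DC=local",
    sAMAccountName: "alice",
    mail: "alice@abc.local",
    password: "constructed-user-secret",
  },
];

// RFC 4515 escaping for a value substituted into a search filter, so a
// username such as "alice)(mail=*" cannot rewrite the filter.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, (c) =>
    "\\" + c.charCodeAt(0).toString(16).padStart(2, "0"));
}

function unescapeFilterValue(value) {
  return value.replace(/\\([0-9a-fA-F]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// The fake server understands only one equality filter: "(attr=value)".
function parseEqualityFilter(filter) {
  const m = /^\(([A-Za-z][A-Za-z0-9-]*)=(.*)\)$/.exec(filter);
  if (!m) throw new Error("example server supports only (attr=value) filters");
  return { attr: m[1].toLowerCase(), value: unescapeFilterValue(m[2]) };
}

// Stand-in for an ldapjs client (assumption of this example): bind() and
// search() keep their LDAP meaning but are synchronous and backed by DIRECTORY.
class InMemoryLdapClient {
  constructor(entries) {
    this.entries = entries;
  }

  // An empty password would be an anonymous bind on a real server and must
  // never be mistaken for a successful user login.
  bind(dn, password) {
    if (!password) return false;
    const entry = this.entries.find((e) => e.dn.toLowerCase() === dn.toLowerCase());
    return Boolean(entry && entry.password === password);
  }

  search(base, filter) {
    const { attr, value } = parseEqualityFilter(filter);
    return this.entries
      .filter((e) => e.dn.toLowerCase().endsWith(base.toLowerCase()))
      .filter((e) => {
        const key = Object.keys(e).find((k) => k.toLowerCase() === attr);
        return key !== undefined && String(e[key]).toLowerCase() === value.toLowerCase();
      })
      .map(({ password, ...publicAttrs }) => publicAttrs); // never hand back secrets
  }
}

// 1. bind as the service account, 2. search for the user, 3. require exactly
// one hit, 4. bind as that DN with the user-supplied password.
function searchAndBind(client, opts, username, password) {
  if (!password) return { ok: false, reason: "empty password" };
  if (!client.bind(opts.bindDN, opts.bindCredentials)) {
    return { ok: false, reason: "service bind failed" };
  }
  const filter = opts.searchFilter.replace(/\{\{username\}\}/g, escapeFilterValue(username));
  const entries = client.search(opts.searchBase, filter);
  if (entries.length !== 1) {
    return { ok: false, reason: `expected one entry, found ${entries.length}`, filter };
  }
  const user = entries[0];
  if (!client.bind(user.dn, password)) {
    return { ok: false, reason: "user bind failed", dn: user.dn };
  }
  return { ok: true, dn: user.dn, user };
}

// Same shape as the passport-ldapauth server options, with an AD-style filter.
const OPTS = {
  bindDN: "CN=Administrator,CN=Users,DC=abc,DC=local",
  bindCredentials: "constructed-service-secret",
  searchBase: "DC=abc,DC=local",
  searchFilter: "(sAMAccountName={{username}})",
};

const demoClient = new InMemoryLdapClient(DIRECTORY);
console.log(JSON.stringify(searchAndBind(demoClient, OPTS, "alice", "constructed-user-secret")));
console.log(JSON.stringify(searchAndBind(demoClient, { ...OPTS, searchFilter: "(uid={{username}})" }, "alice", "constructed-user-secret")));
```

The second call reproduces the symptom in this issue: the service bind succeeds, the search returns zero entries because the filter asks for uid, and the strategy has no DN to bind as, so the result is a failure rather than a login. The first call, with sAMAccountName in the filter, finds the single entry and verifies the password by binding as that DN.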

vesse commented 3 years ago

Not much I can do about that, as the LDAP connection is handled by ldapjs. They have released a new major version, which I've taken into use in version 3.0.0. Maybe retry with the latest version.