LDAP binding error using node.js and ldapjs

I am trying to implement a basic LDAP bind with the following node.js code. Unfortunately, I keep getting a bind error with code 128. I looked online and did not find any references to code 128. The LDAP server I am connecting to is eDirectory. Does anyone have experience with this, or have you had similar problems? My versions are node v0.10.22 and ldapjs v0.7.1.

    var ldap = require('ldapjs');

    // Client configuration: connect over LDAPS (TLS) to the eDirectory server.
    var creds = {
        url: "ldaps://ldap.url.com:636",
        bindDN: "cn=ldap,o=com"
    };

    // Search options (declared here but not used below).
    var opts = {
        filter: "(cn=username)",
        scope: "sub"
    };

    // Bind with the given DN and password, then unbind and report the result.
    function authDN(client, dn, password, cb) {
        client.bind(dn, password, function (err) {
            client.unbind();
            cb(err === null, err);
        });
    }

    function output(res, err) {
        if (res) {
            console.log('success');
        } else {
            console.log(['Error', err.code, err.dn, err.message]);
        }
    }

    var client = ldap.createClient(creds);
    // Note: the first argument passed here is a search filter string, not a DN.
    authDN(client, '(cn=username)', 'password', output);
3 answers

This authenticated once I added the following to the top of my file:

 process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0"; 

I have not researched enough to know why this works, but I found the answer here: https://github.com/mikeal/request/issues/418


In general, when debugging an eDirectory problem, use iMonitor so you can look at DSTrace with the +LDAP option. This will show you what the LDAP server is sending back, which simplifies troubleshooting.


To expand on Kaiser's answer, the explanation of why adding process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0"; to the top of the code can work is at the top of this link: https://github.com/visionmedia/superagent/issues/205

Possible fixes:

  • Add process.env.NODE_TLS_REJECT_UNAUTHORIZED = 0; to the beginning of your script for node v0.10.x (and higher)
  • Configure a CA-signed certificate on the server instead of a self-signed one (requires server administrator rights and paying for a valid certificate)
  • Use the LDAP server IP or load-balancer IP instead of the DNS name for the url parameter.

Since you are using the secure protocol (ldaps:// instead of ldap://), and I assume you are connecting to a server with a self-signed certificate, you will get a failure on node v0.10.x (and possibly later versions) if the code/module you are using does not specifically set process.env.NODE_TLS_REJECT_UNAUTHORIZED to false.

NODE_TLS_REJECT_UNAUTHORIZED was changed to default to true. If you decide to set NODE_TLS_REJECT_UNAUTHORIZED to false, you open yourself up to more security risks, and I would advise doing this only on private networks at best, and never in production environments. Without going down the security rabbit hole, it is always better to use a CA-signed certificate. More information on the differences between certificates can be found here. It can also cause problems if your application is complex enough to make multiple connections to different secure servers where only some of them use self-signed certificates, as mentioned again in this link.

If the certificate is not self-signed, you probably should not be getting this error, so another potential solution is to install and use a trusted CA certificate on the LDAP server.

On the other hand, if you are using a plain, insecure ldap connection (not over TLS) and/or get this error only occasionally while at other times it passes, you should try setting the ldap url to the LDAP server's IP address or the load balancer's IP (and use port 3268 to allow searches across all domains). In larger network setups this avoids potential round-robin DNS lookups that sometimes point to a slow server or one you cannot reach.


Source: https://habr.com/ru/post/973466/
