LDAP Bind Error using node.js and ldapjs

Question

I am trying to implement a basic ldap bind with the following node.js file. Unfortunately, I keep getting a bind error with code 128. I looked online and found no references of code 128. The LDAP server I am trying to search is an eDirectory. Does anyone have any experience with this or have you had similar problems? My node version is v0.10.22 and my ldapjs version is v0.7.1

var ldap = require('ldapjs');

var creds = {
  url: "ldaps://ldap.url.com:636",
  bindDN: "cn=ldap,o=com"
};

var opts = {
  filter: "(cn=username)",
  scope: "sub"
};

function authDN(client, dn, password, cb) {
  client.bind(dn, password, function (err) {
    client.unbind();
    cb(err === null, err);
  });
}

function output(res, err) {
  if (res) {
    console.log('success');
  } else {
    console.log(['Error',err.code, err.dn, err.message ]);
  }
}

var client = ldap.createClient(creds);

authDN(client, '(cn=username)', 'password', output);

Answer 1

This authenticates when i added the following to the top of my file:

process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";

I haven't researched enough to know why this works but I found this answer here: https://github.com/mikeal/request/issues/418

Answer 2

In general when debugging an eDirectory issue, ask for access to iMonitor, so you can look at DStrace with the +LDAP option. That would show you what the LDAP server is sending back, making troubleshooting easier.

Answer 3

To augment Kaiser's answer, an explanation on why adding process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0"; to the code may work is found at the top of this link: https://github.com/visionmedia/superagent/issues/205.

Potential fixes:

• Add process.env.NODE_TLS_REJECT_UNAUTHORIZED = 0; to the top of your script for node v0.10.x (and above)
• Setup a trusted CA certificate on the server instead of a self-signed certificate (must have server admin rights and pay for a valid cert)
• Use the LDAP server IP or load balancer IP instead of dns for the url parameter.

Because you are using the secure protocol (ldaps:// instead of ldap://), and I'm assuming you are trying to connect to a server with a self-signed certificate, you will get a failure if using node v0.10.x (and probably all later versions as well) and the code/module you are using doesn't specifically set the process.env.NODE_TLS_REJECT_UNAUTHORIZED to false.

NODE_TLS_REJECT_UNAUTHORIZED was changed to true by default for a reason. If you choose to set NODE_TLS_REJECT_UNAUTHORIZED to false, you are opening up more security risks, and I would advise only doing this on private networks at best, and never in production environments. Without going down a security discussion rabbit hole, it's always best to use a cert signed by a CA. More info on the differences on certs can be found here. This can also cause problems if your application is robust enough to make multiple connections to various secured servers where only some use self signed certs, again mentioned in this link.

If the cert wasn't self-signed, you most likely shouldn't be getting this error, so another potential fix is to setup and use a trusted CA Certificate on the LDAP server instead.

On the other hand, if you are using a normal, non-secure ldap connection (not through TLS), and/or you get this error only occasionally while other times it goes through, you should try setting the ldap url to the LDAP server IP or load balancer IP (and use port 3268 to allow searching in all domains). In larger network setups this will avoid potential round robin dns queries that sometimes point you to a slow server or one you can't route to.