Failed LDAP authentication using passport-ldapauth on Node.js

Question

Hi I'm new to openldap and nodejs. I'm trying to create openldap authentication and use a simple node app to test that authentication against the local ldap server.

My understanding is that I can create the ldap server and add all the users in Apache Directory Studio. Then write a simple node app with the same configuration as the ldap server. Using postman to send the authentication requests, and I should be able to get the authorized results. Pls correct me if I'm wrong.

Below are the steps I took:

I used Apache Directory Studio to set up a ldap server locally.
Then I tried to set up a simple nodejs app (code is shown below).
When I used Postman to send an authentication request with some user that I set up previously using Apache Directory Studio, but I kept getting error Unauthorized.
I believe I can hit the node app with my postman calls, because I am able to get that "Unauthorized" response with a username and password that exists in Apache Studio. But the node app is not working with / hooked up with the Ldap server set up by Apache Directory Studio, because I can change the server fields in the node code to completely different from the ldap server but still able to get the unauthorized response in postman. I probably don't have a full understanding of the ldap servers and maybe the node app and the ldap server are completely separate as is? Or this should work it's just something wrong with my code?

Below is my most recent code:

var express      = require('express'),
    passport     = require('passport'),
    bodyParser   = require('body-parser'),
    LdapStrategy = require('passport-ldapauth'),
    basicAuth = require('basic-auth')

var OPTS = {
  server: {
    url: 'ldap://localhost:389',
    bindDN: 'cn=admin,ou=users,dc=contoso,dc=com',
    bindCredentials: 'P@ss1W0Rd!',
    searchBase: 'ou=users,dc=contoso,dc=com',
    searchFilter: '(uid={{Username}})'
  },
  credentialsLookup: basicAuth
  // ,
  // usernameField: user,
  // passwordField: pass
};

var app = express();

passport.use(new LdapStrategy(OPTS));

app.use(bodyParser.json());
app.use(bodyParser.urlencoded({extended: false}));
app.use(passport.initialize());

app.post('/login', passport.authenticate('ldapauth', {session: false}), function(req, res) {
  res.send({status: 'ok'});
});

app.listen(8080);

Here's the user I have been trying to authenticate:


dn: cn=Aaron Painter,ou=users,dc=contoso,dc=com
objectClass: top
objectClass: posixAccount
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
cn: Aaron Painter
gidNumber: 70051
homeDirectory: /home/aaronp
sn: Painter
uid: aaronp
uidNumber: 70050
displayName: Aaron Painter
givenName: Aaron
mail: aaronp@contoso.com
manager: cn=Christine Koch,ou=users,dc=contoso,dc=com
telephoneNumber: (212) 555-8335
title: Strategy Consulting Manager
userPassword: AAA

Here's the postman call I used: postman call

Here's the log shown in the server:

contosoOpenLdap | 5d9b8107 conn=1062 fd=19 ACCEPT from IP=172.17.0.1:47712 (IP=0.0.0.0:389)
contosoOpenLdap | 5d9b8107 conn=1063 fd=20 ACCEPT from IP=172.17.0.1:47714 (IP=0.0.0.0:389)
contosoOpenLdap | 5d9b8107 conn=1063 op=0 BIND dn="cn=admin,ou=users,dc=contoso,dc=com" method=128
contosoOpenLdap | 5d9b8107 conn=1063 op=0 RESULT tag=97 err=49 text=
contosoOpenLdap | 5d9b8107 conn=1063 op=1 UNBIND
contosoOpenLdap | 5d9b8107 conn=1063 fd=20 closed

The error code 49 means that there's an incorrect DN or password. But the config seems correct to me.

Pls help thanks.

EricLavault · Accepted Answer · 2019-10-04T12:46:04.333

1

There are 3 things to fix (provided that your credentials are correct) :

The search filter syntax is wrong, you shouldn't pass the password in it
Use a full dn for searchBase (not a rdn)
Either you grab credentials from the request via a credentialsLookup, either you set usernameField and passwordField.

For example, keeping the same username attribute and search base with the proper syntax :

searchBase: 'ou=users,dc=contoso,dc=com',
searchFilter: '(cn={{Username}})'

This should work for authenticating users with the following dn pattern :

cn=<username>,<searchBase>  =>  cn=foo,ou=users,dc=contoso,dc=com

The above is based on your previous config, but one still can't guess what a user dn looks like in your directory without further details. Simply note that manager account (bindDN) and regular users usually don't share the same dn pattern/structure, and the username attribute cn in your filter may be wrong.

That said, it's pretty obvious to determine the dn structure given a user entry dn string, for example if username attribute is uid and user base is located under ou=people :

dn: uid=foo,ou=people,dc=contoso,dc=com
=> searchBase: 'ou=people,dc=contoso,dc=com'
=> searchFilter: '(uid={{Username}})'

Now if you decide to pass credentials via the request body, usernameField and passwordField should be set according to, eg. with the following body { "user": "test", "pass": "test" }, you would set :

    //credentialsLookup: basicAuth,
    usernameField: user,
    passwordField: pass

But if you prefer to set credentials via an authorization header, then you use credentialsLookup with the desired auth type, and set it in the Authorization tab in Postman.

Note that if you set both credentialsLookup and the other two fields, then credentialsLookup wins even if the lookup fails (no fallback possible).

edited Oct 04 '19 at 12:46

answered Oct 03 '19 at 15:46

EricLavault

12,130
3
23
45

Hi Eric thank you so much for your response. I tried your way and it didn't work. I have updated my post to include more details. Basically my current understanding is that I can create the ldap server and add all the users in Apache Directory Studio. Then write a simple node app with the same configuration as the ldap server. Using postman to send the authentication requests, and I should be able to get the authorized results. Pls correct me if I'm wrong. – lhty24 Oct 03 '19 at 18:20
That's right. I edited my answer so you can go further but it would be easier with a sample user entry and logs. – EricLavault Oct 04 '19 at 12:42
Hi Eric thanks again for your quick reply. I have made the changes and though I haven't got it right I think I'm close. I have included more details about what I'm trying to do. From the log it seems it's complaining about bad dn or credential but I couldn't figure out how to fix it. Any ideas? I really appreciate it. – lhty24 Oct 07 '19 at 18:22
Yes this means your binding credentials are wrong.. I suggest you use `[ldapsearch](https://linux.die.net/man/1/ldapsearch)` command to test your ldap settings before anything, it will be much faster to obtain the correct settings - this applies for every use case in which LDAP comes into play - though nobody can guess your credentials, you need to dig into slapd config searching for `rootdn` and `rootpw`. This doesn't change in anyway the answer, consider upvoting/accepting it if you find it helpful, thanks. – EricLavault Oct 08 '19 at 08:36
Here is how you would test your settings, the goal 1. is to test the binding and retrieve an entry to authenticate : `ldapsearch -x -D cn=admin,ou=users,dc=contoso,dc=com -W -b ou=users,dc=contoso,dc=com "(&(cn=Aaron Painter)(objectClass=person))"` – EricLavault Oct 08 '19 at 08:37

Failed LDAP authentication using passport-ldapauth on Node.js

1 Answers1