
My company has an LDAP server. I am trying to test the LDAP connection using Node.js with the ldapjs module. I just want to test the connection in the first place, so no search function is included.

Here is the code:

exports.authenticate = function(req, res){
  var ldap = require('ldapjs');
  var username = req.body.username;
  var password = req.body.password;

  var client = ldap.createClient({
    url: 'LDAP://192.168.3.220/'
  });

  // Simple bind with whatever the request supplied; the password is
  // passed to the server as-is, even when it is empty.
  client.bind(username, password, function (err) {
    if(err){
      res.send(err);
    }else{
      res.send('login');
    }
  });
};

When I input the correct username and password, it sends back "login", which is expected. When I input the correct username but a wrong password, it sends back the err object, which is also expected.

Here is the problem: when I input a valid username or an invalid username (such as "fjdkfjdklsjfsjd") without a password, it also sends back "login", which is abnormal.

I am new to LDAP and ldapjs, so it might be just a simple mistake, but I could not figure it out. Please help.


For binding, you need to pass the DN and the password associated with an entry in the LDAP directory, not directly the username / password.

So make a basic anonymous search, grab the DN from the result, and then try a bind with that DN and the password the user entered.

// Runs inside the authenticate handler from the question, so `ldap`,
// `client`, `username`, `password` and `res` are already in scope.
var ldapres = null

// Build the filter with EqualityFilter so that special characters in the
// username are escaped instead of being spliced into the filter string.
var opts = {
  filter: new ldap.filters.EqualityFilter({ attribute: 'username', value: username }),
  scope: 'sub',
}

// An empty password would be sent as an anonymous bind and "succeed",
// so reject it before talking to the server.
if (!password) { return res.send('Wrong password') }

client.search('ou=people,dc=company,dc=com', opts, function (err, result) {
  if (err) { return res.send(err) }

  result.on('searchEntry', function (entry) {
    ldapres = entry.raw
  })

  result.on('error', function (err) {
    res.send(err)
  })

  result.on('end', function (result) {
    if (!ldapres) { return res.send('Invalid username') }

    // Bind as the entry that was found, using the password the user typed.
    client.bind(ldapres.dn, password, function (err) {
      if (err) { return res.send('Wrong password') }
      res.send('You are logged')
    })

  })
})

I assume you want to target the attribute username in your LDAP directory, but you can change it, as well as the ou and dc fields of the search.


It's after a long time, but hopefully this will help someone.

"here is the problem: when I input valid username or invalid username (such as "fjdkfjdklsjfsjd") without password, it also sends back "login", which is abnormal."

No. There is something called an "anonymous" bind in LDAP, which allows you to bind without a password. So why? The reason is that to search in LDAP you need to bind first, so instead of using a dedicated user for search operations, some prefer the anonymous bind. So the anonymous bind should be used for this reason only.

IMPORTANT

Therefore, when you use LDAP you need to handle both the empty-password and the empty-DN scenarios on the developer side instead of passing them to the LDAP server.

P.S.: In some directory services, this can be turned off.
