7

I am trying to implement a basic LDAP bind with the following node.js file. Unfortunately, I keep getting a bind error with code 128. I looked online and found no references to code 128. The LDAP server I am trying to search is an eDirectory. Does anyone have any experience with this or have you had similar problems? My node version is v0.10.22 and my ldapjs version is v0.7.1.

var ldap = require('ldapjs');

// Connection settings. Only `url` is consumed by createClient() here; the
// DN is passed explicitly to bind() below.
var creds = {
  url: "ldaps://ldap.url.com:636",
  bindDN: "cn=ldap,o=com"
};

// Search options for the lookup that follows a successful bind (not used yet).
var opts = {
  filter: "(cn=username)",
  scope: "sub"
};

// Bind with the given DN/password, then report success or the LDAP error.
function authDN(client, dn, password, cb) {
  client.bind(dn, password, function (err) {
    client.unbind();
    cb(err === null, err);
  });
}

function output(res, err) {
  if (res) {
    console.log('success');
  } else {
    console.log(['Error', err.code, err.dn, err.message]);
  }
}

var client = ldap.createClient(creds);

// bind() expects a DN, not a search filter such as "(cn=username)".
authDN(client, creds.bindDN, 'password', output);
  • LDAP can be an absolute nightmare to get working. My recommendation is to get the authentication working with a LDAP client tool first, then go back to your code. Otherwise you'll spend a lot of time changing code when it's the config that needs some tweaks. Commented Aug 7, 2014 at 0:15
  • My configurations are correct. It is failing at the bind part with the server on a secure LDAP port. I can search the user on a non-secure port, but when I try to search for the user on a secure port it gives me error 128. Commented Aug 7, 2014 at 21:38
  • I don't see a call to the 'bind' method. Commented Sep 18, 2014 at 12:53
  • I have added the bind method. I still get the same error. Commented Sep 19, 2014 at 15:39
  • Can you look at the eDirectory server logs to see if there is more information on the error 128? Commented Sep 25, 2014 at 8:54

3 Answers

7

This authenticates when I added the following to the top of my file:

process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";

I haven't researched enough to know why this works but I found this answer here: https://github.com/mikeal/request/issues/418


2

In general when debugging an eDirectory issue, ask for access to iMonitor, so you can look at DStrace with the +LDAP option. That would show you what the LDAP server is sending back, making troubleshooting easier.


0

To augment Kaiser's answer, an explanation on why adding process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0"; to the code may work is found at the top of this link: https://github.com/visionmedia/superagent/issues/205.

Potential fixes:

  • Add process.env.NODE_TLS_REJECT_UNAUTHORIZED = 0; to the top of your script for node v0.10.x (and above)
  • Set up a trusted CA certificate on the server instead of a self-signed certificate (must have server admin rights and pay for a valid cert)
  • Use the LDAP server IP or load balancer IP instead of DNS for the url parameter.

Because you are using the secure protocol (ldaps:// instead of ldap://), and I'm assuming you are trying to connect to a server with a self-signed certificate, you will get a failure if using node v0.10.x (and probably all later versions as well) and the code/module you are using doesn't specifically set the process.env.NODE_TLS_REJECT_UNAUTHORIZED to false.

NODE_TLS_REJECT_UNAUTHORIZED was changed to true by default for a reason. If you choose to set NODE_TLS_REJECT_UNAUTHORIZED to false, you are opening up more security risks, and I would advise only doing this on private networks at best, and never in production environments. Without going down a security discussion rabbit hole, it's always best to use a cert signed by a CA. More info on the differences on certs can be found here. This can also cause problems if your application is robust enough to make multiple connections to various secured servers where only some use self signed certs, again mentioned in this link.

If the cert wasn't self-signed, you most likely shouldn't be getting this error, so another potential fix is to set up and use a trusted CA certificate on the LDAP server instead.

On the other hand, if you are using a normal, non-secure LDAP connection (not through TLS), and/or you get this error only occasionally while other times it goes through, you should try setting the LDAP url to the LDAP server IP or load balancer IP (and use port 3268 to allow searching in all domains). In larger network setups this will avoid potential round-robin DNS queries that sometimes point you to a slow server or one you can't route to.
