node-ldapauth-fork

'UNABLE_TO_VERIFY_LEAF_SIGNATURE' and MS Active Directory

Open tlcarpenter opened this issue 4 years ago • 0 comments

  • Node.js Version: 12.16.2
  • OS: Windows 10 1909 (OS Build 18363.959)
  • Scope (install, code, runtime, meta, other?): runtime
  • Module (and version) (if relevant): ldapauth-fork (version 4.4.3 - https://www.npmjs.com/package/ldapauth-fork)

Which MS Windows certificate store(s) does the ldapauth-fork module use to verify SSL certificates when using ldaps to bind to a directory service? I tried setting up a bind to our Active Directory domain for MeshCentral2 which uses ldapauth-fork. When MC2 tries to search AD to authenticate a user I see the errors in MC2's log (below). Our AD domain uses round-robin DNS for three domain controllers and I'm guessing this may be the cause of the 'UNABLE_TO_VERIFY_LEAF_SIGNATURE' error. There are copies of our organization's root certs in Windows' "Trusted Root Certification Authorities" and I also tried manually adding exported copies of those to the system's local store. Is ldapauth-fork's default behavior to have the operating system verify a certificate or does ldapauth-fork handle the verification by using some/all Windows' certificate stores itself?

-------- 7/20/2020, 12:04:02 PM ---- 0.5.89 --------

events.js:287
      throw er; // Unhandled 'error' event
      ^

Error: unable to verify the first certificate
    at TLSSocket.onConnectSecure (_tls_wrap.js:1474:34)
    at TLSSocket.emit (events.js:310:20)
    at TLSSocket._finishInit (_tls_wrap.js:917:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:687:12)
Emitted 'error' event on LdapAuth instance at:
    at LdapAuth._handleError (C:\Program Files\Open Source\MeshCentral\node_modules\ldapauth-fork\lib\ldapauth.js:185:8)
    at Client.emit (events.js:310:20)
    at Backoff. (C:\Program Files\Open Source\MeshCentral\node_modules\ldapjs\lib\client\client.js:1228:12)
    at Backoff.emit (events.js:310:20)
    at Backoff.backoff (C:\Program Files\Open Source\MeshCentral\node_modules\backoff\lib\backoff.js:41:14)
    at C:\Program Files\Open Source\MeshCentral\node_modules\ldapjs\lib\client\client.js:1214:15
    at f (C:\Program Files\Open Source\MeshCentral\node_modules\once\once.js:25:25)
    at TLSSocket.onResult (C:\Program Files\Open Source\MeshCentral\node_modules\ldapjs\lib\client\client.js:1016:7)
    at Object.onceWrapper (events.js:417:26)
    at TLSSocket.emit (events.js:310:20) {
  code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE'
}

tlcarpenter, Jul 21 '20 20:07
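By default Node.js verifies TLS peers against its own bundled CA list, not the Windows certificate stores, so a private AD root has to be handed to the LDAPS client explicitly. The sketch below is an added example, not part of this issue or of ldapauth-fork's own code: it builds ldapauth-fork options whose `tlsOptions.ca` carries the organization's CA certificates while leaving verification on. The helper names, URL, DNs and PEM text are constructed placeholders.

```javascript
// Added example (not from the issue). Helper names and all values are placeholders.

// Split a Base-64 (PEM) bundle into certificates and sanity-check each block.
function splitPemBundle(pemText) {
  const re = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;
  const blocks = pemText.match(re) || [];
  if (blocks.length === 0) {
    // Typical cause: the cert was exported as binary DER (.cer) instead of Base-64.
    throw new Error('no CERTIFICATE blocks found in CA bundle');
  }
  for (const block of blocks) {
    const b64 = block.replace(/-----[A-Z ]+-----/g, '').replace(/\s+/g, '');
    const der = Buffer.from(b64, 'base64');
    // An X.509 certificate is a DER SEQUENCE, so its first byte must be 0x30.
    if (der.length === 0 || der[0] !== 0x30) {
      throw new Error('block does not decode to a DER certificate');
    }
  }
  return blocks;
}

// Build the options object passed to `new LdapAuth(options)`.
function buildLdapAuthOptions(url, caBundlePem) {
  if (!/^ldaps:\/\//i.test(url)) {
    throw new Error('expected an ldaps:// URL');
  }
  return {
    url, // the host name must match a name in the DC's certificate
    bindDN: 'CN=svc-ldap,OU=Service Accounts,DC=example,DC=test', // placeholder
    bindCredentials: process.env.LDAP_BIND_PASSWORD || '',
    searchBase: 'DC=example,DC=test', // placeholder
    searchFilter: '(sAMAccountName={{username}})',
    tlsOptions: {
      ca: splitPemBundle(caBundlePem), // root plus any issuing CA certificates
      rejectUnauthorized: true,        // keep verification on; do not disable it
    },
  };
}

// Constructed sample: two stub blocks that only mimic the PEM shape. They are
// not real certificates; in practice read the exported bundle from disk.
const SAMPLE_BUNDLE = [
  '-----BEGIN CERTIFICATE-----', 'MIIBAAAA', '-----END CERTIFICATE-----',
  '-----BEGIN CERTIFICATE-----', 'MIIBAQEB', '-----END CERTIFICATE-----',
].join('\n');
```

For applications whose TLS options cannot be edited, the `NODE_EXTRA_CA_CERTS` environment variable, pointing at the same PEM file and set before the process starts, extends Node's trusted roots.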