
Comma in user DN causes authentication failure.

Open ajay-fcb opened this issue 4 years ago • 3 comments

  • If there's a comma in the user DN, the LDAP authentication call fails.

  • The user DN is of the form 'cn=ray\,rex,dc=example,dc=com'

  • The group attribute is of the form member: cn=ray\,rex,dc=example,dc=com

  • The program used to test is:

```javascript
const LdapAuth = require('ldapauth-fork');

const ldap = new LdapAuth({
  url: 'ldap://localhost:10389',
  searchBase: 'dc=example,dc=com',
  searchFilter: '(uid={{username}})',
  groupSearchBase: 'dc=example,dc=com',
  // {{dn}} is replaced with the DN of the user entry matched by searchFilter
  groupSearchFilter: '(&(objectclass=*)(member={{dn}}))',
  groupSearchScope: 'sub',
  groupSearchAttributes: 'cn',
  reconnect: false
});

ldap.authenticate('ray', 'password', function (err, user) {
  if (err) {
    console.log('Authentication error: ' + err);
    throw err;
  }
  console.log('Successful Authentication');
  // user._groups holds the group entries matched by groupSearchFilter
  const roles = user._groups.map(element => '[' + element.dn + ']');
  console.log('Successfully authenticated ldap groups dn: ' + roles);
  process.exit(0);
});
```

  • Error reported

```
PS C:\AJAY_WORK\APAR\ACELDAP\ldappgm> node .\ldaptest2.js
Authentication error: LoopDetectError: LOOP_DETECT: failed for MessageType : SEARCH_REQUEST
Message ID : 2
    SearchRequest
        baseDn : 'dc=example, dc=com'
        filter : '(&(objectClass=*)(member=cn=ray,rex,dc=example,dc=com))'
        scope : whole subtree
        typesOnly : false
        Size Limit : no limit
        Time Limit : 10
        Deref Aliases : never Deref Aliases
        attributes : 'cn'
org.apache.directory.api.ldap.model.message.SearchRequestImpl@35551da: java.lang.IllegalArgumentException: ERR_13247_INVALID_VALUE_CANT_NORMALIZE Invalid upValue, it cant be normalized

C:\AJAY_WORK\APAR\ACELDAP\ldappgm\ldaptest2.js:18
      throw err;
      ^

LDAPError [LoopDetectError]: LOOP_DETECT: failed for MessageType : SEARCH_REQUEST
Message ID : 2
    SearchRequest
        baseDn : 'dc=example, dc=com'
        filter : '(&(objectClass=*)(member=cn=ray,rex,dc=example,dc=com))'
        scope : whole subtree
        typesOnly : false
        Size Limit : no limit
        Time Limit : 10
        Deref Aliases : never Deref Aliases
        attributes : 'cn'
org.apache.directory.api.ldap.model.message.SearchRequestImpl@35551da: java.lang.IllegalArgumentException: ERR_13247_INVALID_VALUE_CANT_NORMALIZE Invalid upValue, it cant be normalized
    at messageCallback (C:\AJAY_WORK\APAR\ACELDAP\ldappgm\node_modules\ldapauth-fork\node_modules\ldapjs\lib\client\client.js:1419:45)
    at Parser.onMessage (C:\AJAY_WORK\APAR\ACELDAP\ldappgm\node_modules\ldapauth-fork\node_modules\ldapjs\lib\client\client.js:1089:14)
    at Parser.emit (events.js:310:20)
    at Parser.write (C:\AJAY_WORK\APAR\ACELDAP\ldappgm\node_modules\ldapauth-fork\node_modules\ldapjs\lib\messages\parser.js:111:8)
    at Socket.onData (C:\AJAY_WORK\APAR\ACELDAP\ldappgm\node_modules\ldapauth-fork\node_modules\ldapjs\lib\client\client.js:1076:22)
    at Socket.emit (events.js:310:20)
    at addChunk (_stream_readable.js:286:12)
    at readableAddChunk (_stream_readable.js:268:9)
    at Socket.Readable.push (_stream_readable.js:209:10)
    at TCP.onStreamRead (internal/stream_base_commons.js:186:23) {
  lde_message: 'LOOP_DETECT: failed for MessageType : SEARCH_REQUEST\n' +
    'Message ID : 2\n' +
    '    SearchRequest\n' +
    "        baseDn : 'dc=example, dc=com'\n" +
    "        filter : '(&(objectClass=*)(member=cn=ray,rex,dc=example,dc=com))'\n" +
    '        scope : whole subtree\n' +
    '        typesOnly : false\n' +
    '        Size Limit : no limit\n' +
    '        Time Limit : 10\n' +
    '        Deref Aliases : never Deref Aliases\n' +
    "        attributes : 'cn'\n" +
    'org.apache.directory.api.ldap.model.message.SearchRequestImpl@35551da: java.lang.IllegalArgumentException: ERR_13247_INVALID_VALUE_CANT_NORMALIZE Invalid upValue, it cant be normalized',
  lde_dn: null
}
```

ajay-fcb, Oct 19 '20 14:10

I've worked around this issue myself by providing my own groupSearchFilter function in options, but we need to upgrade to ldapjs v2 to resolve this.

Grahahax, Nov 11 '20 08:11

Oh, v2 has been released; it was so long in `next` that I forgot the whole thing. I'll try to remember to bump the deps tomorrow.

vesse, Nov 14 '20 18:11

The current escaping is insufficient. In certain scenarios, this may even be a security issue. See https://ldapwiki.com/wiki/DN%20Escape%20Values and https://tools.ietf.org/search/rfc4515 for some characters that need escaping.

pcworld, Nov 25 '20 20:11