This repository was archived by the owner on Mar 31, 2025. It is now read-only.

Is LDAP client implementation missing scope setting? #2

@anarion80

Hello,

I have set up Release Bell in my own environment using docker. Everything is up and running, but I can't log in using LDAP.

=> Create database.json
=> Run db-migration
Ignoring invalid configuration option passed to Connection: driver. This is currently a warning, but in future versions of MySQL2, an error will be thrown if you pass an invalid configuration option to a Connection
[INFO] No migrations to run
[INFO] Done
=> Start application
Can send emails. Email notifications are sent out as releasebell@anarion.pl
Use ldap auth
Server is up and running on port 3000

I have the following env (actual domain removed):

CLOUDRON_APP_ORIGIN = example.com
CLOUDRON_LDAP_BIND_DN = cn=admin,dc=example,dc=com
CLOUDRON_LDAP_BIND_PASSWORD = password
CLOUDRON_LDAP_URL = ldap://openldap:1389
CLOUDRON_LDAP_USERS_BASE_DN = ou=users,dc=example,dc=com
CLOUDRON_MYSQL_DATABASE = releasebell
CLOUDRON_MYSQL_HOST = mariadb
CLOUDRON_MYSQL_PASSWORD = password
CLOUDRON_MYSQL_PORT = 3306
CLOUDRON_MYSQL_USERNAME = releasebell

When I enter username and password, though, I get 401 and an "Invalid username or password" message.

At that time my LDAP server is showing:

BIND dn="cn=admin,dc=example,dc=com" method=128
BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE bind_ssf=0 ssf=0
RESULT tag=97 err=0 qtime=0.000027 etime=0.000272 text=
SRCH base="ou=users,dc=example,dc=com" scope=0 deref=0 filter="(|(uid=anarion)(mail=anarion)(?username=anarion)(?sAMAccountName=anarion))"
SEARCH RESULT tag=101 err=0 qtime=0.000019 etime=0.000192 nentries=0 text=

So 0 entries/results.

When I do the same using the ldapsearch command, I get:

BIND dn="cn=admin,dc=example,dc=com" method=128
BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE bind_ssf=0 ssf=0
RESULT tag=97 err=0 qtime=0.000031 etime=0.000507 text=
SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(|(uid=anarion)(mail=anarion)(?username=anarion)(?sAMAccountName=anarion))"
RESULT tag=101 err=0 qtime=0.000045 etime=0.000888 nentries=1 text=

So the user is found. The only difference is scope.

In your code you seem to be using the default, which is base (or 0) link:
ldapClient.search(process.env.CLOUDRON_LDAP_USERS_BASE_DN, { filter: filter }, function (error, result)
while the ldapsearch command by default uses sub, which is wholeSubtree.

I think that we can't really search for users in a tree using base, as that's only the level of base DN.
Can you consider adding the scope attribute there?

Or how are you using LDAP otherwise?
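To make the scope difference concrete, here is an added example that is not part of the issue or of Release Bell's code. It emulates, against a small constructed directory, which entries an LDAP search can see under the three scopes (`base`, `one`, `sub`), showing why a search with `scope=0` (the ldapjs default) against `ou=users,dc=example,dc=com` never reaches `uid=anarion,...`, and builds the ldapjs-style options object with `scope: 'sub'` that the issue asks for. The `DIRECTORY` entries, the `findUser`/`buildSearchOptions` helpers and the `username` value are assumptions made for the example; escaping the login name per RFC 4515 before interpolating it into the filter is a general practice added here, not something the issue raises.

```javascript
// Added example (not Release Bell's code): simulates how LDAP search scope
// decides which entries a search can return, and builds ldapjs-style search
// options using the "sub" scope instead of the default "base".

// Normalise a DN into an array of RDN strings, most specific first.
// Simplification: assumes attribute values contain no escaped commas.
function parseDn(dn) {
  return dn.split(',').map(rdn => rdn.trim().toLowerCase()).filter(Boolean);
}

// Is `entryDn` reachable from `baseDn` under the given scope?
//   base -> only the base entry itself (ldapjs default; scope=0 in slapd logs)
//   one  -> immediate children of the base (scope=1)
//   sub  -> the base entry and every descendant (ldapsearch default; scope=2)
function inScope(baseDn, entryDn, scope) {
  const base = parseDn(baseDn);
  const entry = parseDn(entryDn);
  if (entry.length < base.length) return false;
  const depth = entry.length - base.length;
  const underBase = base.every((rdn, i) => rdn === entry[depth + i]);
  if (!underBase) return false;
  switch (scope) {
    case 'base': return depth === 0;
    case 'one': return depth === 1;
    case 'sub': return true;
    default: throw new Error(`unknown scope: ${scope}`);
  }
}

// Constructed directory contents mirroring the issue's layout (assumption).
const DIRECTORY = [
  { dn: 'dc=example,dc=com', objectClass: 'domain' },
  { dn: 'ou=users,dc=example,dc=com', objectClass: 'organizationalUnit' },
  { dn: 'uid=anarion,ou=users,dc=example,dc=com', uid: 'anarion', mail: 'anarion@example.com' },
  { dn: 'ou=staff,ou=users,dc=example,dc=com', objectClass: 'organizationalUnit' },
  { dn: 'uid=bob,ou=staff,ou=users,dc=example,dc=com', uid: 'bob', mail: 'bob@example.com' },
];

// Server-side view: which DNs does the search consider before the filter
// is applied? Returns the candidate DNs in directory order.
function searchDns(entries, baseDn, scope) {
  return entries.filter(e => inScope(baseDn, e.dn, scope)).map(e => e.dn);
}

// Apply a uid/mail match (like the issue's filter) within the scope.
function findUser(entries, baseDn, scope, login) {
  return entries.filter(e =>
    inScope(baseDn, e.dn, scope) && (e.uid === login || e.mail === login));
}

// RFC 4515 escaping for a value placed inside a search filter, so that
// characters such as "*" and "(" in the login name are matched literally.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, ch =>
    '\\' + ch.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Options for ldapjs client.search(baseDn, options, callback).
// ldapjs accepts scope values 'base', 'one' and 'sub'; 'sub' is what the
// issue asks for. `username` is assumed to come from the login form.
function buildSearchOptions(username) {
  const u = escapeFilterValue(username);
  return { scope: 'sub', filter: `(|(uid=${u})(mail=${u}))` };
}

const BASE = 'ou=users,dc=example,dc=com';
console.log('base:', searchDns(DIRECTORY, BASE, 'base'));
console.log('one :', searchDns(DIRECTORY, BASE, 'one'));
console.log('sub :', searchDns(DIRECTORY, BASE, 'sub'));
console.log('login with base scope:', findUser(DIRECTORY, BASE, 'base', 'anarion').length);
console.log('login with sub scope :', findUser(DIRECTORY, BASE, 'sub', 'anarion').length);
console.log(buildSearchOptions('anarion'));
```

With `scope: 'base'` the only candidate is the `ou=users` entry itself, which has no `uid` or `mail`, so the filter can never match a user and the server reports `nentries=0`, exactly as in the slapd log above; `one` finds users placed directly under the base, and `sub` also finds users nested in sub-OUs, which is the behaviour `ldapsearch` shows by default.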
