Authentication error from Active Directory with Express.js

英文:

Authentication error from Active Directory with Express.js

问题

I am using the activedirectory module to authenticate users with AD. I have had no issues with most users, but for users in one particular OU, authentication is constantly failing.
Here's the code I'm using

.env

ldap_url = "ldap://mydomain.local"
baseDN = "DC=mydomain, DC=local"
ad_bind_user = "bind-user@mydomain.local"
ad_bind_user_password = "Password Placeholder"

login.js

const express = require('express');
const ActiveDirectory = require('activedirectory');
const router = express.Router();

// Directory connection settings, all read from the environment so that no
// credentials live in source. `username`/`password` are the service (bind)
// account the library presumably uses for lookups such as findUser() below;
// end-user passwords never go through this object.
//
// NOTE(review): the .env shown with this file uses a plain `ldap://` URL, so
// every simple bind — the service account's and each user's password — crosses
// the network in cleartext. Use `ldaps://` (or StartTLS if the library
// supports it) with certificate verification anywhere outside a lab.
const {
  ldap_url: url,
  baseDN,
  ad_bind_user: username,
  ad_bind_user_password: password,
} = process.env;

const config = { url, baseDN, username, password };

// One shared client for every route in this router.
const ad = new ActiveDirectory(config);

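// POST /api/login — check a username/password against AD by binding as that
// user, then record the login in the session.
//
// Security notes:
//  * Empty or non-string credentials are rejected before the bind. LDAP treats
//    a simple bind with an empty password as an *anonymous* bind, which a
//    server may answer with success; do not rely on the library to catch it.
//  * The raw LDAP error is only logged server-side. Its lde_message carries AD
//    sub-codes ("data 52e" for a wrong password; other codes for an unknown,
//    disabled or locked-out account) that would let a caller enumerate
//    accounts if echoed to the client, so the client gets a generic reply.
//  * On success the session id is regenerated when the session middleware
//    offers regenerate() (express-session does), to prevent session fixation.
router.post('/api/login', (req, res) => {
  const body = req.body || {};
  const username = body.username;
  const password = body.password;

  if (typeof username !== 'string' || typeof password !== 'string'
      || username.length === 0 || password.length === 0) {
    return res.status(400).send('Username and password are required');
  }
  // Allow only characters found in a sAMAccountName, UPN or DOMAIN\user name so
  // LDAP metacharacters from the request never reach the directory. Tighten or
  // widen to match the organisation's naming rules.
  if (!/^[A-Za-z0-9._@\\-]{1,256}$/.test(username)) {
    return res.status(400).send('Invalid username');
  }

  ad.authenticate(username, password, (error, auth) => {
    if (error) {
      const detail = typeof error.lde_message === 'string'
        ? error.lde_message
        : String(error);
      // TODO: route through the application logger instead of console.
      console.error('AD authenticate failed for %s: %s', username, detail);
      // AD reports a rejected bind (wrong password, unknown/disabled account)
      // as an LDAP error whose message contains "AcceptSecurityContext" — the
      // error quoted in this question — not as auth === false, so that case is
      // a failed login (401) rather than a server fault (500).
      if (detail.indexOf('AcceptSecurityContext') !== -1) {
        return res.status(401).send('Unauthorized User');
      }
      return res.status(500).send('Authentication service error');
    }
    if (!auth) {
      return res.status(401).send('Unauthorized User');
    }

    const establishSession = () => {
      req.session.user = { username, authenticated: true };
      return res.json(req.session.user);
    };
    if (req.session && typeof req.session.regenerate === 'function') {
      return req.session.regenerate((err) => {
        if (err) {
          console.error('session regenerate failed: %s', err);
          return res.status(500).send('Authentication service error');
        }
        return establishSession();
      });
    }
    return establishSession();
  });
});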

For users other than a particular Users OU, I am able to authenticate successfully. However, for accounts in the Users OU, authentication fails with the below error

{
    "lde_message":"80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v2580",
    "lde_dn": null
}

For users in this OU, if I provide the username with the domain, I am able to authenticate successfully, i.e., when the username is testuser it doesn't work, but when the username is testuser@mydomain.local it works just fine.

I also created another route to get the user details, and there is no difference in the output for any parameter, i.e., users in both OUs have completely identical parameters.

Here's the code I used to get the user details

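// GET /api/getusers — look up one directory record by login name.
//
// Security notes:
//  * findUser() returns the raw AD object, so the route now requires the
//    session that /api/login establishes; as written, anyone who could reach
//    the server could dump directory entries.
//  * The lookup name is restricted to sAMAccountName/UPN characters so LDAP
//    filter metacharacters never reach the directory. DN-style lookups are
//    therefore not accepted here; widen the pattern if they are needed.
//  * A GET normally carries no body, so the name is taken from the query
//    string first, falling back to the body the original code used.
//  * When findUser() yields no user (falsy result) the original handler sent
//    nothing and left the request hanging; it now answers 404.
router.get('/api/getusers', (req, res) => {
  const session = req.session || {};
  if (!session.user || session.user.authenticated !== true) {
    return res.status(401).send('Unauthorized User');
  }

  const query = req.query || {};
  const body = req.body || {};
  const username = typeof query.username === 'string' ? query.username : body.username;
  if (typeof username !== 'string' || !/^[A-Za-z0-9._@\\-]{1,256}$/.test(username)) {
    return res.status(400).send('Invalid username');
  }

  ad.findUser(username, (error, user) => {
    if (error) {
      // Keep LDAP error detail out of the response; log it server-side only.
      const detail = typeof error.lde_message === 'string'
        ? error.lde_message
        : String(error);
      console.error('AD findUser failed for %s: %s', username, detail);
      return res.status(500).send('Directory lookup failed');
    }
    if (!user) {
      return res.status(404).send('User not found');
    }
    return res.json(user);
  });
});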

I don't seem to understand why the code expects the domain only for that particular OU in the authenticate function when it's successfully able to find the user with the findUser function without the need for the domain. How can I get around this?

英文:

I am using the activedirectory module to authenticate users with AD. I have had no issues with most users, but for users in one particular OU, authentication is constantly failing.
Here's the code I'm using

.env

ldap_url = "ldap://mydomain.local"
baseDN = "DC=mydomain, DC=local"
ad_bind_user = "bind-user@mydomain.local"
ad_bind_user_password = "Password Placeholder"

login.js

const express = require('express');
    const ActiveDirectory = require('activedirectory');
    const router = express.Router();

    // Directory connection settings, all read from the environment so that no
    // credentials live in source. `username`/`password` are the service (bind)
    // account the library presumably uses for lookups such as findUser() below;
    // end-user passwords never go through this object.
    //
    // NOTE(review): the .env shown with this file uses a plain `ldap://` URL, so
    // every simple bind — the service account's and each user's password — crosses
    // the network in cleartext. Use `ldaps://` (or StartTLS if the library
    // supports it) with certificate verification anywhere outside a lab.
    const {
      ldap_url: url,
      baseDN,
      ad_bind_user: username,
      ad_bind_user_password: password,
    } = process.env;

    const config = { url, baseDN, username, password };

    // One shared client for every route in this router.
    const ad = new ActiveDirectory(config);

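    // POST /api/login — check a username/password against AD by binding as that
    // user, then record the login in the session.
    //
    // Security notes:
    //  * Empty or non-string credentials are rejected before the bind. LDAP treats
    //    a simple bind with an empty password as an *anonymous* bind, which a
    //    server may answer with success; do not rely on the library to catch it.
    //  * The raw LDAP error is only logged server-side. Its lde_message carries AD
    //    sub-codes ("data 52e" for a wrong password; other codes for an unknown,
    //    disabled or locked-out account) that would let a caller enumerate
    //    accounts if echoed to the client, so the client gets a generic reply.
    //  * On success the session id is regenerated when the session middleware
    //    offers regenerate() (express-session does), to prevent session fixation.
    router.post('/api/login', (req, res) => {
      const body = req.body || {};
      const username = body.username;
      const password = body.password;

      if (typeof username !== 'string' || typeof password !== 'string'
          || username.length === 0 || password.length === 0) {
        return res.status(400).send('Username and password are required');
      }
      // Allow only characters found in a sAMAccountName, UPN or DOMAIN\user name so
      // LDAP metacharacters from the request never reach the directory. Tighten or
      // widen to match the organisation's naming rules.
      if (!/^[A-Za-z0-9._@\\-]{1,256}$/.test(username)) {
        return res.status(400).send('Invalid username');
      }

      ad.authenticate(username, password, (error, auth) => {
        if (error) {
          const detail = typeof error.lde_message === 'string'
            ? error.lde_message
            : String(error);
          // TODO: route through the application logger instead of console.
          console.error('AD authenticate failed for %s: %s', username, detail);
          // AD reports a rejected bind (wrong password, unknown/disabled account)
          // as an LDAP error whose message contains "AcceptSecurityContext" — the
          // error quoted in this question — not as auth === false, so that case is
          // a failed login (401) rather than a server fault (500).
          if (detail.indexOf('AcceptSecurityContext') !== -1) {
            return res.status(401).send('Unauthorized User');
          }
          return res.status(500).send('Authentication service error');
        }
        if (!auth) {
          return res.status(401).send('Unauthorized User');
        }

        const establishSession = () => {
          req.session.user = { username, authenticated: true };
          return res.json(req.session.user);
        };
        if (req.session && typeof req.session.regenerate === 'function') {
          return req.session.regenerate((err) => {
            if (err) {
              console.error('session regenerate failed: %s', err);
              return res.status(500).send('Authentication service error');
            }
            return establishSession();
          });
        }
        return establishSession();
      });
    });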

For users outside one particular Users OU, I am able to authenticate successfully. However, for accounts in that Users OU, authentication fails with the error below:

{
    "lde_message":"80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v2580",
    "lde_dn": null
}

For users in this OU, if I provide the username with the domain, I am able to authenticate successfully, i.e. when the username is testuser it doesn't work, but when the username is testuser@mydomain.local it works just fine.

I also created another route to get the user details, and there is no difference in the output for any attribute, i.e. users in both OUs have completely identical attributes.

Here's the code I used to get the user details

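// GET /api/getusers — look up one directory record by login name.
//
// Security notes:
//  * findUser() returns the raw AD object, so the route now requires the
//    session that /api/login establishes; as written, anyone who could reach
//    the server could dump directory entries.
//  * The lookup name is restricted to sAMAccountName/UPN characters so LDAP
//    filter metacharacters never reach the directory. DN-style lookups are
//    therefore not accepted here; widen the pattern if they are needed.
//  * A GET normally carries no body, so the name is taken from the query
//    string first, falling back to the body the original code used.
//  * When findUser() yields no user (falsy result) the original handler sent
//    nothing and left the request hanging; it now answers 404.
router.get('/api/getusers', (req, res) => {
  const session = req.session || {};
  if (!session.user || session.user.authenticated !== true) {
    return res.status(401).send('Unauthorized User');
  }

  const query = req.query || {};
  const body = req.body || {};
  const username = typeof query.username === 'string' ? query.username : body.username;
  if (typeof username !== 'string' || !/^[A-Za-z0-9._@\\-]{1,256}$/.test(username)) {
    return res.status(400).send('Invalid username');
  }

  ad.findUser(username, (error, user) => {
    if (error) {
      // Keep LDAP error detail out of the response; log it server-side only.
      const detail = typeof error.lde_message === 'string'
        ? error.lde_message
        : String(error);
      console.error('AD findUser failed for %s: %s', username, detail);
      return res.status(500).send('Directory lookup failed');
    }
    if (!user) {
      return res.status(404).send('User not found');
    }
    return res.json(user);
  });
});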

I don't understand why the code expects the domain only for that particular OU in the authenticate function, when findUser is able to locate the same user without the domain. How can I get around this?

答案1

得分: 1

以下是已翻译的代码部分:

我无法理解为什么只有 authenticate 函数在没有域的情况下查找用户时会出现问题，因此我修改了 login.js，把域追加到用户名变量上（虽然不是最优雅的方法，但它有效）。注意这里是无条件追加后缀，所以本身已经带有 "@" 的登录名将无法再登录。以下是修改后的脚本：

const express = require('express');
const ActiveDirectory = require('activedirectory');
const router = express.Router();

// Directory connection settings, all read from the environment so that no
// credentials live in source. `username`/`password` are the service (bind)
// account the library presumably uses for lookups; end-user passwords never
// go through this object.
//
// NOTE(review): the .env shown with this file uses a plain `ldap://` URL, so
// every simple bind — the service account's and each user's password — crosses
// the network in cleartext. Use `ldaps://` (or StartTLS if the library
// supports it) with certificate verification anywhere outside a lab.
const {
  ldap_url: url,
  baseDN,
  ad_bind_user: username,
  ad_bind_user_password: password,
} = process.env;

const config = { url, baseDN, username, password };

// One shared client for every route in this router.
const ad = new ActiveDirectory(config);

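// UPN suffix appended to bare login names, so that users are always bound as
// user@domain (the form that worked for every OU in this question). Read from
// the environment, defaulting to the value the original code hard-coded.
const UPN_SUFFIX = process.env.ad_upn_suffix || 'mydomain.local';

// POST /api/login — check a username/password against AD by binding as
// `<username>@<UPN_SUFFIX>`, then record the login in the session.
//
// Security notes:
//  * Empty or non-string credentials are rejected before the bind. LDAP treats
//    a simple bind with an empty password as an *anonymous* bind, which a
//    server may answer with success; do not rely on the library to catch it.
//  * The server chooses the realm, so a login name that already carries one
//    ('@' or '\') is answered with 400 instead of being silently rewritten into
//    the invalid `user@other@<suffix>` that plain concatenation produced.
//  * The raw LDAP error is only logged server-side. Its lde_message carries AD
//    sub-codes ("data 52e" for a wrong password; other codes for an unknown,
//    disabled or locked-out account) that would let a caller enumerate
//    accounts if echoed to the client, so the client gets a generic reply.
//  * On success the session id is regenerated when the session middleware
//    offers regenerate() (express-session does), to prevent session fixation.
router.post('/api/login', (req, res) => {
  const body = req.body || {};
  const username = body.username;
  const password = body.password;

  if (typeof username !== 'string' || typeof password !== 'string'
      || username.length === 0 || password.length === 0) {
    return res.status(400).send('Username and password are required');
  }
  // Bare sAMAccountName characters only; adjust to the organisation's naming
  // rules, but keep LDAP metacharacters, '@' and '\' out.
  if (!/^[A-Za-z0-9._-]{1,64}$/.test(username)) {
    return res.status(400).send('Invalid username');
  }

  ad.authenticate(`${username}@${UPN_SUFFIX}`, password, (error, auth) => {
    if (error) {
      const detail = typeof error.lde_message === 'string'
        ? error.lde_message
        : String(error);
      // TODO: route through the application logger instead of console.
      console.error('AD authenticate failed for %s: %s', username, detail);
      // AD reports a rejected bind (wrong password, unknown/disabled account)
      // as an LDAP error whose message contains "AcceptSecurityContext" — the
      // error quoted in this question — not as auth === false, so that case is
      // a failed login (401) rather than a server fault (500).
      if (detail.indexOf('AcceptSecurityContext') !== -1) {
        return res.status(401).send('Unauthorized User');
      }
      return res.status(500).send('Authentication service error');
    }
    if (!auth) {
      return res.status(401).send('Unauthorized User');
    }

    // The session keeps the bare name the user typed, as the original did.
    const establishSession = () => {
      req.session.user = { username, authenticated: true };
      return res.json(req.session.user);
    };
    if (req.session && typeof req.session.regenerate === 'function') {
      return req.session.regenerate((err) => {
        if (err) {
          console.error('session regenerate failed: %s', err);
          return res.status(500).send('Authentication service error');
        }
        return establishSession();
      });
    }
    return establishSession();
  });
});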
英文:

I wasn't able to work out why only the authenticate function has trouble looking up these users without the domain, so I modified login.js to append the domain to the username variable (not the most elegant, but it works). Note that the suffix is appended unconditionally, so a login name that already contains "@" will no longer authenticate. Here is the modified script.

const express = require('express');
const ActiveDirectory = require('activedirectory');
const router = express.Router();

// Directory connection settings, all read from the environment so that no
// credentials live in source. `username`/`password` are the service (bind)
// account the library presumably uses for lookups; end-user passwords never
// go through this object.
//
// NOTE(review): the .env shown with this file uses a plain `ldap://` URL, so
// every simple bind — the service account's and each user's password — crosses
// the network in cleartext. Use `ldaps://` (or StartTLS if the library
// supports it) with certificate verification anywhere outside a lab.
const {
  ldap_url: url,
  baseDN,
  ad_bind_user: username,
  ad_bind_user_password: password,
} = process.env;

const config = { url, baseDN, username, password };

// One shared client for every route in this router.
const ad = new ActiveDirectory(config);

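// UPN suffix appended to bare login names, so that users are always bound as
// user@domain (the form that worked for every OU in this question). Read from
// the environment, defaulting to the value the original code hard-coded.
const UPN_SUFFIX = process.env.ad_upn_suffix || 'mydomain.local';

// POST /api/login — check a username/password against AD by binding as
// `<username>@<UPN_SUFFIX>`, then record the login in the session.
//
// Security notes:
//  * Empty or non-string credentials are rejected before the bind. LDAP treats
//    a simple bind with an empty password as an *anonymous* bind, which a
//    server may answer with success; do not rely on the library to catch it.
//  * The server chooses the realm, so a login name that already carries one
//    ('@' or '\') is answered with 400 instead of being silently rewritten into
//    the invalid `user@other@<suffix>` that plain concatenation produced.
//  * The raw LDAP error is only logged server-side. Its lde_message carries AD
//    sub-codes ("data 52e" for a wrong password; other codes for an unknown,
//    disabled or locked-out account) that would let a caller enumerate
//    accounts if echoed to the client, so the client gets a generic reply.
//  * On success the session id is regenerated when the session middleware
//    offers regenerate() (express-session does), to prevent session fixation.
router.post('/api/login', (req, res) => {
  const body = req.body || {};
  const username = body.username;
  const password = body.password;

  if (typeof username !== 'string' || typeof password !== 'string'
      || username.length === 0 || password.length === 0) {
    return res.status(400).send('Username and password are required');
  }
  // Bare sAMAccountName characters only; adjust to the organisation's naming
  // rules, but keep LDAP metacharacters, '@' and '\' out.
  if (!/^[A-Za-z0-9._-]{1,64}$/.test(username)) {
    return res.status(400).send('Invalid username');
  }

  ad.authenticate(`${username}@${UPN_SUFFIX}`, password, (error, auth) => {
    if (error) {
      const detail = typeof error.lde_message === 'string'
        ? error.lde_message
        : String(error);
      // TODO: route through the application logger instead of console.
      console.error('AD authenticate failed for %s: %s', username, detail);
      // AD reports a rejected bind (wrong password, unknown/disabled account)
      // as an LDAP error whose message contains "AcceptSecurityContext" — the
      // error quoted in this question — not as auth === false, so that case is
      // a failed login (401) rather than a server fault (500).
      if (detail.indexOf('AcceptSecurityContext') !== -1) {
        return res.status(401).send('Unauthorized User');
      }
      return res.status(500).send('Authentication service error');
    }
    if (!auth) {
      return res.status(401).send('Unauthorized User');
    }

    // The session keeps the bare name the user typed, as the original did.
    const establishSession = () => {
      req.session.user = { username, authenticated: true };
      return res.json(req.session.user);
    };
    if (req.session && typeof req.session.regenerate === 'function') {
      return req.session.regenerate((err) => {
        if (err) {
          console.error('session regenerate failed: %s', err);
          return res.status(500).send('Authentication service error');
        }
        return establishSession();
      });
    }
    return establishSession();
  });
});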
