Intermittent Authentication Against Active Directory from Node

Question

I'm trying to build a website where employees at my company can enter their Windows Domain credentials to log in. I am running an Express backend that looks like this:

const express = require('express');
const bodyParser = require('body-parser');
const passport = require('passport');
const LdapStrategy = require('passport-ldapauth');

// initialize server
const app = express();
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({
    extended: false,
}));

// initialize passport
app.use(passport.initialize());

// define Active Directory connection settings per request: the strategy
// calls this with the incoming request, and the bind is done as the user
// themselves (UPN + their own password), not as a service account
const getOptions = (request, callback) => {
    process.nextTick(() => {
        const username = request.query.username;
        const password = request.query.password;
        const options = {
            server: {
                url: 'LDAP://internal.mycompany.com',
                bindDN: username + '@internal.mycompany.com',
                bindCredentials: password,
                searchBase: 'DC=internal,DC=mycompany,DC=com',
                // {{username}} is substituted and escaped by the library;
                // concatenating the raw username into the filter string
                // would make the search LDAP-injectable
                searchFilter: '(sAMAccountName={{username}})',
            },
        };
        callback(null, options);
    });
};

// register passport
passport.use(new LdapStrategy(getOptions));

// respond to GET requests with authentication
// (credentials in a query string end up in browser history and server
//  access logs; a POST body is the usual place for them)
app.get('/ldap', passport.authenticate('ldapauth', {session: false}), (request, response) => {
    response.setHeader('Content-Type', 'application/json');
    response.send(JSON.stringify({
        success: true,
    }));
});

// run server on port 3001
app.listen(3001, () => {
    console.log('Express server running on port 3001.');
});

I enter http://localhost:3001/ldap?username=myusername&password=mypassword into my web browser, and I get one of 3 different responses.

Response A:

{"success":true}

This indicates that everything worked as planned. Great. This happens roughly 20% of the time.

Response B:

Error: connect ECONNREFUSED 10.11.10.165:389
    at Object._errnoException (util.js:1022:11)
    at _exceptionWithHostPort (util.js:1044:20)
    at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1198:14)

This is probably just because I am spamming requests again and again sometimes. Doesn't happen very often.

Response C:

OperationsError: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
    at messageCallback (/c/.../node_modules/ldapjs/lib/client/client.js:1419:45)
    at Parser.onMessage (/c/.../node_modules/ldapjs/lib/client/client.js:1089:14)
    at emitOne (events.js:116:13)
    at Parser.emit (events.js:211:7)
    at Parser.write (/c/.../node_modules/ldapjs/lib/messages/parser.js:111:8)
    at Socket.onData (/c/.../node_modules/ldapjs/lib/client/client.js:1076:22)
    at emitOne (events.js:116:13)
    at Socket.emit (events.js:211:7)
    at addChunk (_stream_readable.js:263:12)
    at readableAddChunk (_stream_readable.js:250:11)

This is the most common response. This is a mystifying error. Everything I read online says that supplying bindDN and bindCredentials will allow the activedirectory package to do its initial bind and then that should make it work.

I have also tried the passport-activedirectory and activedirectory npm packages, but with very similar results (passport-activedirectory never worked and activedirectory had the same sometimes-working behavior). I also tried activedirectory2, with no luck.

All these different links have been helpful in getting this far, but I don't understand what I'm doing wrong at this point. Especially when it works sometimes. My internet connection is very stable, so I don't think that's the issue.

Question:

Why am I seeing this intermittent behavior and is there a solution? If not, what other options do I have?
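As an added example (this is not code from the question): the search filter in the question is built by string concatenation, so a username such as *)(objectClass=* changes what the filter matches. The helpers below escape filter values as RFC 4515 requires and reject anything that cannot be a sAMAccountName before the directory is ever contacted. The allow-list pattern is an assumption (tighten it to the local naming policy), and the hostile input is constructed; the code runs offline and needs no LDAP server.

```javascript
// Added example, not from the original post. Hardens the filter-building
// step of the question's getOptions(): escape per RFC 4515 and reject
// usernames that cannot be a sAMAccountName before touching the directory.

// RFC 4515 section 3: '*', '(', ')', '\' and NUL must be written as \2a,
// \28, \29, \5c and \00 inside a filter value. Non-ASCII is left as UTF-8,
// which the RFC permits.
function escapeFilterValue(value) {
  return String(value).replace(/[*()\\\0]/g, (ch) =>
    '\\' + ch.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Conservative allow-list (assumption: adjust to the local naming policy).
// AD forbids " / \ [ ] : ; | = , + * ? < > in sAMAccountName, and the
// pre-Windows 2000 logon name is limited to 20 characters.
const SAM_ACCOUNT_NAME = /^[A-Za-z0-9._-]{1,20}$/;

function isValidSamAccountName(username) {
  return SAM_ACCOUNT_NAME.test(String(username));
}

// Build the (sAMAccountName=...) filter. Throws on invalid input so a
// caller cannot fall through to an unescaped search by accident.
function buildUserFilter(username) {
  if (!isValidSamAccountName(username)) {
    throw new Error('username is not a valid sAMAccountName');
  }
  return '(sAMAccountName=' + escapeFilterValue(username) + ')';
}

// Build the bind name the question uses (user@realm). Validation runs
// first so a username like "admin@other.realm" cannot pick another realm.
function buildBindUpn(username, realm) {
  if (!isValidSamAccountName(username)) {
    throw new Error('username is not a valid sAMAccountName');
  }
  return username + '@' + realm;
}

// Demonstration on constructed hostile input: the naive concatenation
// from the question next to the escaped form.
function demo() {
  const hostile = '*)(objectClass=*';
  const naive = '(samaccountname=' + hostile + ')';   // what the question builds
  const escaped = '(sAMAccountName=' + escapeFilterValue(hostile) + ')';
  return { naive, escaped, rejected: !isValidSamAccountName(hostile) };
}

console.log(demo());
```

The naive filter becomes (samaccountname=*)(objectClass=*), which is a different query from the one intended; the escaped form matches only an account literally named *)(objectClass=*, and the allow-list rejects it before any search is sent.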

Accepted answer

The issue was that I was connecting to 'LDAP://internal.mycompany.com', when I should have been connecting to 'LDAP://LOGON_M0103.internal.mycompany.com'. Apparently that's the name of the actual domain controller.

For anyone else that has this issue, I found the answer by using AD Explorer and looking at the root of the connection, where it said the domain controller's name in square brackets. Also, there's an entry OU=Domain Controllers, and that has CN=LOGON_M0103 within it inside the AD.

I'm still puzzled by why it was even working at all with just 'LDAP://internal.mycompany.com'.
