使用Passport和node.js的ldap身份验证绑定错误 [英] bind error with ldap authentication using Passport and node.js

问题描述

我无法绑定到ldap服务器.我有以下代码:

I have problem to bind to the ldap server. I have following codes:

在password.js文件中

in passport.js

module.exports = function() {
// Serialize sessions
passport.serializeUser(function(user, done) {
console.log('userid' + user.id)
    done(null, user.id);
});

// Deserialize sessions
passport.deserializeUser(function(id, done) {
    User.findOne({
        _id: id
    }, '-password', function(err, user) {
        done(err, user);
    });
});

passport.use(new LdapStrategy({
        usernameField:'username',
        passwordField:'password', 
        server: {
            url: 'ldap://xxx',
            //bindDn: 'AD\\'+'username',
            searchFilter: '(objectclass=*)',
            searchBase: 'ou=rzuser, dc=xxx, dc=xxx, dc=xxx',
        }
    },
    return done(null, user);
    }
));
};

我已经通过以下代码在服务器端对ldap策略进行了身份验证:

I have authenticated the ldap strategy in server side with following code:

passport.authenticate('ldapauth', function(err, user, info) {

即使使用正确的用户名和密码，我也会收到以下错误消息:

even with correct username and password, I get following error:

[OperationsError: 000004DC: LdapErr: DSID-0C0906DD, comment: In order to
perform this operation a successful bind must be completed on the 
connection., data 0, v1772].

我认为问题在于将正确的用户名传递给服务器.我的ldap服务器接受带有域名的用户名作为用户名:domain \ username.在我的情况下，域为"AD".因此，传递的用户名应为"AD \用户名".任何机构都可以帮助我使用正确的配置将其传递给服务器吗?

I think the problem is passing the correct username to the server. My ldap server accepts username with domain name as username: domain\username. In my case domain is "AD". so the passed username should be "AD\username". Can any body help me in using correct configurations to pass this to the server?

推荐答案

passport-ldapauth (免责声明:我是作者)执行以下操作:

passport-ldapauth (disclaimer: I'm the author) does the following:

1. 使用 bindDn 和 bindCredentials (如果提供)绑定到LDAP服务器
2. 使用已定义的 searchFilter 和 searchBase
通过此管理员连接搜索用户
3. 如果返回一个结果(只有一个结果)，请尝试使用该结果和用户指定的密码进行绑定.

1. Bind to the LDAP server using bindDn and bindCredentials, if provided
2. Search for the user over this admin connection using the defined searchFilter and searchBase
3. If one, and only one, result is returned, attempt to bind using that result and the user given password.

您没有通过管理员凭据，即.您正在尝试进行匿名搜索，如果服务器不允许匿名访问(这可能是最常见的情况)，则可能是导致错误的原因.您应该定义 bindDn (使用完整DN是安全的)和 bindCredentials .通常使用一个服务帐户，即.不是任何人的个人帐户.

You are not passing the admin credentials, ie. you're trying to do anonymous search, and that would be a probable cause for the error if the server does not allow anonymous access (which is probably the most common scenario). You should define bindDn (use full DN to be safe) and bindCredentials. Usually a service account is used, ie. something that is not anyones personal account.

完成步骤3是因为LDAP服务器通常需要完整的DN进行绑定，但是即使用户知道其DN，登录用户名也不是很方便.这也适用于 bindDn ，尽管某些服务器确实允许使用其他形式，例如.电子邮件地址，直接.

Step 3 is done because LDAP servers often require full DN to bind, but even if users knew their DN it is not very convenient username for login. This also applies to the bindDn, although some servers do allow using some other form, eg. email address, directly.

除非只有一种用法，否则登录仍将失败，因为您的搜索过滤器将返回LDAP中的每个对象，并且将不执行步骤3.您将需要使用由用户在搜索过滤器中登录提供的用户名.例如，(samaccountname = {{username}})将搜索一个用户名，该用户名是尝试登录的用户提供的用户名.

Login will still fail unless there is only one use because your search filter will return every object from LDAP, and step 3 will not be performed. You will need to use the username provided by the user logging in in the search filter. For example, (samaccountname={{username}}) would search for a user whose username is the one provided by the user trying to log in.

这篇关于使用Passport和node.js的ldap身份验证绑定错误的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！