Tags: ldap, openldap, ldapjs

Authentication with ldap without user's password


I am trying to create login authentication with ldapjs. I set up all credentials and everything is working fine, but the problem is I can bind a user just with his uid (user id, aka username); it doesn't ask for a password and I don't know how to fix this. It must ask for uid and userPassword to connect.

I tried to connect with the same credentials including userPassword, but it didn't work for me.

ldapConfig.js: in this file I set up all the LDAP config

  // exported so that login.js can require('./ldapConfig'); values are masked as in the original
  module.exports = {
    'url': 'ldap://*************',
    'port': '***',
    'timeout': '',
    'connectTimeout': '',
    'secret': '**********',
    'reconnect': true,
    'filtre': '(&(ObjectClass=*******)',
    'search_dn': 'ou=******,dc=****,dc=****',
    'domain': 'cn=******,dc=****,dc=****'
  }

login.js: in this file I tried to connect to the LDAP server, and it works really fine, and then I want to get the user by uid

  const ldap = require('ldapjs')
  const assert = require('assert')
  const ldapConfig = require('./ldapConfig')

  const server = ldapConfig.url
  const ldapDomain = ldapConfig.domain
  const password = ldapConfig.secret
  const searchDomain = ldapConfig.search_dn

  // `request` is the incoming HTTP request; the original snippet omits the surrounding handler
  function login (request) {
    const client = ldap.createClient({
      url: server
    })
    // bind with the service account configured in ldapConfig.js
    client.bind(ldapDomain, password, err => {
      assert.ifError(err)
    })
    const opts = {
      scope: 'sub',
      filter: ldapConfig.filtre + `(mail=${request.body.mail}))`
    }
    // look the user up under search_dn and print each matching entry
    client.search(searchDomain, opts, (err, res) => {
      assert.ifError(err)

      res.on('searchEntry', entry => {
        console.log(entry.object)
      })
    })
  }

I hope it's clear. Thanks.


Solution

  • Unauthenticated bind (a seemingly successful bind when you supply a userID and null password) may be enabled in your directory. If you are using OpenLDAP, as the question tags indicate, check slapd.conf for allow bind_anon_cred.

    Unless there is a specific need for unauthenticated bind, I disable it on the directory servers. In the rare cases where unauthenticated bind is required, all applications authenticating against the directory need to validate user input before attempting to bind -- that is, verify that the input username and password values are not null.
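As an added example (not code from the question or the answer), here is a search-then-bind login in ldapjs that applies the answer's advice: it refuses null or empty credentials before any bind is attempted, and it escapes the uid before placing it in the filter. It assumes `client` is an ldapjs client whose search entries expose the DN as `entry.objectName`; the config keys follow the question's ldapConfig.js, while the sample directory and the in-memory fake client are constructed here so the flow can be exercised offline.

```javascript
// Added example; `client` is assumed to be an ldapjs client. Reject empty credentials
// before anything reaches client.bind(): with allow bind_anon_cred an empty password "binds".
function validateCredentials(uid, password) {
  if (typeof uid !== 'string' || uid.trim() === '') return 'missing uid';
  if (typeof password !== 'string' || password === '') return 'missing password';
  return null;
}
// Escape a user-supplied value before embedding it in a search filter (RFC 4515).
function escapeFilterValue(v) {
  return v.replace(/[\\*()\0]/g, (c) => '\\' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}
// Search-then-bind: service bind, resolve the user's DN by uid, bind as that DN. cfg uses the question's keys.
function authenticateUser(client, cfg, uid, password, done) {
  const problem = validateCredentials(uid, password);
  if (problem) return done(new Error(problem));
  client.bind(cfg.domain, cfg.secret, (err) => {
    if (err) return done(err);
    const filter = cfg.filtre + '(uid=' + escapeFilterValue(uid) + '))';
    client.search(cfg.search_dn, { scope: 'sub', filter }, (err, res) => {
      if (err) return done(err);
      const dns = [];
      res.on('searchEntry', (entry) => dns.push(String(entry.objectName)));
      res.on('error', done);
      res.on('end', () => {
        if (dns.length !== 1) return done(new Error('user not found or ambiguous'));
        client.bind(dns[0], password, (e) => done(e, e ? undefined : dns[0]));
      });
    });
  });
}
// Constructed offline stand-in for an ldapjs client; imitates bind_anon_cred: empty password always "binds".
function makeFakeClient(entries) {
  const bind = (dn, pw, cb) => cb(pw === '' || entries.some((e) => e.dn === dn && e.password === pw)
    ? null : new Error('InvalidCredentialsError'));
  const search = (base, opts, cb) => {
    const h = {};
    cb(null, { on(ev, fn) { h[ev] = fn; } });
    const uid = (/\(uid=([^)]*)\)\)$/.exec(opts.filter) || [])[1];
    entries.filter((e) => e.uid === uid).forEach((e) => h.searchEntry({ objectName: e.dn }));
    h.end();
  };
  return { bind, search };
}
const sampleCfg = { // constructed sample config, same keys as the question's ldapConfig.js
  domain: 'cn=svc,dc=example,dc=com', secret: 'svc-secret',
  search_dn: 'ou=people,dc=example,dc=com', filtre: '(&(objectClass=inetOrgPerson)' };
const sampleDirectory = [ // constructed directory contents for the fake client
  { dn: 'cn=svc,dc=example,dc=com', uid: 'svc', password: 'svc-secret' },
  { dn: 'uid=alice,ou=people,dc=example,dc=com', uid: 'alice', password: 'correct horse' },
];
```

With a real client the second bind leaves the connection authenticated as the user, so call client.unbind() (or use a separate connection) once the check is done.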