Question
I have a problem binding to the LDAP server. I have the following code:
in passport.js
var passport = require('passport');
var LdapStrategy = require('passport-ldapauth');
// Assumed: User is a Mongoose model; the original page does not show where it comes from.
var User = require('mongoose').model('User');

module.exports = function() {
    // Serialize sessions
    passport.serializeUser(function(user, done) {
        console.log('userid' + user.id);
        done(null, user.id);
    });

    // Deserialize sessions
    passport.deserializeUser(function(id, done) {
        User.findOne({
            _id: id
        }, '-password', function(err, user) {
            done(err, user);
        });
    });

    passport.use(new LdapStrategy({
        usernameField: 'username',
        passwordField: 'password',
        server: {
            url: 'ldap://xxx',
            //bindDn: 'AD\\'+'username',
            searchFilter: '(objectclass=*)',
            searchBase: 'ou=rzuser, dc=xxx, dc=xxx, dc=xxx',
        }
    },
    // verify callback: receives the LDAP entry that bound successfully
    function(user, done) {
        return done(null, user);
    }
    ));
};
I have authenticated the LDAP strategy on the server side with the following code:
    passport.authenticate('ldapauth', function(err, user, info) {
Even with the correct username and password, I get the following error:
[OperationsError: 000004DC: LdapErr: DSID-0C0906DD, comment: In order to
perform this operation a successful bind must be completed on the
connection., data 0, v1772].
I think the problem is passing the correct username to the server. My LDAP server accepts a username with the domain name as username: domain\username. In my case the domain is "AD", so the passed username should be "AD\username". Can anybody help me use the correct configuration to pass this to the server?
Answer 1:
passport-ldapauth (disclaimer: I'm the author) does the following:
- Bind to the LDAP server using bindDn and bindCredentials, if provided
- Search for the user over this admin connection using the defined searchFilter and searchBase
- If one, and only one, result is returned, attempt to bind using that result and the user-given password.
You are not passing the admin credentials, i.e. you're trying to do an anonymous search, and that would be a probable cause for the error if the server does not allow anonymous access (which is probably the most common scenario). You should define bindDn (use the full DN to be safe) and bindCredentials. Usually a service account is used, i.e. something that is not anyone's personal account.
Step 3 is done because LDAP servers often require the full DN to bind, but even if users knew their DN it is not a very convenient username for login. This also applies to the bindDn, although some servers do allow using some other form, e.g. an email address, directly.
Login will still fail unless there is only one user, because your search filter will return every object from LDAP, and step 3 will not be performed. You will need to use the username provided by the user logging in, in the search filter. For example, (samaccountname={{username}}) would search for a user whose username is the one provided by the user trying to log in.
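The following is an added example, not code from the question or from passport-ldapauth. It puts the answer's two fixes into a strategy options object (a service-account bindDn/bindCredentials, and a searchFilter that narrows to the login name via {{username}}), adds a pre-flight check that reports the two problems in the question's configuration, and shows RFC 4515 escaping of the value substituted for {{username}} so that characters like `*` or `)` in a login name cannot change the filter's meaning. The service-account DN, the password environment variable and the check function are assumptions of this example; passport-ldapauth's own placeholder handling is not reproduced here.

```javascript
// Added example: hardened passport-ldapauth options plus a pre-flight check.
// Nothing here is the library's own code; identifiers are assumptions.

// The question's configuration, reconstructed: no admin bind and a catch-all filter.
const brokenOptions = {
  server: {
    url: 'ldap://xxx',
    searchFilter: '(objectclass=*)',
    searchBase: 'ou=rzuser, dc=xxx, dc=xxx, dc=xxx',
  },
};

// Corrected options: a dedicated service account binds first, then the user is
// located by the username typed at login (step 3 then binds as that user).
function buildLdapOptions({ url, bindDn, bindCredentials, searchBase }) {
  return {
    usernameField: 'username',
    passwordField: 'password',
    server: {
      url,
      bindDn,            // full DN of the service account (assumed placeholder value)
      bindCredentials,   // its password; read from the environment, never committed
      searchBase,
      searchFilter: '(sAMAccountName={{username}})',
    },
  };
}

// RFC 4515 escaping for a value placed inside a filter: backslash, *, (, ) and NUL
// become \XX hex escapes, so "a)(cn=*" stays a literal name rather than new filter syntax.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, (ch) => {
    const hex = ch.charCodeAt(0).toString(16).padStart(2, '0');
    return '\\' + hex;
  });
}

// Substitute the escaped login name for every {{username}} in the template.
function renderFilter(template, username) {
  return template.replace(/\{\{username\}\}/g, escapeFilterValue(username));
}

// Pre-flight check (assumed helper): returns the problems that would reproduce
// the question's failure, empty when the options follow the answer's advice.
function checkOptions(options) {
  const s = options.server || {};
  const problems = [];
  if (!s.bindDn || !s.bindCredentials) {
    problems.push('no bindDn/bindCredentials: the user search would run anonymously');
  }
  if (!/\{\{username\}\}/.test(s.searchFilter || '')) {
    problems.push('searchFilter has no {{username}}: the search cannot narrow to one user');
  }
  return problems;
}

// Constructed sample values; LDAP_BIND_PASSWORD is an assumed variable name.
const fixedOptions = buildLdapOptions({
  url: 'ldap://xxx',
  bindDn: 'cn=svc-ldap,ou=service,dc=example,dc=com',
  bindCredentials: process.env.LDAP_BIND_PASSWORD || 'example-only-password',
  searchBase: 'ou=rzuser, dc=xxx, dc=xxx, dc=xxx',
});

console.log('broken:', checkOptions(brokenOptions));
console.log('fixed :', checkOptions(fixedOptions));
console.log(renderFilter(fixedOptions.server.searchFilter, 'a)(cn=*'));
```

In a real deployment, `fixedOptions` is what you would pass to `new LdapStrategy(fixedOptions, verify)`; the service account needs only read access to the search base, and its password belongs in the environment or a secrets store rather than in passport.js.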
Source: https://stackoverflow.com/questions/32293689/bind-error-with-ldap-authentication-using-passport-and-node-js