
Comma in user DN causes authentication failure. #89

Open

ajay-fcb opened this issue Oct 19, 2020 · 3 comments

Comments

@ajay-fcb

  • If there's a comma in the user DN, the LDAP authentication call fails.

  • The user DN is of the form 'cn=ray\,rex,dc=example,dc=com'.

  • The group attribute is of the form
    member : cn=ray\,rex,dc=example,dc=com

  • The program used to test is:

const LdapAuth = require('ldapauth-fork');

const ldap = new LdapAuth({
  url: 'ldap://localhost:10389',
  searchBase: 'dc=example,dc=com',
  searchFilter: '(uid={{username}})',
  groupSearchBase: 'dc=example,dc=com',
  // {{dn}} is replaced with the authenticated user's DN, which here contains an escaped comma
  groupSearchFilter: '(&(objectclass=*)(member={{dn}}))',
  groupSearchScope: 'sub',
  groupSearchAttributes: 'cn',
  reconnect: false
});

ldap.authenticate('ray', 'password', function (err, user) {
  if (err) {
    console.log('Authentication error: ' + err);
    // rethrow so the full LDAP error object and stack are printed; the process exits non-zero
    throw err;
  }
  console.log('Successful Authentication');
  // user._groups holds the entries matched by groupSearchFilter
  const roles = user._groups.map(element => '[' + element.dn + ']');
  console.log('Successfully authenticated ldap groups dn: ' + roles);
  process.exit(0);
});

  • Error reported

PS C:\AJAY_WORK\APAR\ACELDAP\ldappgm> node .\ldaptest2.js
Authentication error: LoopDetectError: LOOP_DETECT: failed for MessageType : SEARCH_REQUEST
Message ID : 2
SearchRequest
baseDn : 'dc=example, dc=com'
filter : '(&(objectClass=*)(member=cn=ray,rex,dc=example,dc=com))'
scope : whole subtree
typesOnly : false
Size Limit : no limit
Time Limit : 10
Deref Aliases : never Deref Aliases
attributes : 'cn'
org.apache.directory.api.ldap.model.message.SearchRequestImpl@35551da: java.lang.IllegalArgumentException: ERR_13247_INVALID_VALUE_CANT_NORMALIZE Invalid upValue, it cant be normalized

C:\AJAY_WORK\APAR\ACELDAP\ldappgm\ldaptest2.js:18
throw err;
^
LDAPError [LoopDetectError]: LOOP_DETECT: failed for MessageType : SEARCH_REQUEST
Message ID : 2
SearchRequest
baseDn : 'dc=example, dc=com'
filter : '(&(objectClass=*)(member=cn=ray,rex,dc=example,dc=com))'
scope : whole subtree
typesOnly : false
Size Limit : no limit
Time Limit : 10
Deref Aliases : never Deref Aliases
attributes : 'cn'
org.apache.directory.api.ldap.model.message.SearchRequestImpl@35551da: java.lang.IllegalArgumentException: ERR_13247_INVALID_VALUE_CANT_NORMALIZE Invalid upValue, it cant be normalized
at messageCallback (C:\AJAY_WORK\APAR\ACELDAP\ldappgm\node_modules\ldapauth-fork\node_modules\ldapjs\lib\client\client.js:1419:45)
at Parser.onMessage (C:\AJAY_WORK\APAR\ACELDAP\ldappgm\node_modules\ldapauth-fork\node_modules\ldapjs\lib\client\client.js:1089:14)
at Parser.emit (events.js:310:20)
at Parser.write (C:\AJAY_WORK\APAR\ACELDAP\ldappgm\node_modules\ldapauth-fork\node_modules\ldapjs\lib\messages\parser.js:111:8)
at Socket.onData (C:\AJAY_WORK\APAR\ACELDAP\ldappgm\node_modules\ldapauth-fork\node_modules\ldapjs\lib\client\client.js:1076:22)
at Socket.emit (events.js:310:20)
at addChunk (_stream_readable.js:286:12)
at readableAddChunk (_stream_readable.js:268:9)
at Socket.Readable.push (_stream_readable.js:209:10)
at TCP.onStreamRead (internal/stream_base_commons.js:186:23) {
lde_message: 'LOOP_DETECT: failed for MessageType : SEARCH_REQUEST\n' +
'Message ID : 2\n' +
' SearchRequest\n' +
" baseDn : 'dc=example, dc=com'\n" +
" filter : '(&(objectClass=*)(member=cn=ray,rex,dc=example,dc=com))'\n" +
' scope : whole subtree\n' +
' typesOnly : false\n' +
' Size Limit : no limit\n' +
' Time Limit : 10\n' +
' Deref Aliases : never Deref Aliases\n' +
" attributes : 'cn'\n" +
'org.apache.directory.api.ldap.model.message.SearchRequestImpl@35551da: java.lang.IllegalArgumentException: ERR_13247_INVALID_VALUE_CANT_NORMALIZE Invalid upValue, it cant be normalized',
lde_dn: null
}

@Grahahax

I've worked around this issue myself by providing my own groupSearchFilter function in options, but we need to upgrade to ldapjs v2 to resolve this.

@vesse
Owner

vesse commented Nov 14, 2020

Oh, v2 has been released; it was so long in next that I forgot the whole thing. I'll try to remember to bump the deps tomorrow.

@pcworld

pcworld commented Nov 25, 2020

The current escaping is insufficient. In certain scenarios, this may even be a security issue.
See https://ldapwiki.com/wiki/DN%20Escape%20Values and https://tools.ietf.org/search/rfc4515 for some characters that need escaping.
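Worked example of the escaping pcworld refers to, applied to the escaped-comma DN from the original report. This is an added example, not ldapauth-fork's or ldapjs's code; it assumes the `{{dn}}` / `{{username}}` placeholder syntax from the options above and applies RFC 4515 assertion-value escaping before each value is substituted into the filter template.

```javascript
// Added example (not ldapauth-fork's code): escape a value per RFC 4515
// before substituting it into a search filter template. The {{name}}
// placeholder syntax is assumed from the groupSearchFilter option above.

// RFC 4515 section 3: '*', '(', ')', '\' and NUL MUST be sent as a backslash
// followed by two hex digits; non-ASCII bytes MAY be, and are here too.
function escapeFilterValue(value) {
  let out = '';
  for (const b of Buffer.from(String(value), 'utf8')) {
    if (b === 0x2a || b === 0x28 || b === 0x29 || b === 0x5c || b === 0x00 || b >= 0x80) {
      out += '\\' + b.toString(16).padStart(2, '0');
    } else {
      out += String.fromCharCode(b);
    }
  }
  return out;
}

// Replace every {{name}} in the template with the escaped value; the
// template's own '*' and parentheses are left alone, only values are escaped.
function buildFilter(template, values) {
  return template.replace(/\{\{(\w+)\}\}/g, (match, name) => {
    if (!(name in values)) throw new Error('no value for placeholder ' + name);
    return escapeFilterValue(values[name]);
  });
}

// The user DN from the report. "\," is an RFC 4514 DN escape; as a filter
// assertion value that backslash must itself become "\5c" so the server
// decodes it back to one backslash. The reported filter lost it entirely,
// leaving "cn=ray,rex,..." which the server could not normalize as a DN.
const USER_DN = 'cn=ray\\,rex,dc=example,dc=com';
const GROUP_FILTER = '(&(objectclass=*)(member={{dn}}))';

function groupFilterForReportedDn() {
  return buildFilter(GROUP_FILTER, { dn: USER_DN });
}

// Constructed hostile username: unescaped, it would close the (uid=...)
// assertion and splice in a second one; escaped, it is just a literal value.
function filterForHostileUsername() {
  return buildFilter('(uid={{username}})', { username: '*)(uid=*' });
}

console.log(groupFilterForReportedDn());  // (&(objectclass=*)(member=cn=ray\5c,rex,dc=example,dc=com))
console.log(filterForHostileUsername());  // (uid=\2a\29\28uid=\2a)
```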
