nolags

Reputation: 633

ldap authentication login only works with typing in the hashed password

I have a nodejs application with an angular frontend. When I want to log in with a user, it only works when I type in the SSHA hashed password. But with the plain text password I can't log in.

The ldap client configuration is:

function auth(user, password, successFn){
  var opts ={
    scope: 'sub',
    // the username is concatenated straight into the search filter
    filter: '(&(objectClass=inetOrgPerson)(uid=' + user + '))',
  };

  var callback = function (err, res){
    handleResult(collect, err, res);
  };

  var collect = {
    list: [],
    entry: function(entry){ this.list.push(entry); },
    done: function(){
      var correct = this.list.length == 1;
      if ( correct ){
        // compares the stored userPassword attribute value (the SSHA hash)
        // with whatever the user typed, so only the hash itself matches
        var pw = this.list[0].userPassword;
        correct = (pw == password);
      }
      if ( correct ){
        var role = this.list[0].employeeType;
        successFn(role[0]);
      }
      else{
        successFn(correct);
      }
    }
  };

  // client and base are assumed to be the LDAP client and search base set up elsewhere
  client.search(base, opts, callback);
}

and

router.post('/login', function(req, res, next) {
  var user = req.body.username;
  var pw = req.body.password;

  ldap.auth(user, pw, function(role){
    if ( role ){
      req.session.user = user;
      req.session.userRole = role;
    }
    // response handling is not shown in the post
  });
});

Is there something wrong with the code in nodejs or is this a configuration mistake on the ldap server? And how can I fix this?

Upvotes: 0

Views: 747

Answers (1)

Ludovic Poitou

Reputation: 4868

This looks like a major security concern. Your code is not using LDAP Authentication (i.e. an LDAP Bind Request). It retrieves the user entry and compares the password field with the user input. But most LDAP servers will hash the user password to secure it. I would strongly recommend changing the auth method to perform a Bind to validate the password and then collect the Roles.

Upvotes: 0
