LDAP Basics to start with

Hello,

Now I have time to experiment with LDAP, but I think I need a little help from somebody who has done that before.

My first problem is to authenticate a user.

I used the following nodes:
node-red-contrib-ldap-login (status: connected and no answer)
node-red-node-ldap (status: bound/disconnected cycling and no answer)

The information I have:
ldaps url and port
ldap search base string
DC url/ip
AD user/pw

I hope someone can give me a little help...

dearly
Chorum

Do I need ldapjs to get any LDAP node to work?

You shouldn't, but it obviously depends on the LDAP service.

Also bear in mind that you should NEVER do logins over an untrusted network without encryption turned on. Even on trusted networks, you should always use TLS wire encryption (LDAPS) if you want to be able to trust the logins.

We are using LDAPS and we are in a trusted network, so these points are checked, I think...

But I can't get an answer from the LDAPS/AD at the moment. We haven't done that with Node-RED yet.

So I need to find out how to do it.

Both those nodes should already declare ldapjs as dependencies and automatically install it if needed when you install the node.

As it is, you are going to need to supply a bunch more information before we are likely to be able to help with any of this. Have you checked to see if there are any errors in the logs? node-red-node-ldap should print errors to the console for most errors, IIRC (it's been a VERY long time since I wrote and used that node).

OK, I will make a package and reply in some minutes.

  1. Thanks for answering!

  2. My test flow image:

  3. My test flow:

[
    {
        "id": "a8cca73b.2e6068",
        "type": "debug",
        "z": "637f0695.31d718",
        "name": "",
        "active": true,
        "console": "false",
        "complete": "false",
        "x": 1430,
        "y": 1100,
        "wires": []
    },
    {
        "id": "23454771.fb60a8",
        "type": "inject",
        "z": "637f0695.31d718",
        "name": "",
        "props": [
            {
                "p": "payload"
            },
            {
                "p": "topic",
                "vt": "str"
            }
        ],
        "repeat": "",
        "crontab": "",
        "once": false,
        "onceDelay": "",
        "topic": "",
        "payload": "my.email@company.com",
        "payloadType": "str",
        "x": 970,
        "y": 1100,
        "wires": [
            [
                "25d47256.d4853e",
                "c6e98dce.ca5d28"
            ]
        ]
    },
    {
        "id": "25d47256.d4853e",
        "type": "ldap out",
        "z": "637f0695.31d718",
        "name": "",
        "topic": "",
        "base": "DC=myvalue,DC=myvalue",
        "filter": "uid={{payload}}",
        "server": "ab7709a7.36bd88",
        "x": 1230,
        "y": 1100,
        "wires": [
            [
                "a8cca73b.2e6068"
            ]
        ]
    },
    {
        "id": "c6e98dce.ca5d28",
        "type": "debug",
        "z": "637f0695.31d718",
        "name": "",
        "active": true,
        "console": "false",
        "complete": "false",
        "x": 1250,
        "y": 1160,
        "wires": []
    },
    {
        "id": "ab7709a7.36bd88",
        "type": "ldap",
        "z": "",
        "server": "Ldaps://url",
        "port": "636",
        "tls": false,
        "tlsCert": ""
    }
]

I had to change the real data for security.

  1. What do I get:
    I only get one debug message in the sidebar; the lower debug node gives me the correct message,
    but I don't get anything more.
    With the real information the node switches between "bound" and "disconnected".

Do I need TLS for LDAPS, and if so, where do I get the TLS cert file?

LDAP is something new for me, so I would be happy if you can help me with that.

Greetings
Chorum

So this is actually Microsoft Active Directory?

Do you even know if LDAPS access is configured?

Enable Lightweight Directory Access Protocol (LDAP) over Secure Sockets Layer (SSL) - Windows Server | Microsoft Docs

I "think" it is Microsoft AD. Is there another provider of AD?
I have an account for it, but I shouldn't need it.

LDAPS is up and running. I know we have an application that uses LDAPS auth,
but that's not Node-RED.

Is there a way to use LDAPS without a certificate?
Or do I have to put the cert into the settings.js for Node-RED?

No, but there are many other providers of LDAP. And it is important you "know" because how you access AD is quite often very different. It all depends on how it has been set up and what your account has permissions to do.

Then you should be talking to your infrastructure team about how to access it and whether you have permissions.

Bear in mind that most user accounts will certainly not be permitted direct LDAP access to AD since AD contains a LOT of very sensitive information.

The "S" is short for secure - LDAPS like HTTPS uses TLS encryption which is certificate based.

I will ask the developer of that app on Friday, but I have the information to use LDAPS.

I have the permissions and a user for AD.

The idea came from a colleague. That's why I asked.
So I need to integrate the cert into Node-RED?

I would start with a command line tool to see if you can use the credentials and other information you've been given to access AD over LDAP.

That way, you aren't clouding the issue with any possible issues from the contributed node(s).

And check in with the technical owner of your AD that they are OK with you connecting from a Node.js application. AD is not a free-for-all. As I said, it is likely tightly controlled - and rightly so. Messing up AD (which might be possible simply with a badly constructed LDAP query), could slow or stop access to all Windows resources on that Domain. Needless to say, that would be highly career limiting.

I've not used LDAP with AD for many years though once-upon-a-time, I was an X.500 and LDAP consultant working with some of the big enterprise directory suppliers and on some of the largest global LDAP deployments. My current detail knowledge though is rather rusty and outdated I'm afraid. These days, as an enterprise architect, I only get to deal with the bigger pictures.

You haven't answered the question about what is in the Node-RED log.

This should show an error when it disconnects.

Also, the server entry in the ldap config node should just contain the hostname, not a URL (so it should not start with ldap:// or ldaps://).

You only need to supply a certificate when using TLS if the LDAP server cert is signed by a private CA.
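As an added example (not code from this thread or from the node-red-node-ldap project), a small script that checks an exported flow for the configuration mistakes raised above (server given as a URL, LDAPS port with the TLS box unticked, base DN without commas) and shows RFC 4515 escaping for a value templated into the search filter; the flow contents and node ids are constructed to mirror the one posted earlier.

```javascript
// Added example, not code from the thread or from node-red-node-ldap: lint an
// exported Node-RED flow for the mistakes discussed above and show how to escape
// a value before it is inserted into an LDAP search filter.

// Constructed sample mirroring the ldap config node and ldap out node posted above.
const SAMPLE_FLOW = [
  { id: 'ab7709a7.36bd88', type: 'ldap', server: 'Ldaps://url', port: '636', tls: false, tlsCert: '' },
  { id: '25d47256.d4853e', type: 'ldap out', base: 'DC=myvalue DC=myvalue',
    filter: 'uid={{payload}}', server: 'ab7709a7.36bd88' },
];

// RFC 4515: escape \ * ( ) and NUL as \xx hex so that a msg.payload such as
// "*)(cn=*" cannot change the structure of the filter it is inserted into.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g,
    (c) => '\\' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

function buildFilter(attribute, value) {
  return `(${attribute}=${escapeFilterValue(value)})`;
}

// Returns human-readable findings; an empty list means no problems were seen.
function lintFlow(flow) {
  const findings = [];
  for (const node of flow) {
    if (node.type === 'ldap') {
      const server = String(node.server || '');
      if (/^ldaps?:\/\//i.test(server)) {
        findings.push(`${node.id}: server must be a bare hostname, not "${server}"`);
      }
      if (Number(node.port) === 636 && node.tls !== true) {
        findings.push(`${node.id}: port 636 is LDAPS but the TLS box is not ticked`);
      }
    } else if (node.type === 'ldap out') {
      // RDN components of a DN are separated by commas, never by spaces.
      if (/=\S+\s+[A-Za-z]+=/.test(node.base || '')) {
        findings.push(`${node.id}: base DN components must be comma separated`);
      }
      if (/\{\{\s*payload\s*\}\}/.test(node.filter || '')) {
        findings.push(`${node.id}: filter interpolates msg.payload unescaped; escape it first`);
      }
    }
  }
  return findings;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(lintFlow(SAMPLE_FLOW).join('\n'));
  console.log(buildFilter('userPrincipalName', 'my.email@company.com'));
}
```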

I don't have access to the Node-RED log. It's administered in another location.

First error found, so I will try only the hostname for the server entry :slight_smile:

So if I don't check TLS in the node, I may use LDAPS without a cert?

Thanks for your patience!

I will check that and reply.

If you tick the TLS box it will attempt to connect to the server via TLS.

If the server is using a TLS certificate signed by a public CA then it will just work; if it's signed by a private CA then you will need to provide a path to a copy of that CA certificate. But the important thing to note is that the file needs to be on the machine that's running the Node-RED backend (not your machine), and you've just said you don't have access to that machine (e.g. to see the logs), so it is unlikely you will be able to use this option.

I will try and find time to update the node to use the core TLS config node, which would fix this, but it's unlikely to be in the next week or two.

Version 1.0.0 of the node-red-node-ldap has been published with better TLS configuration (uses TLS node) and a few other updates.


Hello again,

I tried the Softerra LDAP Browser 4.5 and was able to log in and see everything.
(I didn't have a cert, but SSL.)
So it's possible to use it.

Now I need to use it in Node-RED.

If I use the node with the full credentials for the LDAPS user I get: "failed to bind - Connection Error".

If I use the node without the password of the LDAPS user, the node stays connected until the search and I get: "ldap search error" after the search.

I couldn't test the updated node; I need to wait until IT restarts the Node-RED server.

If I need to use the cert (TLS), it should be on the Node-RED server?

The new TLS support will let you upload a CA certificate if needed, or just choose to not verify the server's certificate.

The failed to bind error implies that either the password or the bind dn is wrong, but without access to the system or the logs it is impossible to say more.

I will reply when I have checked out the new version. Thanks for your help!
Till then I'll practice some LDAP queries...

Ah, the joys of LDIF :shudder: :grinning: