Active Directory authentication with ldap.js

3
votes

I've been attempting to authenticate to an Active Directory Windows 2008 server with ldap.js. The only goal is to authenticate to the server, and I am using the client side stuff (not creating new server, which is what all the documentation is about). I'm totally new to LDAP, and as such, authenticating with username "MYDOMAIN\myuser" does not work in ldap.js, but does in ldapsearch: ldapsearch -H ldap://192.168.1.212:389 -x -D 'MYDOMAIN\myuser' -w pa33w0rd -LLL -b "dc=mydomain" '(sAMAccountName=myuser)' which authenticates successfully but then spits out Referral (10).

trying that in ldap.js with client.bind("MYDOMAIN\myuser", 'pa33w0rd', function(err) { ... } ); fails with 49 InvalidCredentialsError 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, ...

Attempting to re-write MYDOMAIN\myuser as a Distingushed Name dn: cn=myuser, dc=mydomain also fails with auth errors also in ldap search. What is the proper way to convert DOMAIN\USER (domain backslash user format) to a DN?

1
node.jsauthenticationactive-directoryldap

1 Answers

3
votes

From http://www.rlmueller.net/NameTranslateFAQ.htm:

  1. Distinguished Names - format as specified in RFC 1779. For example cn=TestUser,ou=Sales,dc=MyDomain,dc=com.
  2. NT format - the name format used in Windows NT 4.0. For example MyDomain\TestUser, where MyDomain is the NetBIOS name of the domain and TestUser is the NT name of the object (the pre-Windows 2000 name). The value of the sAMAccountName attribute is the NT name of the object.

Thus, the NT format (domain backslash user) login name MYDOMAIN\myuser can map to cn=myuser,cn=Users,dc=mydomain,dc=com or cn=myuser,cn=Users,dc=mydomain,dc=local or a bunch of others. I suggest you look at the hosts file or DNS domain name of the AD server. You should also change the -b (base) to include the dc=com or dc=local, or whatever to fix the referral error.