ldap身份验证登录仅适用于输入哈希密码
[英]ldap authentication login only works with typing in the hashed password
问题描述
I have a nodejs application with angular frontend. 
我有一个带角度前端的nodejs应用程序。 When I want to login with a user it only works when I type in the ssha hashed password. 当我想用用户名登录时,仅当我输入ssha哈希密码时才有效。 But with the plain text password I can't login. 但是使用纯文本密码,我无法登录。
the ldap client configuration ist: ldap客户端配置ist:
function auth(user, password, successFn){
var opts ={
scope: 'sub',
filter: '(&(objectClass=inetOrgPerson)(uid=' + user + '))',
};
var callback = function (err, res){
handleResult(collect, err, res);
};
var collect = {
list: [],
entry: function(entry){ this.list.push(entry); },
done: function(){
var correct = this.list.length == 1;
if ( correct ){
var pw = this.list[0].userPassword;
correct = (pw == password);
}
if ( correct ){
var role = this.list[0].employeeType;
successFn(role[0]);
}
else{
successFn(correct);
}
}
}
and 和
router.post('/login', function(req, res, next) {
var user = req.body.username;
var pw = req.body.password;
ldap.auth(user, pw, function(role){
if ( role ){
req.session.user = user;
req.session.userRole = role;
Is there something wrong with the code in nodejs or is this a configuration mistake o the ldap server? nodejs中的代码是否有问题,或者这是ldap服务器的配置错误? And how can I fix this? 我该如何解决呢?
1 个解决方案
解决方案1
0 2016-09-30 08:32:37
This looks like a major security concern. 这似乎是一个主要的安全问题。 Your code is not using LDAP Authentication (ie an LDAP Bind Request). 您的代码未使用LDAP身份验证(即LDAP绑定请求)。 It retrieves the user entry and compare the password field with the user input. 它检索用户输入并将密码字段与用户输入进行比较。 But most LDAP server will hash the user password to secure it. 但是大多数LDAP服务器都会对用户密码进行哈希处理以保护它。 I would strongly recommend to change the auth method to perform a Bind to validate the password and then collect the Roles. 我强烈建议更改auth方法以执行绑定以验证密码,然后收集角色。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.