ldap authentication login only works with typing in the hashed password

Question

I have a nodejs application with angular frontend. When I want to login with a user it only works when I type in the ssha hashed password. But with the plain text password I can't login.

the ldap client configuration ist:

function auth(user, password, successFn){
  var opts ={
    scope: 'sub',
    filter: '(&(objectClass=inetOrgPerson)(uid=' + user + '))',
  };

  var callback = function (err, res){
    handleResult(collect, err, res);
  };

  var collect = {
    list: [],
    entry: function(entry){ this.list.push(entry); },
    done: function(){
      var correct = this.list.length == 1;
      if ( correct ){
        var pw = this.list[0].userPassword;
        correct = (pw == password);
      }
      if ( correct ){
        var role = this.list[0].employeeType;
        successFn(role[0]);
      }
      else{
        successFn(correct);
      }

    }
  }

and

router.post('/login', function(req, res, next) {
  var user = req.body.username;
  var pw = req.body.password;

  ldap.auth(user, pw, function(role){  
    if ( role ){
      req.session.user = user;
      req.session.userRole = role;

Is there something wrong with the code in nodejs or is this a configuration mistake o the ldap server? And how can I fix this?

Answer 1

This looks like a major security concern. Your code is not using LDAP Authentication (ie an LDAP Bind Request). It retrieves the user entry and compare the password field with the user input. But most LDAP server will hash the user password to secure it. I would strongly recommend to change the auth method to perform a Bind to validate the password and then collect the Roles.