cannot get ldap working #360

Closed
justinhelmer opened this issue Dec 24, 2017 · 12 comments
Comments

@justinhelmer

Actual behavior

Logging in through web interface fails with users that exist in ldap

Expected behavior

Login should succeed

Steps to reproduce the behavior

This works:

ldapsearch -x -h 192.168.1.2 -b "dc=ldap,dc=justin,dc=network" -D "uid=root,cn=users,dc=ldap,dc=justin,dc=network" -W "(uid=foo)"

(returns user foo after entering root password)

However, entering the same config into config.yml does not:

  ldap:
    enabled: true
    url: ldap://192.168.1.2:389
    bindDn: uid=root,cn=users,dc=ldap,dc=justin,dc=network
    bindCredentials: <ACTUAL_PASSWORD_INSERTED>
    searchBase: dc=ldap,dc=justin,dc=network
    searchFilter: (uid={{username}})
    tlsEnabled: false

I have also successfully connected with multiple other LDAP clients without issue.

Any help would be greatly appreciated.

@NGPixel
Member

NGPixel commented Dec 25, 2017

Use the following debug file (/server/controllers/auth.js) to display any ldap error in the logs:
https://gist.github.com/NGPixel/ae1a6057931f361b6633c74d01d31837

Then look in /logs or console for any errors after a login attempt.

@justinhelmer
Author

I determined the issue. The test user I was logging in with did not have an email address. As soon as I added an email address for the user, sign in worked perfectly.

This requirement is not straightforward, because signing in with the LDAP user's email does not work as a login parameter with the searchFilter documented in your guides. However logging in with uid={{username}} works perfectly, but only if an email address is provided.

Perhaps an opportunity to update documentation, but feel free to close this issue.

@justinhelmer
Author

requarks/docs-legacy#10

@NGPixel
Member

NGPixel commented Dec 26, 2017

Thanks, merged your PR.

@DmitriyP2018

DmitriyP2018 commented Mar 15, 2018

Hello! I have a problem with logging on with any domain account using LDAP. When I insert the domain account login and password, I receive that the username/password is incorrect. Ok. Then I use the debug file (/server/controllers/auth.js) to display any ldap error in the logs from NGPixel (from the comment above), and now I receive this error after logging on in the browser:

Failed to serialize user into session
Oops, something went wrong

and also receive errors in the wiki-error-0.log file:

2018-03-15T12:44:12.276Z - ^[[31merror^[[39m: [SERVER] Error: Invalid username/password
at /home/wiki/wiki/server/controllers/auth.js:57:53
at allFailed (/home/wiki/wiki/node_modules/passport/lib/middleware/authenticate.js:107:18)
at attempt (/home/wiki/wiki/node_modules/passport/lib/middleware/authenticate.js:180:28)
at Strategy.strategy.fail (/home/wiki/wiki/node_modules/passport/lib/middleware/authenticate.js:297:9)
at Strategy.<anonymous> (/home/wiki/wiki/node_modules/passport-ldapauth/lib/passport-ldapauth/strategy.js:290:21)
at /home/wiki/wiki/node_modules/ldapauth-fork/lib/ldapauth.js:352:14
at /home/wiki/wiki/node_modules/ldapauth-fork/lib/ldapauth.js:279:14
at /home/wiki/wiki/node_modules/ldapauth-fork/lib/ldapauth.js:207:14
at /home/wiki/wiki/node_modules/ldapauth-fork/lib/ldapauth.js:181:16
at sendResult (/home/wiki/wiki/node_modules/ldapjs/lib/client/client.js:1393:14)
at messageCallback (/home/wiki/wiki/node_modules/ldapjs/lib/client/client.js:1419:18)
at Parser.onMessage (/home/wiki/wiki/node_modules/ldapjs/lib/client/client.js:1089:14)
at emitOne (events.js:96:13)
at Parser.emit (events.js:188:7)
at Parser.write (/home/wiki/wiki/node_modules/ldapjs/lib/messages/parser.js:111:8)
at Socket.onData (/home/wiki/wiki/node_modules/ldapjs/lib/client/client.js:1076:22)
at emitOne (events.js:96:13)
at Socket.emit (events.js:188:7)
at readableAddChunk (_stream_readable.js:176:18)
at Socket.Readable.push (_stream_readable.js:134:10)
at TCP.onread (net.js:559:20)

What am I doing wrong? That's a clean installation of wiki.js, and I've enabled ldap in config.yml with these settings:

  ldap:
    enabled: true
    url: ldap://192.168.1.1:389
    bindDn: cn=admin,cn=users,dc=domain,dc=lan
    bindCredentials: Password
    searchBase: cn=users,dc=domain,dc=lan
    searchFilter: (samaccountname={{username}})
    tlsEnabled: false

Sure, I have also successfully connected with multiple other LDAP services and clients without issue.

Will be thankful for any help!

@Victor-Morel

Hello,
I have a similar issue when trying to bind the LDAP (works from the command line, but it seems that my config is wrong).
Eventually I'd like to make it work without having to connect with an email address, is it possible?
BTW, what do you mean by using the auth.js debug file?
Thanks!

@NGPixel
Member

NGPixel commented Sep 8, 2018

@Victor-Morel What you are describing is SSO, which is not supported. This will be possible in 2.0.

If you have issues connecting via LDAP, make a backup of your server/controllers/auth.js and replace it with the file mentioned above. Then start Wiki.js in interactive mode: node server and watch for errors in the console while attempting to login.

@Victor-Morel

Thanks for the quick answer! I'm not really trying to implement an SSO, I just want to use a different uid as username (not the email), is that possible?
Using your explanations, I have an invalid username/password. But it's not that surprising if it tries to connect with a (nonexistent) email address.

2018-09-08T17:08:49.830Z - error: [SERVER] Error: Invalid username/password
at /var/www/wiki/server/controllers/auth.js:57:53
at allFailed (/var/www/wiki/node_modules/passport/lib/middleware/authenticate.js:107:18)
at attempt (/var/www/wiki/node_modules/passport/lib/middleware/authenticate.js:180:28)
at Strategy.strategy.fail (/var/www/wiki/node_modules/passport/lib/middleware/authenticate.js:297:9)
at Strategy.<anonymous> (/var/www/wiki/node_modules/passport-ldapauth/lib/passport-ldapauth/strategy.js:290:21)
at /var/www/wiki/node_modules/ldapauth-fork/lib/ldapauth.js:352:14
at /var/www/wiki/node_modules/ldapauth-fork/lib/ldapauth.js:279:14
at /var/www/wiki/node_modules/ldapauth-fork/lib/ldapauth.js:207:14
at /var/www/wiki/node_modules/ldapauth-fork/lib/ldapauth.js:181:16
at sendResult (/var/www/wiki/node_modules/ldapjs/lib/client/client.js:1393:14)
at messageCallback (/var/www/wiki/node_modules/ldapjs/lib/client/client.js:1419:18)
at Parser.onMessage (/var/www/wiki/node_modules/ldapjs/lib/client/client.js:1089:14)
at emitOne (events.js:116:13)
at Parser.emit (events.js:211:7)
at Parser.write (/var/www/wiki/node_modules/ldapjs/lib/messages/parser.js:111:8)
at Socket.onData (/var/www/wiki/node_modules/ldapjs/lib/client/client.js:1076:22)
at emitOne (events.js:116:13)
at Socket.emit (events.js:211:7)
at addChunk (_stream_readable.js:263:12)
at readableAddChunk (_stream_readable.js:250:11)
at Socket.Readable.push (_stream_readable.js:208:10)
at TCP.onread (net.js:597:20)

@NGPixel
Member

NGPixel commented Sep 8, 2018

@Victor-Morel You can use any field you want, it doesn't have to be an email. It's what you set in the searchFilter option that matters. By default, it's the ldap username, not the email.

@Victor-Morel

Ok, it looks similar to what I have previously been with. But is it possible for the logs to be more verbose? I have difficulties identifying the problem (and my LDAP config is working, I'm using it with other services).

@mbitsnbites

Having similar issues. It would be very useful to have a more verbose log when investigating things like authentication issues. Perhaps an environment variable that controls log verbosity? (WIKI_LOG_AUTH=0/1/2?)

@minsis

minsis commented Mar 28, 2019

I struggled with this for quite a bit and I just wanted to share what I found. I'm not an AD expert by any means, so take whatever I say with a grain of salt.

What I found was the base search dn does NOT do a recursive search into other OUs. So if your bind dn is ou=users,dc=mydomain,dc=local, but you have multiple OUs inside the users ou (e.g. ou=office1,ou=users,dc=mydomain,dc=local), then users inside office1 will not be authenticated against.

I tried playing with the search filter to include any OUs inside, but I haven't gotten it to work properly. Maybe someone who is good at writing search filters can work it out. This is what I came up with, but I'm pretty sure it's still just searching for users inside the same OU: (&(ou:=*)(mail={{username}}))

I ended up switching domains in which all users were inside a single OU so it wasn't an issue for me anymore. Hopefully this helps some of you.
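The two login failures reported in this thread, a user that the searchFilter finds but who has no email attribute (justinhelmer's finding) and users in a nested OU that a non-subtree search never reaches (minsis's finding), can be reasoned about offline before touching a server. This is an added example, not Wiki.js code: LDAP_CONFIG and DIRECTORY are constructed, preflight and in_scope are hypothetical helpers, and the filter evaluator only understands the single-equality `(attr={{username}})` shape used in the config.yml snippets above.

```python
import re

# Constructed settings in the shape of the config.yml `ldap:` block from this thread.
LDAP_CONFIG = {
    "searchBase": "ou=users,dc=mydomain,dc=local",
    "searchFilter": "(uid={{username}})",
}

# Constructed directory entries (dn, attributes); nothing here contacts a real LDAP server.
DIRECTORY = [
    ("uid=alice,ou=users,dc=mydomain,dc=local", {"uid": "alice", "mail": "alice@mydomain.local"}),
    ("uid=bob,ou=users,dc=mydomain,dc=local", {"uid": "bob"}),  # no mail attribute
    ("uid=carol,ou=office1,ou=users,dc=mydomain,dc=local", {"uid": "carol", "mail": "carol@mydomain.local"}),
]


def normalize_dn(dn):
    """Split a DN into lowercase RDNs, most specific first; whitespace around commas is ignored."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def in_scope(dn, base, scope):
    """True if `dn` lies under `base` for LDAP scope 'one' (direct children) or 'sub' (whole subtree)."""
    d, b = normalize_dn(dn), normalize_dn(base)
    if len(d) <= len(b) or d[-len(b):] != b:
        return False
    depth = len(d) - len(b)
    return depth == 1 if scope == "one" else True


def render_filter(template, username):
    """Substitute {{username}} and return (attribute, value) for a single-equality filter."""
    m = re.fullmatch(r"\((\w+)=\{\{username\}\}\)", template)
    if not m:
        raise ValueError("only (attr={{username}}) filters are supported in this example")
    return m.group(1).lower(), username


def preflight(config, directory, username, scope="sub"):
    """Explain whether a login for `username` would find an entry, and whether it carries a mail attribute."""
    attr, value = render_filter(config["searchFilter"], username)
    candidates = [(dn, a) for dn, a in directory if in_scope(dn, config["searchBase"], scope)]
    matches = [(dn, a) for dn, a in candidates if a.get(attr) == value]
    if not matches:
        return {"status": "not found", "scope": scope, "dn": None}
    dn, attrs = matches[0]
    if "mail" not in attrs:
        return {"status": "found but no mail attribute", "scope": scope, "dn": dn}
    return {"status": "ok", "scope": scope, "dn": dn}
```

Running preflight for the same user with scope="one" and scope="sub" shows whether a nested-OU account is even reachable from the configured searchBase, which is the question minsis's filter experiments were trying to answer.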

6 participants