
Add unexpected exception log when bind user can authenticate, but doesn't exist in LDAP #9516

Closed
3 tasks done
MiniDigger opened this issue Nov 5, 2021 · 8 comments

Comments

@MiniDigger
Contributor

Preflight Checklist

Describe the Bug

If the LDAP user you use to search in LDAP is in a different subtree than the users you want to allow to log into Directus, the LDAP health check fails to find a user and thus login never works. (We separate between technical users and organisational/"real" users.)

I think the health check should not fail if the bind user has not been found in the user dn.

If I add

    res.on('end', (result) => {
        if (result.status === 0) {
            // The search completed cleanly but no 'searchEntry' event fired:
            // the bind user can authenticate but is not under the search DN.
            console.log('Healthcheck success, but user not found', result);
            resolve();
        } else {
            console.log('status: ' + result.status, result);
            // TODO error here: surface the non-zero status to the caller
            reject(new Error('LDAP health check failed with status ' + result.status));
        }
    });

my config works as expected (if you ignore the fact that my user has two cn attributes and only the second one is the one used for my DN...).

If that's something that you would want to have upstream, I can polish it up and PR it.

To Reproduce

Have an LDAP bind user in a different group than the LDAP Directus users.

Errors Shown

No response

What version of Directus are you using?

9.0.0

What version of Node.js are you using?

14

What database are you using?

pg 13

What browser are you using?

chrome

What operating system are you using?

windows 10

How are you deploying Directus?

locally

@aidenfoxx
Contributor

@MiniDigger Not sure I quite understand? The bind user needs to be bound to fetch user info on login/refresh, so we know their DN to be a kinda ground truth of a value that should exist. So on healthcheck, we do a search to find that ground truth, and handle the appropriate error if the connection has been lost.

If the bind user dn doesn't exist, then there is a problem in your configuration?

@MiniDigger
Contributor Author

Talked to aidenfoxx on Discord.
Current suspicion is that because my bind user is in some kind of IBM sysplex, that's why it can't find itself.
I'll talk with people at work to find out if that's expected.

@MiniDigger
Contributor Author

Ok, my bind user is indeed not in my LDAP (that would have been too easy). Idk how exactly it works, but it's possible to transfer the bind user into LDAP to solve that issue (it seems like the sysplex stuff accesses the underlying storage (IBM RACF, ancient mainframe tech) directly).

So this issue is not really an issue then I guess. Would still be cool to have some kind of logging if end is called but searchEntry isn't, because while this totally should not happen, it clearly can happen if your setup is weird enough :D

@aidenfoxx
Contributor

We could just add a reject on "end" with an UnexpectedError. That way if "searchEntry" triggers it'll resolve, but if the search passes with no results, it'll reject.

But this feels like a real edge case so I'm not too worried right now.

@MiniDigger
Contributor Author

Yeah, an error is fine, it just should point to the health check so you can find out what went wrong yourself without digging too long.
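The behaviour the two comments above agree on (resolve on searchEntry, reject on error, and reject on end when no entry was seen, with a message that points at the health check), as an added example that is not Directus or ldapjs code. It only assumes the ldapjs client.search(base, options, callback) shape and uses a constructed fake client so it runs offline; the base DN and scripted events are sample values.

```javascript
// Added example, not Directus or ldapjs code: wrap an ldapjs-style client.search()
// so that "end fired but no searchEntry" rejects with a message pointing at the health check.
const LDAP_BASE = 'ou=people,dc=example,dc=com'; // constructed sample base DN

function findEntry(client, baseDn, options) {
  return new Promise((resolve, reject) => {
    client.search(baseDn, options, (err, res) => {
      if (err) return reject(err);
      let entry = null;
      res.on('searchEntry', (e) => { entry = e; });
      res.on('error', (e) => reject(e));
      res.on('end', (result) => {
        if (entry) return resolve(entry);
        // Status 0 with no entry: the bind user authenticated, but its DN is
        // not under baseDn (the situation described in this issue).
        if (result && result.status === 0) {
          return reject(new Error(`LDAP health check: no entries found under "${baseDn}"; ` +
            'verify the bind user DN is inside the configured search base'));
        }
        reject(new Error(`LDAP search ended with status ${result ? result.status : 'unknown'}`));
      });
    });
  });
}

// Constructed stand-in for an ldapjs client so this runs offline: `script` is
// the list of [event, payload] pairs the fake search result emits, in order.
function makeClient(script) {
  return {
    search(base, options, cb) {
      const listeners = {};
      const res = { on(ev, fn) { (listeners[ev] = listeners[ev] || []).push(fn); } };
      cb(null, res);
      for (const [ev, payload] of script) (listeners[ev] || []).forEach((fn) => fn(payload));
    },
  };
}

// Runs one scripted search and reports the outcome as a plain object.
async function outcome(script) {
  try {
    const entry = await findEntry(makeClient(script), LDAP_BASE, { scope: 'sub', filter: '(cn=bind)' });
    return { ok: true, dn: entry.dn };
  } catch (err) {
    return { ok: false, message: err.message };
  }
}

outcome([['end', { status: 0 }]]).then((r) => console.log(r.message));
```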

@rijkvanzanten rijkvanzanten changed the title LDAP login times out with no info when bind user isn't found in the bind dn Add unexpected exception log when bind user can authenticate, but doesn't exist in LDAP Nov 5, 2021
@aidenfoxx
Contributor

@MiniDigger @rijkvanzanten I added #9527 to handle this, but I couldn't reproduce the issue on my side. For me when querying a record that doesn't exist I get a NO_OBJECT exception so I think this is very specific to your weird IBM setup.

@MiniDigger
Contributor Author

It's a weird pseudo object I guess. Many thanks, hopefully this will save somebody else some headaches

@rijkvanzanten
Member

Fixed in #9527

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 3, 2024