LDAP Referrals #8

Closed
PvanHengel opened this Issue Feb 25, 2014 · 4 comments

PvanHengel commented Feb 25, 2014

Hi,

I think there is an issue with LDAP Referral chase, it seems that when searching a server with a referral to another server the application crashes. When searching a specific server, the search returns only those results that are local, for example if you search for a group, it only shows members that are local even if members from other server exist in the group.

Owner

gheeres commented Feb 25, 2014

Unfortunately I don't have access to a partitioned Active Directory installation for testing. The heavy lifting for the application is done by the ldapjs library. From what I can tell, ldapjs does not support referral chasing? It will return the referrals but doesn't do the chase. I could be wrong? Hopefully I'm wrong...

Do you have an example of the records / chase you are receiving with the referrals?

PvanHengel commented Mar 4, 2014

Here is a simple scenario:

LDAP://ABC.COM/DC=ABC,DC=com
  --> If we bind here we fail

LDAP://NYC.ABC.COM/DC=NYC,DC=ABC,DC=COM
  --> We can bind here and we don't fail, but we only see NY users & Groups
  OU=GROUPS
    CN=GROUP_NYC,OU=Groups,DC=NYC,DC=OFI,DC=com
      --> If this group contains members from both NYC and BOS, and we connect to NYC we only see the NY members
  OU=USERS
    CN=USER_NYC,OU=USERS,DC=NYC,DC=OFI,DC=com

LDAP://BOS.ABC.COM/DC=BOS,DC=ABC,DC=COM
  OU=GROUPS
    CN=GROUP_BOS,OU=Groups,DC=NYC,DC=OFI,DC=com
  OU=USERS
    CN=USER_BOS,OU=USERS,DC=BOS,DC=OFI,DC=com

Owner

gheeres commented Apr 2, 2014

Since no one had a test environment available, I installed a temporary partitioned ActiveDirectory environment on a couple of VM machines in order to simulate this configuration. Setting up the test environment actually took longer than the code fix / update. sigh

Anyway, seems to be working, although my installation was very simple consisting of a single subdomain / partition and a couple of users. Before I tear down and throw away the VMs, please let me know if this works for you now.

Note: ActiveDirectory returns some "invalid" referrals which I've filtered out and ignored to limit the delay and number of erroneous queries.

ldap://ForestDnsZones.domain.com/dc=domain,dc=com
ldap://DomainDnsZones.domain.com/dc=domain,dc=com
ldap://dc.domain.com/CN=Configuration,dc=domain,dc=com

When setting up your ActiveDirectory instance, you'll need to enable referrals like below.

var ad = new ActiveDirectory({ url: 'ldap://dc.domain.com',
                               baseDN: 'dc=domain,dc=com',
                               username: 'username@domain.com',
                               password: 'password',
                               referrals: {
                                 enabled: true
                               }
                              });

You can also override the excluded referrals by specifying an array of regular expressions to not follow. If you want to follow all referrals, then provide an empty array:

referrals: {
  enabled: true,
  exclude: [ ]
}

@gheeres gheeres closed this Apr 2, 2014
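Added example, not code from the activedirectory library, ldapjs, or either participant: a client-side referral filter of the kind described in the comment above, using the three "invalid" referrals quoted there as sample input and borrowing the NYC/BOS naming from the scenario earlier in the thread for two constructed subdomain referrals. The exclude regexes, the `allowedSuffix` allow-list, the visited-set loop guard and every function name are this example's own assumptions, not library options. The allow-list is the check a practitioner would add on top of `exclude`: a chased referral sends the bind credentials to whatever host the referral names, so a client should only follow referrals into hosts it already trusts.

```javascript
// Added example (not the activedirectory library's code): decide which LDAP
// referrals a client should chase. Assumptions: referrals arrive as URL strings,
// and the caller knows the DNS suffix of its own forest.

// Default exclusions modelled on the three referrals quoted in the comment
// above. These regular expressions are this example's own, not the library's.
const DEFAULT_EXCLUDE = [
  /^ldaps?:\/\/ForestDnsZones\./i,
  /^ldaps?:\/\/DomainDnsZones\./i,
  /^ldaps?:\/\/[^/]+\/CN=Configuration,/i,
];

// Minimal ldap:// and ldaps:// URL parser (host, optional port, optional base DN).
// Returns null for anything else. IPv6 literal hosts are not handled.
function parseLdapUrl(url) {
  const m = /^(ldaps?):\/\/([^/:]+)(?::(\d+))?(?:\/(.*))?$/i.exec(url);
  if (!m) return null;
  const scheme = m[1].toLowerCase();
  return {
    scheme,
    host: m[2].toLowerCase(),
    port: m[3] ? Number(m[3]) : (scheme === 'ldaps' ? 636 : 389),
    baseDN: m[4] || '',
  };
}

// referrals:             array of referral URL strings returned by the server
// options.exclude:       regexes for referrals to ignore; [] means exclude none
// options.allowedSuffix: DNS suffix every referred host must end with ('' = any)
// options.visited:       Set of "host:port/basedn" keys already queried (loop guard)
// Returns { chase: [parsed...], skipped: [{ url, reason }...] }.
function selectReferrals(referrals, options = {}) {
  const exclude = options.exclude ?? DEFAULT_EXCLUDE;
  const allowedSuffix = (options.allowedSuffix ?? '').toLowerCase();
  const visited = options.visited ?? new Set();
  const chase = [];
  const skipped = [];

  for (const url of referrals) {
    const parsed = parseLdapUrl(url);
    if (!parsed) { skipped.push({ url, reason: 'unparseable' }); continue; }
    if (exclude.some((re) => re.test(url))) { skipped.push({ url, reason: 'excluded' }); continue; }
    const hostOk = !allowedSuffix
      || parsed.host === allowedSuffix
      || parsed.host.endsWith('.' + allowedSuffix);
    if (!hostOk) { skipped.push({ url, reason: 'host outside allowed suffix' }); continue; }
    // Key on host, port and base DN so a referral loop (A -> B -> A for the
    // same naming context) is cut, while a different base on the same host is
    // still followed.
    const key = `${parsed.host}:${parsed.port}/${parsed.baseDN.toLowerCase()}`;
    if (visited.has(key)) { skipped.push({ url, reason: 'already visited' }); continue; }
    visited.add(key);
    chase.push(parsed);
  }
  return { chase, skipped };
}

// Constructed sample: the three referrals quoted in the comment, two subdomain
// referrals named after the NYC/BOS scenario, a case-variant duplicate of the
// NYC one, and one pointing at a host outside the forest.
const SAMPLE_REFERRALS = [
  'ldap://ForestDnsZones.domain.com/dc=domain,dc=com',
  'ldap://DomainDnsZones.domain.com/dc=domain,dc=com',
  'ldap://dc.domain.com/CN=Configuration,dc=domain,dc=com',
  'ldap://nyc.domain.com/dc=nyc,dc=domain,dc=com',
  'ldap://bos.domain.com:389/dc=bos,dc=domain,dc=com',
  'ldap://NYC.domain.com/DC=nyc,DC=domain,DC=com',
  'ldap://dc.example.invalid/dc=domain,dc=com',
];

// Runs the filter with the default excludes and the forest suffix allow-list.
function demo() {
  return selectReferrals(SAMPLE_REFERRALS, { allowedSuffix: 'domain.com' });
}

if (typeof require !== 'undefined' && require.main === module) {
  const result = demo();
  console.log('chase:', result.chase.map((r) => `${r.host}:${r.port} ${r.baseDN}`));
  console.log('skipped:', result.skipped);
}
```

With the defaults, only the NYC and BOS subdomain referrals are chased; the three quoted "invalid" ones are dropped by the exclude list, the duplicate by the loop guard, and the foreign host by the suffix check. Passing `exclude: []` mirrors the "follow all referrals" setting from the comment, but the suffix and loop checks still apply.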

Owner

gheeres commented Apr 2, 2014

The other way around this problem is to use the Global Catalog (GC) instead of direct LDAP queries. Essentially the GC just listens on a different port (3268) but any LDAP search requests will be for the entire "forest".

{ url: 'ldap://dc.domain.com:3268' }

Of course make sure the port is open and not blocked by a firewall.

@gheeres gheeres added the enhancement label Jul 10, 2014
