korylprince / go-ad-auth Goto Github PK

Hey there,

I am trying to authenticate a particular user. But, the error message shows "Amount Of Entries Returned was not one." All other users in the same domain are able to log in,but not this user.
This user's name is 17characters long. Does this have any dependency on length of characters?
Please help me with this issue.

Thanks

Hello.

When I trying to authenticate via TLS on the server via TLS (port 636) - it throws an error:

panic: Connection error: LDAP Result Code 200 "Network Error": x509: cannot validate certificate for X.X.X.X because it doesn't contain any IP SANs.

My config:

config := &auth.Config{
	Server: "X.X.X.X",
	Port: 636,
	BaseDN: "ou=Users,dc=my,dc=example,dc=com",
	Security: auth.SecurityTLS,
}

The one way to avoid this error is change call of the function DialTLS on line 27 from

conn, err := ldap.DialTLS("tcp", fmt.Sprintf("%s:%d", c.Server, c.Port), &tls.Config{ServerName: c.Server})

to

conn, err := ldap.DialTLS("tcp", fmt.Sprintf("%s:%d", c.Server, c.Port), &tls.Config{ServerName: c.Server, InsecureSkipVerify: true})

This method is not so good, because in InsecureScipVerify mode we are susceptible to man-in-the-middle attacks.

Is there any way to fix it without using bad practices? Maybe I made mistake somewhere?

Hello,

When trying connection to LDAP server setup on linux, facing connection error.

Error: "Connection error: LDAP Result Code 2 "Protocol Error": unsupported extended operation"

Note that with same client, we are able to connect to LDAP on Windows server.

Configs/versions we are using are as below:

Client OS Details:

NAME=Buildroot
VERSION=2015.11-00069-g85a7c28e
ID=buildroot
VERSION_ID=2015.11
PRETTY_NAME="Buildroot 2015.11"
MVEBU_RELEASE="16.08.0"

Linux OS details on which LDAP is setup:

NAME="Ubuntu"
VERSION="18.04.4 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.4 LTS"
VERSION_ID="18.04"

OpenLDAP Version:
Version: 2.4.45+dfsg-1ubuntu1.11

Using golang v3.1.4 version of go-ad-auth:
https://pkg.go.dev/github.com/korylprince/go-ad-auth/[email protected]

Using this with Port 389 and SecurityType SecurityInsecureStartTLS for LDAP connection.
Note that port is open, no issues with firewall

API function call being used is: https://pkg.go.dev/github.com/korylprince/go-ad-auth/[email protected]#AuthenticateExtended

Could you please advice on this issue? Is it something with respect to versions we are using?

Hello,

I created a new ldap user in Windows Active Directory Users and Computers. When this new user is created by default it is a member of 'Domain Users' group. But when I used adauth.AuthenticateExtended call it did not return this group.

Then I created a new group say 'DCS' and made this new user member of 'DCS', then ideally the user is member of 'Domain Users' and 'DCS'. But the adauth.AuthenticateExtended call returned only 'DCS'. Note that I had passed both groups in the call.

After more investigation, in LDAP server I noticed that attribute 'member' of 'DCS' group had reference to the new user, but the 'member' attribute of 'Domain User' did not have reference to the user.

In Windows Active Directory though it says user is member of both 'Domain User' and 'DCS', the AuthenticateExtended call returns only DCS, as attribute 'member' of 'Domain Users' does not mention this user.

So,
does this library check the attributes before returning the group? or
By default, as user is not referred in 'Domain Users', is it LDAP configuration issue?

Hello!
I could not understand which parameters i should sent.
User dn and his exist group dn?
("dn", "user dn", []string{"group dn"})
This is return empty groups.

Hi,

When entry.DN contains a backslash, a parenthesis, an asterisk or a null character, the following query fails because the filter is invalid.

You should escape entry.DN using the rules detailed here, paragraph "The String Representation of LDAP Filters": https://ldap.com/ldap-filters/

In AuthenticateExtended when searching the memberOf attribute for matching groups, I think you meant to break out of the inner loop when you detect a match rather than continue.

Continuing doesn't hurt, but it also doesn't do anything useful :-)

Hi

If i am logged in to application, and I change my existing password. Then after i relogin, it authenticates both the passwords(New one and the existing one). I think it holds all the Active Directory data.
Please help with this problem.

This is my code.

--->
logger.Log(MODULENAME, logger.DEBUG, "LDAP Authentication Ready To begin...!!")

Config1 := grepo.GetGlobalConfiguration()
//&auth.Config{} = Config.EnvConfig.UserAuthenticationConfigParams.

config := &auth.Config{
	Server:   Config1.EnvConfig.UserAuthenticationConfigParams.Server,//example-ad.example.com
	Port:     Config1.EnvConfig.UserAuthenticationConfigParams.Port,//389
	BaseDN:   Config1.EnvConfig.UserAuthenticationConfigParams.BaseDN, //"DC=example,DC=COM",
	Security: auth.SecurityNone,
	Debug:    Config1.EnvConfig.UserAuthenticationConfigParams.Debug, //true,
}

status, err := auth.Login(userName, password, "", config)
if err != nil {
	logger.Log(MODULENAME, logger.ERROR, "Failed to Perform Authentication")
	logger.Log(MODULENAME, logger.ERROR, "Error : %s \n", err.Error())
}
return status

func ExampleUpdatePassword() {
	config := &auth.Config{
		Server:   "ldap.example.com",
		Port:     389,
		BaseDN:   "OU=Users,DC=example,DC=com",
		Security: auth.SecurityNone,
	}

	username := "user"
	password := "pass"
	newPassword := "Super$ecret"

	if err := auth.UpdatePassword(config, username, password, newPassword); err != nil {
		//handle err
	}
}

Result is
LDAP Result Code 53 "Unwilling To Perform": 00002077: SvcErr: DSID-03190EBE, problem 5003 (WILL_NOT_PERFORM)

Hi,

I'm having some trouble getting the groups that a user is a member of from "AuthenticateExtended". No matter what I pass in attr and group, I always get back an error "no entries returned". Is this a bug?

BTW: I can successfully authenticate with the "Authenticate" function.

Thanks,
-G

Thank you for this great package, it save me alot time, i create package, that wrap you, so it now even simplier to auth users get info from AD and check user groups - https://github.com/vasiliyaltunin/goad

Hope it helps some ppls around

Hi

Thanks for this great package! I would like to use this to check users username, password and group membership.

I have got this working when I use AuthenticateExtended. This works fine when a privileged user logs in, it pulls the attributes and groups. But when a standard user attempts I get "no entries returned".

So I assume I will need to first do a bind and use another method to check the user. Is there a way to be able to do this within this package or do I need to use the ldap package?

Many thanks

Simon

func ExampleUpdatePassword() {
	config := &auth.Config{
		Server:   "ldap.example.com",
		Port:     389,
		BaseDN:   "OU=Users,DC=example,DC=com",
		Security: auth.SecurityNone,
	}

	username := "user"
	password := "pass"
	newPassword := "Super$ecret"

	if err := auth.UpdatePassword(config, username, password, newPassword); err != nil {
		//handle err
	}
}

Result is
LDAP Result Code 53 "Unwilling To Perform": 0000001F: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM)