Is there a simple way to check prior to running a search operation whether or not an ldapts client is still connected and usable? Specifically, I'm using ldapts in conjunction with a connection pool (node generic-pool) and I'm trying to find an efficient way to validate bound clients to see if they are still usable (e.g., to make sure the connection hasn't timed out due to being idle) after the connection is checked out from the pool.

Thank you!

I am trying to use this project to log users in. After the system forms a bind, it needs to take the username and password provided by the user and validate it.

Can we change:
public async exop(oid: string, value?: string, controls?: Control|Control[])
to:
public async exop(oid: string, value?: string | Buffer, controls?: Control|Control[])?

In ExtendedRequest.ts Buffer as value is allowed, as per definition it should also be allowed in Client.ts for the calling method?

Is it possible to specify a network interface to use when creating a client? TIA.

Hey @jgeurts ,

first off thank you very much for the work.

I am experiencing an issue with the following query:

const searchResult: any = await client.search(settings.ldapGroupSearchDN, {
      filter: "(&(objectCategory=group)(displayName=My group (something)",
})

After replacing the brackets with \28 and \29 this call yields no result. However running: ldapsearch -H ldaps://.... -x -w 'verySecret' -D myUser -b 'ldapGroupSearchDN' "(&(objectCategory=group)(displayName=My group \28something\29))" does.

Any pointer why this is?

Also:

Is there a reason why https://github.com/ldapts/ldapts/blob/master/src/filters/Filter.ts#L36 is protected? Would be cool, if I'd be able to use it. Currently I need to fallback to https://github.com/tcort/ldap-escape before executing the call above (or manually use .replace()). Otherwise I see UnhandledPromiseRejectionWarning: Error: Illegal unescaped character: ( in value: My group (something at Function._unescapeHexValues (ldapts/dist/FilterParser.js:272:27)

Best regards,
stiller-leser

I want to make a filter operation, about 10 seconds passed, then it failed with the following error.

D:\code\node\ldap-simple-tool>node bin\ldap-simple-tool.js filter uid=xxx
try to filter {"expression":"uid=xxx"}!
filter operation error!
Error: Processing on the associated request Timeout limit specified by either the client request or the server administration limits has been exceeded and has been terminated because it took too long to complete. Code: 0x3
filter failed, please check the filter expression

D:\code\node\ldap-simple-tool>

The code I write is the following.

const filter = async ({ addr, baseDn, bindDn, bindPass, authFilter, tls, startTLS }, [_, expression]) => {
  const client = new Client({
    url: `${tls ? 'ldaps' : 'ldap'}://${addr}`,
    timeout: 0,
    connectTimeout: 0,
  });
  try {
    startTLS && client.startTLS();
    await client.bind(bindDn, bindPass);
    const filterResults = await _filter({ baseDn }, client, expression);
    return filterResults;
  } catch (error) {
    console.error(chalk.yellow.italic(`filter operation error!\n${error}`));
  } finally {
    await client.unbind();
  }
  return null;
};

It seems the timeout configs did not work as expected. I have also tried to remove timeout and connectTimeout or set a very large number.

However I can make filter operation in some client tool like LDAP Admin.

I search a group to retrieve the paths for each user in the group, then query each using that path as the distinguished name. Unfortunately, some of the DN entries contain embedded parentheses like this:
CN=Joe Cool (contractor),CN=Users,DC=myco,DC=mycompany,DC=com
These parentheses choke the filter parser in ldapts. I've tried various schemes for escaping them, but still get rejections from ldapts. These are legal characters for LDAP, how can I get these past the filter parser in ldapts?

I tried to take this for a spin with a publicly available LDAP server. Older code with node-ldapauth-fork is running fine. With this package, I am getting an error. You can check the code and run it at https://repl.it/@purplemana/Ldapts. It's a copy-paste of the search example from the package's docs with the server details changed. You can get the ldap details here - https://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/.

Here's the code for reference:

const { Client } = require('ldapts');

const url = 'ldap://ldap.forumsys.com:389';
const bindDN = 'cn=read-only-admin,dc=example,dc=com';
const password = 'password';
const searchDN = 'ou=mathematicians,dc=example,dc=com';

async function search() {
  const client = new Client({
    url
  });

  try {
    await client.bind(bindDN, password);

    const {
      searchEntries,
      searchReferences,
    } = await client.search(searchDN, {
      scope: 'sub',
      filter: 'cn=riemann',
    });

    console.log(searchEntries)

    return searchEntries;
  } catch (ex) {
    throw ex;
  } finally {
    await client.unbind();
  }
}


search()
.then(console.log);

Expected Behavior

When performing more than two search operations simultanously, every single one should resolve correctly.

Actual Behavior

Only the first two search operations are resolved (Even though the ldap server answers correctly).

This does only occur with node.js >= v12.

It does not occur with only two concurrent search operations.

From our ldap server logs, we can see, that the server sends everything correctly.

The same problem occurs with ldapjs (v2.0.0) as well.

Error: SearchRequest: Operation timed out (Client.ts:826:25)

Steps to Reproduce

With this script you can reproduce the issue. We perform the same base search operation 3 times in parallel with Promise.all.

It doesn't matter if we use 3 different search operations but for simplicities sake we use a base search with our bindDN as base to be sure the entry exists.

If you run this script with i.e. node v10, everything works as expected, with node v12 or higher you will see the error message after the operation has timed out.

import { Client } from 'ldapts'
import assert from 'assert'

async function main() {
  const url = 'ldaps://...'
  const bindDN = 'cn=...'
  const bindCredentials = 'secret'

  const client = new Client({
    url,
    // since the operation times out, we use a low timeout
    timeout: 5000,
    connectTimeout: 5000,
  })

  try {
    await client.bind(bindDN, bindCredentials)

    const results = await Promise.all([
      findByDN(client, bindDN),
      findByDN(client, bindDN),
      findByDN(client, bindDN),
    ])

    assert.deepEqual(
      results.map((result) => result.dn),
      [bindDN, bindDN, bindDN],
    )

    console.log('ldapts is compatible with the selected Node version.')
  } catch (err) {
    console.log('ldapts is not compatible with the selected Node version.')
    console.error(err)
  } finally {
    await client.unbind()

    process.exit()
  }
}

async function findByDN(client, dn) {
  const { searchEntries } = await client.search(dn, {
    scope: 'base',
  })

  assert.equal(searchEntries.length, 1)

  console.log(`found ${searchEntries[0].dn}`)

  return searchEntries[0]
}

main()

Context (Environment)

• NetIQ eDirectory version: 9.2.2
• node.js version: v12 or higher
• ldapts version: v2.6.1

I am using the following options for my LDAP search:

And I am expecting a result like this:

I am not getting any of the operational attributes, only the user's data.

I'm encountering the 'Socket connection not established' error located at the top of the _send function in Client.js. This will occur when this.connected == true, but this.socket == undefined. We land here because (for example) the search function will only call _connect if this.connected == false, not if this.socket is undefined.

To reproduce:

1. Start server
2. Have client make a query. This sets this.connected = true and defines the socket
3. Have the server gracefully close the connection.
4. Have client make another query.

I believe root cause occurs in the socketClose function and the connectTimer timeout, where the socket is deleted, but this.connected is not set to false

I am not sure if I am doing this correctly, I was not able to find any example code to do this.

I would like to use the startTLS extended operation to establish a secure connection to my ldap server and then bind the uname/pwd to authenticate a user.

I get the following error
{ Error: Client network socket disconnected before secure TLS connection was established at TLSSocket.onConnectEnd (_tls_wrap.js:1095:19) at Object.onceWrapper (events.js:286:20) at TLSSocket.emit (events.js:203:15) at endReadableNT (_stream_readable.js:1145:12) at process._tickCallback (internal/process/next_tick.js:63:19) code: 'ECONNRESET', path: undefined,
Here is my code (the variables are declared in the file, not adding here)

const getLdap = async () => {
  const client = new Client({
    url: url,
    connectTimeout: 5000,
    tlsOptions: {
      rejectUnauthorized: tlsOpts.rejectUnauthorized,
      ca: [fs.readFileSync(tlsOpts.cert)],
    },
  });

  await client.startTLS(tlsOpts, (err) => {
    try {
      client.bind(searchDN, password);
      const { searchEntries } = client.search(searchDN, searchOpts);
      console.log(searchEntries[0].memberOf);
      return searchEntries[0].memberOf;
    } catch (err) {
      throw err.message;
    } finally {
      client.unbind();
    }
  });
};

It would be real nice if there were documentation for all functionality.

The current docs do not discuss features like add, change, etc. And I just have no clue how to use them.

When bind with a read-only user and try to use compare, I get this message:

InsufficientAccessError: The caller does not have sufficient rights to perform the requested operation. Code: 0x32
    at Function.parse (/home/william/dev/wmantly/ldap-node-test/node_modules/ldapts/StatusCodeParser.js:53:24)
    at Client.compare (/home/william/dev/wmantly/ldap-node-test/node_modules/ldapts/Client.js:202:59)
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
    at async /home/william/dev/wmantly/ldap-node-test/app.js:26:16 {
  code: 50,
  message: 'The caller does not have sufficient rights to perform the requested operation. Code: 0x32'
}

I am making a program in TS and while building this error pops up. Any idea why?

node_modules/ldapts/dist/filters/Filter.d.ts:2:38 - error TS7016: Could not find a declaration file for module 'asn1'. '.../node_modules/asn1/lib/index.js' implicitly has an 'any' type.
  Try `npm install @types/asn1` if it exists or add a new declaration (.d.ts) file containing `declare module 'asn1';`

2 import { BerReader, BerWriter } from 'asn1';

Same error also occurs for other .d.ts files like Attribute.d.ts, Change.d.ts, Control.d.ts

Btw there is no types for asn1

@jgeurts @adrianplavka

I just stumbled across this project and it looks promising. The ldapjs codebase has been dead for quite a while now and it's great to see some movement again.

I see that this only uses the client functionality from ldapjs, is there any plans to bring over the server functionality from it?

My team runs an internal ldap proxy and we use ldapjs. We currently have an internal fork of it to fix some server bugs that have/will never been fixed in ldapjs. It would be great to switch over to this library (we also use TypeScript) and to potentially push some of our fixes upstream as well.

As mentioned in my comment on #11, OpenLDAP doesn't return attribute data when requesting attributes with the ;binary attribute option in searches unless those attributes are explicitly encodable with BER. Unfortunately, attributes like jpegPhoto do not meet this requirement, and it seems to be impossible to coax OpenLDAP into just dealing with it. This means that the trick this library employs to return Buffers for binary attributes in searches fails, as specifying option attributes: ['jpegPhoto'] returns a corrupt UTF-16 string, but attributes: ['jpegPhoto;binary'] returns no attribute data whatsoever.

It would be nice to have, say, a .raw property on attribute values in search entries which would hold their value as the pre-toStringed Buffer holding the attribute data.

Related: #72 (sort of a duplicate?)

hello
please to help me. when i call modify function required Change but when i import it and console log to check is undefined
when i new Change , Attribute
-> TypeError: _ldapts.Change is not a constructor
-> TypeError: _ldapts.Attribute is not a constructor

--> my code <--
import { Client, Change, Attribute } from 'ldapts'
...
const mod = new Attribute({
type: 'info;string',
values: [ 'zzz']
})

--> and error return <--
UnhandledPromiseRejectionWarning: TypeError: _ldapts.Attribute is not a constructor

can you help me resolve this issue ,

Thank you very much

There is not an easy way to import the Error classes for checking in exception handling, having to do import { InvalidCredentialsError } from 'ldapts/dist/errors/resultCodeErrors/InvalidCredentialsError'.

Would it be reasonable to export these from the index.d.ts?

This would be a huge benefit for us, as only simple auth is supported at the moment we will have to require an ldaps connection. I just tested out using starttls with the ldapjs library and it seems that it would fix our issue and allow plain ldap connections once again. I would love to continue using ldapts in our project but for now I may have to just wrap the ldapjs stuff :(

Tried accessing a Samba-based PDC via LDAP including its objectSid attribute which comes binary-encoded. Just like with ldapjs I was realizing that binary content exposed this way gets corrupted due to assuming UTF-8 encoding when converting attribute values from Buffer to string, even though the resulting string is full of Unicode escape sequences, afterwards. In my case a 25-bytes buffer value becomes a 24 characters string of unicode escapes.

In ldapjs there is an opportunity to get the raw set of buffers instead of transcoded strings per search result entry.

I have a multi domain tree and different domains require different credentials so i need to intercept the referral and rebind using the appropriate credentials.

I have just migrated from ldapjs and appreciate changes and corrections made on the code. Nevertheless, a filter using previously with ldapjs not work. It's normaly should remove desactivate users on AD (see last part of filter below).

const searchOptions = {
            scope: 'sub',
            sizeLimit: 50,
            attributes: ["sAMAccountName", "name", "mail", "telephoneNumber", "sn", "givenName"],
            filter: '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
        };

Without userAccountControl Filter, I've got all users but with I've an empty result.

is there a way to modify multiple attributes in a single change e.g. below
await client.modify(SEARCHCRITERIA'', new Change({ operation: 'replace', modification: new Attribute( { type: 'title', values: ['web tester'] }, { type: 'displayName', values: ['John W Doe'] } ), }));

or

await client.modify(SEARCHCRITERIA'', new Change({ operation: 'replace', modification: new Attribute( { type:[ 'title','displayName'] values: ['web tester','John W Doe'], } ), }));

It would be nice if all attributes requested that exist on the server were returned, instead of needing to check for keys to know if they are empty. Currently ldapts will remove attributes returned by the server that are falsy. (empty strings) Requesting a binary version still returns no keys if the value is falsy.

For example if you want a users phone number, but the telephoneNumber attribute was never filled in it will be empty and ldapts drops the attribute key.

client.search('dc=domain,dc=local', {
        scope: 'sub',
        filter: `([email protected])`,
        attributes: ['telephoneNumber']
      });

// Result [ { dn: 'CN=Test User,OU=Users,DC=domain,DC=local' } ]

For consistency it'd be nice to have:

client.search('dc=domain,dc=local', {
        scope: 'sub',
        filter: `([email protected])`,
        attributes: ['telephoneNumber']
      });

// Result [ { dn: 'CN=Test User,OU=Users,DC=domain,DC=local', telephoneNumber: ''} ]

It looks like this is happening on line 45 of SearchEntry.ts, however I didn't make any PR since I didn't know if this behavior was intentional.

Package Version: 2.7.0 (but also tested with 1.9.0 and the bug is still present)
Node: 14
AD protocol: ldaps

If for some reason we attempt to add a user with a null password, we get an unhandled promise rejection even if we catch the "add" error. I tried listening on the client.socket's events, but that did not help in any way. Although this can be prevented higher up in our code, it seems like ldapts should not fail in this way ...

Also, I tried to unbind the client in the try-finally, but that just resulted in a completely different error (Error: Connection closed before message response was received. Message type: AddRequest (0x68)) which I think might be pretty much related.

Here is the minimal snippet I used to reproduce this bug :

const { Client } = require('ldapts');

const client = new Client({
	url: 'ldaps://openldap:636',
	timeout: 5000,
	connectTimeout: 5000,
});

let entry = {
	cn: 'firstname  lastname',
	objectclass: ['organizationalPerson', 'person', 'inetOrgPerson', 'top'],
	pwdReset: 'TRUE',
	givenName : 'firstname',
	sn : 'lastname',
	mail : '[email protected]',
	uid : '[email protected]',
	userPassword : null, // This is the problem, leaving this undefined works as expected
};

let dn = `uid=${entry.uid},ou=Users,dc=test,dc=com`;

const doStuff = async() => {
	try {
		await client.bind(process.env.LDAP_DN, process.env.LDAP_PASSWORD);
		await client.add(dn, entry);
		console.log('I added my entry');
	} finally {
		//await client.unbind(); // This just fails differently...
	}
}

doStuff().then().catch(console.error);

Hi,
Superb library!

Is it possible to add a ignore parsing array option on client.modify and client.search to receive the raw buffer instead of the parsed response, ( in SearchEntry.js ) as it converts everything to a string.

{ scope: 'sub', filter: '(&(sAMAccountName=someAccount))', attributes: ['thumbnailPhoto', 'dn', 'name', 'something...'], noparsing: ['thumbnailPhoto'], }

essentially im trying to get the thumbnailPhoto which is usually a binary photo
and then save the photo to file, but as it is already converted to string, some characters gets mangled by the encoding and Im unable to get the correct output.

ldapjs lib has the same issue where object.entries are strings but since it pushes the full object back, the data was still accessable at object.attributes[0].buffers[0];

Buffer.from(object.attributes[0].buffers[0], 'hex').toString('binary');

not totally sure how to send a "modify" replace in binary form, clues?

Package Version: 2.6.1
Node: 10
AD protocol: ldaps

I am trying to establish a TLS connection between the AD and my node service however I am getting an error
unable to get local issuer certificate

My implementation of the code looks something like this, where I am getting the certs from the AWS SSM.

const createConnection = async () => {
  const connection = config && config.connection
  if (process.env.REJECT_UNAUTHORISED === 'true') {
    const rootCA = await getParam(process.env.CA_ROOT_CERT)
    const bufferedCACert = Buffer.from(rootCA, 'base64').toString('utf8')
    const subCA = await getParam(process.env.CA_SUB_CERT)
    const bufferedSubCACert = Buffer.from(subCA, 'base64').toString('utf8')
    connection.tlsOptions.ca = [bufferedCACert, bufferedSubCACert]
  }

  const client = new Client(connection)
  return client
}

The AD is using certificates issued by the global CA.

I tried using the startTls function but saw an error message indicating that the Tls connection was already established and when reviewing the code source, I can verify that it is the case.

Also a second point, why do I need to add ca in the config?
https://nodejs.org/docs/latest-v10.x/api/tls.html. The documentation indicates that I need to add only if it is a self signed?

Can anyone help me out please?

I added a similar request/question to ldapjs but thought I'd ask here as well, since this seems better maintained. I've read the issues and docs and am pretty sure this is not supported, but wanted to check anyway.

I need to use LDAP (as a client) over ldaps:// where the tlsOptions contain a key and cert for TLS client authentication. I.e. the LDAP server (the peer) will verify my LDAP client via TLS client authentication.

But I want this TLS client auth to be used with the "SASL EXTERNAL mechanism" (page 29 in https://docs.ldap.com/specs/rfc4422.txt).
As far as I can understand, this is something I can currently achieve with ldapsearch by supplying the -Y EXTERNAL.

So with all that in mind, since ldapts already supports TLS using client cert/key, is it possible for it to use -Y EXTERNAL so that they are also used as the SASL mechanism "EXTERNAL"?

The change class is inaccessible to make modifications when importing the module.

Suggest the following line in index.ts would work
export * from './Change';

This would allow it on import as either:
const { Client, Change } = require('ldapts');
or
const Change = require('ldapts').Change;

In your bind function, and most others, you send the LDAP command and then, if the response was not 0 (Success) then you call StatusCodeParser.parse(result.status);

But this throws away the original message that was part of the results and replaces it with your error messages.

Honestly I really don't want your error messages. I want the original message.

At a minimum can you include both your message and the original message??

Like this: StatusCodeParser.parse(result.status, result.errorMessage);

When using your library it seems to log quite noisily whatever is going on. Basically, this might be a good idea. But when it comes to logging bind operations it is covering used passwords in cleartext which seems to be unnecessary not to say probable source for collecting a wide range of user credentials.

I have found a TODO in comment, and think this is in need #32

As it goes with external services, if the service goes temporarily unavailable (by closing the socket), the client will not try to reconnect again.

With the current API, it is not possible, to define custom event handlers for implementing a reconnection policy.

My proposed suggestion would be (similar to ldapjs package), to have a new object setting in ldap.Client's constructor named reconnection, which would define, if the reconnection should be enabled & intervals for automatic reconnection.

The next solution (which could, by the way, exist with the previous solution) would be to extend client as an EventEmitter object. That way, users of this library could extend event behavior to their liking.

The parseDN() method is useful and would be a great addition.
http://ldapjs.org/dn.html#parsedndnstring

Unhandled Exception TypeError: Cannot read property 'removeAllListeners' of undefined
     at Client._onConnect (/usr/src/app/node_modules/ldapts/Client.js:456:21)
     at Socket.socket.once (/usr/src/app/node_modules/ldapts/Client.js:431:26)
     at Object.onceWrapper (events.js:273:13)
     at Socket.emit (events.js:187:15)
     at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1149:10) undefined

Getting this error on trying to connect. Let me know if you guys need some specifics.

This module solve an error that happens with ldapjs. I'm excited to use ldapts, but I see a big problem because the errors do not handle with return codes but exceptions.
try-catch expression can affect to performance in app. Is there other way to handle errors and do not use try-catch?

The module works well! There is a question. If the LDAP server is available, then everything works, but if the LDAP server is not available (fell, does not respond to ping), then client.bind (...) waits a very long time. It would be nice to have the ability to set the maximum wait time for server availability

Using Active Directory this function fails in the method ldapClient.exop(....)

export async function authenticate(username, password) {

    // Declare ldap client connection once and enable reconnect
    // and listen for connect events (see below)
    const ldapClient = new Client({
        url: `ldap://${config.ldapHost}`,
        reconnect: {
            initialDelay: 100,
            maxDelay: 1000,
            failAfter: 10
        },
    });
    await ldapClient.exop('1.2.840.113556.1.4.1781'); // throws error 'toString' of null
    await ldapClient.bind(username ,password);
    await ldapClient.unbind();
}

I get this stack trace

TypeError: Cannot read property 'toString' of null
    at new ResultCodeError (/Users/slaursen/dev10/deploy/ep-auth-server/node_modules/ldapts/errors/resultCodeErrors/ResultCodeError.js:7:51)
    at new UnknownStatusCodeError (/Users/slaursen/dev10/deploy/ep-auth-server/node_modules/ldapts/errors/resultCodeErrors/UnknownStatusCodeError.js:6:9)
    at Function.parse (/Users/slaursen/dev10/deploy/ep-auth-server/node_modules/ldapts/StatusCodeParser.js:80:24)
    at Client.exop (/Users/slaursen/dev10/deploy/ep-auth-server/node_modules/ldapts/Client.js:218:58)
    at process._tickCallback (internal/process/next_tick.js:68:7)

Hi,

I am getting Missing paren error for filter bellow:

"(&(userPrincipalName=sostad*)(&(objectClass=user))(|(objectClass=person))(!(objectClass=computer)(objectClass=group)))"

It looks like my filter is correct and error is a bug!
could you please take a look at it and let me know what's wrong in my filter?

error:

Missing paren: (&(userPrincipalName=sostad*)(&(objectClass=user))(|(objectClass=person))(!(objectClass=computer)(objectClass=group))). Full string: (&(userPrincipalName=sostad*)(&(objectClass=user))(|(objectClass=person))(!(objectClass=computer)(objectClass=group)))

When we search for a ldap user, I found there is no options to retrieve computed attributes such as msDS-UserPasswordExpired, msDS-UserPasswordExpiryTimeComputed.

First of all, I want to thank you for this repository. We switched our project's LDAP implementation from ldapjs to yours and it seems to be working just fine. Being a TypeScript project, it's just a cherry on top.

However, quickly glancing over the code, I couldn't find escaping mechanism of certain characters to prevent LDAP injections.

Is there any way of incorporating this into the project? Right now, it seems that I am forced to use ldap-escape library.

It looks like when sizeLimit option is defined, the library is returning N-1 items only (one item is missing). Example: When I selected sizeLimit=2, one item (user) were been returned only.

Tested on: LDAPTS version: 1.4.2, LDAP server: Microsoft Active LDAP

Note: When sizeLimit is not defined, the real limit looks like 100 items. The default value is not documented in source code. But I am not sure if this limit is caused by lib, or it is default value somewhere in AD LDAP server - so adding this info as minor information only.

Hi @jgeurts,

it's me - again ;)

I am currently testing the following ldap query (&(objectClass=user)(displayName=SomeIdentifier)(memberOf:1.2.840.113556.1.4.1941:=CN=A Parent Group)) to search for a user in a group that contains many children groups. According to https://docs.microsoft.com/en-us/windows/desktop/adsi/search-filter-syntax 1.2.840.113556.1.4.1941 translates into a LDAP_MATCHING_RULE_IN_CHAIN.

The query gets correctly translated into a big AndFilter with three filters by ldap ts:

AndFilter {
  type: 160,
  filters: [
    EqualityFilter {
      type: 163,
      attribute: 'objectClass',
      value: 'user'
    },
    EqualityFilter {
      type: 163,
      attribute: 'displayName',
      value: 'SomeIdentifier'
    },
    ExtensibleFilter {
      type: 169,
      matchType: 'memberOf',
      rule: '1.2.840.113556.1.4.1941',
      dnAttributes: false,
      value: 'CN=A Parent Group'
    }
  ]
}

Checking the buffer in the SearchRequest it seems that it gets at least written into the stream correctly (even though one can't see much):

�b�
   objectClassuser�
                   displayNameSomeIdentifier�3�1.2.840.113556.1.4.1941memberOf�CN=A Parent Group0LLL

Using the following ldapsearch I get a result:

ldapsearch -H ldaps://myldapserver.com -x -w 'verySecret' -D 'myUser' -b 'DC=global,DC=corp,...' "(&(objectClass=user)(displayName=SomeIdentifier)(memberOf:1.2.840.113556.1.4.1941:=CN=A Parent Group))"

Would be awesome if you could look into this. As always: More than happy to help!

Regards,
stiller-leser

I'm need to perform an LDAP query using an extended control. (Specifically, Active Directory using 1.2.840.113556.1.4.417).

The documentation doesn't have any examples for creating a Control to pass to the search client. I've tried a few things but can't figure it out on my own.

I found this example for ldapjs but nothing similar works with ldapts.

Can you give any pointers for creating a Control object?

This is not a bug report per se, I just wanted to share something that got me stuck with my current setup and maybe open a discussion about a PR.

I was getting this error when trying to bind to the ldap server given in the bind example:

TypeError: Invalid data, chunk must be a string or buffer, not object
at Socket.write (net.js:704:11)
at Client._send (app/server.js:22724:21)
at Client._sendSearch (app/server.js:22549:35)
at Client.search (app/server.js:22531:20)

After some investigation I identified the asn1 lib used to create the buffer from the message as being the problem. Internet told me it is barely maintained anymore and offered asn1-ber as a dropin replacement. I made an alias in my webpack config to not modify anything and it started working straight away:

resolve: {
        alias: {
            'asn1': 'asn1-ber'
        },
}

I'm not sure if there is any downside to using the alternative lib but the author says there isn't. Seems to be working for me and my particular setup (Meteor.js). But if other people are having the same problem it might justify a change directly in ldapts rather than the webpack workaround.

Great lib in any case, works like a dream, thank you so much.

const { Client } = require('ldapts');

const url = 'ldap://ldap.forumsys.com:389';
const bindDN = '';
const password = '';

async function authenticate(bindDN, password) {
  const client = new Client({
    url,
  });

  let isAuthenticated;
    try {
      await client.bind(bindDN, password);
      isAuthenticated = true;
    } catch (ex) {
      isAuthenticated = false;
    } finally {
      await client.unbind();
    }
  return isAuthenticated;
}

I created a function with a given example. When bindDN and password are empty string, isAuthenticated returns true. I find that isAuthenticated in Try block gets assigned 'true'. In my understanding, await delays until client.bind function returns, right? If empty bindDN and password gets an error in binding, it should jumps into catch block. Any clue?

I'd like to detect, whether some bind request is failing due to technical issues (like connection timeouts) or because of provided user DN/password being wrong. Currently I have to import the error classes from ldapts/errors for that. Is it possible to include the errors with the base API available from ldapts itself?

I switched to this library from ldapjs to try to fix a bug when connection get closed by LDAP server.
By searching some issues, thought this problem is fixed, but that is not the case.

I get disconnected from LDAP server after 15 minutes of inactivity.
When I do new request after more than 15 minutes, I got error like this

It would be nice if you can handle this case and reconnect client again if possible.

My current workaround is in catch block, to check error.message does it contain this specific code 000004DC, and if that is the case, bind client again, and do request again

But I saw in your library that on every search you check is client connected. Don't know is there a way to listen to event when server close connection, or to check something else also and to call connect method again

I'm getting a TS4090 error now in my project since updating ldapts. My work around is to delete this typings file from ldapts. The node typings at my project level is apparently newer and typescript doesn't know what to do.