ldaps issue with any node js versions #474
Comments
'use strict'; var fs = require('fs'); server: { I was even asked to try the following which I did Still cannot authenticate |
This almost looked like my issue but it didn't help |
Did you verify AD is properly set up for LDAPS and verify what port it was set up with? (Default is 636) I only ask because many IT admins do not set up LDAPS by default. |
So this application is broken into two. One is a thick client and the other is a web client. For the Web Client it's not so easy. With all the Nodejs and JavaScript stuff. What is confusing is that I am able to connect with ldap and not ldaps on the webclient. I have done telnet on port 636 and also connected successfully with LDAP Admin to the DCs on 636 using TLS/SSL. I believe the issue is in the ldaps/nodejs on the app. |
ERROR Wed Apr 11 2018 11:19:33 - TypeError: Cannot read property 'on' of undefined |
Is it a self-signed cert, and if so, is it in a local CA that the Node server is configured with? If not, I believe you can bypass it using the Node TLS API for testing purposes. https://nodejs.org/api/tls.html#tls_tls_connect_options_callback You should be able to use tlsOptions to send it the settings needed to bypass the CA check, or you can send it a pem file, which is shown in the link above. Should be something like:
|
My certs are all from our internal CA. So both the server and the DC certs are from our company CA. I have imported my server's cert on the client and made sure SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2 are all active in the browser. If I bypass the CA check, will the app still process LDAPS connection? I ask because we can do LDAP (389) currently but our organization doesn't like passing credentials in cleartext. If I can bypass the CA and still process the transaction with LDAPS (port 636) then we will like to try that option. I get the following error from the code above SyntaxError: Unexpected identifier Thanks for your reply |
Are you making the request from the client / browser or from a Node backend?
Browser app (Like React) -> Nodejs Server -> AD
Browser app (Like React) -> AD
Bypassing the CA check will still allow secure connections, but will not validate the certificate to prevent man in the middle attacks. Think of it like clicking the continue anyway button on browsers when accessing a website that is using a self signed certificate. |
Browser app (Chrome) -> Nodejs Server -> AD
That sounds like an option I will like to try. The intranet site is already using port 443 signed by our local CA. The app will never be used on the internet (outside our domain). The only issue is the LDAPS and our security team don't like 389 so if I can bypass the CA check it would help. I wonder if the check is trying to go online to verify.....
/
https://github.com/felixrieseberg/windows-build-tools
Python
Make scratch directory, for example c:\server
Dealing with proxy issue
2.1) Change your NPM configuration to set proxies
npm config edit
proxy=http://:80/
https-proxy=http://:80/
2.2) Allow node to use additional GE certificates
Create file e.g. C:\certs\GEcerts.pem as text file combining GE_External_Certificate1.pem,GE_External_Certificate2.pem
https://nodejs.org/api/cli.html#cli_node_extra_ca_certs_file
2.3) Install node-pre-gyp
set NODE_EXTRA_CA_CERTS=C:\certs\GEcerts.pem
https://nodejs.org/api/cli.html#cli_node_extra_ca_certs_file
npm install node-pre-gyp -g
2.4) Either
1.4.1) directly install Python 2.7.x and VC++ Build tools 2015
OR
1.4.2) let npm do it for you. From Windows PowerShell (Administrator) session
cd c:\server
set-location env:
new-item -path . -name NODE_EXTRA_CA_CERTS -value C:\certs\GEcerts.pem
This is the Powershell equivalent of set NODE_EXTRA_CA_CERTS=C:\certs\GEcerts.pem
https://nodejs.org/api/cli.html#cli_node_extra_ca_certs_file
npm install --global --production windows-build-tools
https://github.com/felixrieseberg/windows-build-tools
1.5) set PYTHON=...path to python.exe
1.6) From "server" folder
npm install sqlite3 --build-from-source
/ |
Unfortunately NodeJS has a set list of CAs and does not use the server's certificate store. You will need to either load in the CA, which it looks like you were trying, or do the CA check bypass. There is some information and even a commit talking about using the server's certificate store, but I have never used it and am unsure if it's actually functional. Next time I'm on-site at my office that has a Windows domain I'll try making a connection using a self-signed certificate to see if it goes through smoothly. I don't see why it wouldn't, but I have never used a self-signed certificate with this library. You have probably already double checked these, but do you have port 636 open on the firewall and in this code block are you updating the ldapConfig.port variable to 636 when you change ldap to ldaps? The url parse method in ldapjs looks for ldap or ldaps and if no port is passed it will default it to 389 or 636. I normally don't pass it a port unless I'm working with someone who is using a strange port for their LDAP server. |
Yes that was what I suspected was happening. I suspected I needed to open firewall to make the registration happen. Our servers are hardened so I need to get through all that later. Yes I have port 636 opened from the server to the AD. My TELNET works and also LDAP ADMIN works on port 636 using SSL/TLS. The issue might be java script and maybe node area within the app. and can see that npm is clearly showing: so ldapurl = ldap://ServerName:389 works just fine. For now, are you able to help me bypass the CA check and I will deal with the online registry later. |
I tried your suggestion above and npm doesn't like it. It crashes because I am not a JS programmer. I am not doing something right. Can I list tlsOptions twice? |
No just replace your current TLS options with this one:
If the code you provided above is right it should look something like this:
|
Ok so npm didn't complain during startup. I went to the login page and tried signing in and then got the following: ERROR Fri Apr 13 2018 10:48:34 - TypeError: Cannot read property 'on' of undefined |
D:>node -v |
Well at least the certificate error is gone now. 👍 What version of ldapjs is in your package.json file? |
Based on the error you have and looking at previous issues, it looks like you likely have an old version of ldapjs installed. See #289 If this is the case I would try updating the library; over the time I have used this library I haven't noticed any breaking changes. If it does break something, alternatively you could downgrade to the older version of NodeJS if the rest of your app isn't using any of the newer features/API in NodeJS. |
I see "version": "0.7.1", |
I added ldapjs to my dependencies because I don't see it there per #289 and it still didn't work. Is my ldapjs too old? I also have node version 8.11.1 |
Can you paste what your package.json dependencies look like here? |
Yes sure. I just added this yesterday per case #289 "ldapjs": "mcavage/node-ldapjs#acc1ca8f4314fd9d67561feabc8ce4c235076a5e" |
The above line from that case is old, the newest version of ldapjs is what you want and will resolve the issue in the case. The latest version is 1.0.2, I would recommend using the npm update to update your packages. It normally will do all the dirty work for you. https://docs.npmjs.com/cli/update However I believe you said you did not have any entry for ldapjs in your package.json before this, is that correct? If that is true it must be a dependency of some other library or manually imported. |
Yes. Here is what it looked like: "dependencies": { I ran npm update and it flashed something and went back to the prompt. Not sure if I am supposed to see anything. |
Is this an app you or someone in your organization built? Do you know if all the dependencies were installed using npm or did they give you all the node_modules manually? |
No our vendor developed the app or maybe third party. I know I have been given ..\server\node_modules\ldapjs folder before to update just to try out things to fix the ldaps issue. I also see another package.json further up above the folders. Right now, I see npm is stuck after SyntaxError: Error parsing D:\JBoss\Eo\server\node_modules\ldapjs\package.json: Unexpected token } in JSON |
You should have a package.json further up in your app, likely in the server\ folder. Is that the package.json you pasted above? It should look something like this:
The package.json inside ldapjs folder belongs to the ldapjs library and you typically do not want to touch it. For reference here is the location of the ldapjs package.json that you wouldn't want to change: |
No I pasted the one inside of ldapjs folder. Here is the one from server\package.json "dependencies": { |
Perfect, okay so here is what I suggest you try doing.
I'm not sure why your contracted developers are working with such an old version, hopefully there were no breaking changes between ldapjs versions. Worst case if there is you can revert back to the old version. |
Would npm install need internet access or is it local to the server? |
It needs internet access, so if the server doesn't have internet you will need to do it on another computer and manually copy the folder. |
That is pretty old, here is the link to download it. https://nodejs.org/download/release/v0.10.36/ Download it and try running the app with that version, use the original set of node_modules you had made a back-up of. Those should be the right ones for this old version of Node if they were given to you by the developers. |
I already installed v8.11.1 and v9.8.0. How do I get NODE_MODULE_VERSION 59? The upgrade to v9.8.0 is asking for server\node_modules\sqlite3\lib\binding\node-v59-win32-x64\node_sqlite3.node |
You want to downgrade, not upgrade NodeJS. They developed on a version from early 2015.
Alternatively if you want to upgrade NodeJS you can keep trying to get the package working with the new updates, but you will need to get the ldapjs package updated. This does pose a risk that something they developed could be incompatible with the new version of ldapjs and or the newer NodeJS version you are using. Since you didn't develop the app I'd suggest downgrading, because we don't know what is in their app code. |
Yes the application works with v0.10.36 and v8.11.1. |
Looking at the NodeJS API docs that TLS option is still supported in v0.10.36, so you should be able to still use that setting with the older version of NodeJS. This should also avoid the incompatibility issue of new NodeJS and old ldapjs. Which is what caused this error: You most likely need to do one of the following:
|
Ok making sure I have the above |
AWESOME MR TASTYPACKETS.......YOU ARE THE MAN. Thanks for not giving up on me.... |
Does that mean you got it working? |
Yes sir. It was a little painful but we did it. Like you said....I went ahead and used your recommendation. So NodeJS v8 / ldapjs v1.0.2. Plus lots of dependencies... •Use NodeJS v8 + ldapjs v1.0.2 and add tlsOptions: { rejectUnauthorized: false} |
Awesome, glad we were able to get it sorted out! |
Can you mark this issue closed? |
Yes I can.
|
Thanks again. |
Hi @tastypackets, I am getting the same kind of issue but I can't update ldapjs as suggested. Is there a way to resolve the issue without updating the ldapjs? |
What version of Node and ldapjs are you using? Did you add the option to ignore certificate verification? tlsOptions: { rejectUnauthorized: false} |
Node : 6.13.0 Yes, I verified with changing tlsOptions and getting rid of the 2nd error, but still, I am seeing the 1st error. |
If for some reason you can not upgrade ldapjs, you'll likely need to downgrade your version of Node installed on the server. |
Without touching downgrade/Upgrade the node, can we fix the issue in code side? |
The second issue you are having is due to breaking changes between the Node and ldapjs versions. These are old and I'd encourage you to upgrade things for security, however if this was a 3rd party app and you are not comfortable updating the code I'd downgrade the Node version. To downgrade Node you simply install an older version on your server. I believe further up in this thread I posted a link to the old version of Node this person's developers used. If it's Windows simply uninstall Node and reinstall the correct executable for the version you need. If this is Linux I'd recommend using NVM to install the version you need. Do you still have contact with the original author? Perhaps they can tell you what version of Node they developed on. If not, based on that ldapjs version I'd guess it's a pretty old version of Node, like the one discussed earlier in this thread. Sorry I'm on my cell phone in bed, if you haven't figured it out by tomorrow I'll write up some better directions when I'm at a full keyboard. |
Are you working on NVP or EOWeb application?
On Thu, Nov 8, 2018 at 2:20 AM, sridharksetti<[email protected]> wrote:
Thanks for the prompt response.
I haven't downgraded/upgraded the version..
Just tried by giving certificates in tlsOptions
one error was fixed
Next found that close socket is returning unset in client.js, so I modified client.js file to set closeSocket value with "socket" directly as shown below.
No idea what is happened inside, but the issue was resolved and getting authentication passed.
Can you suggest, is it a correct fix?.
|
Yes, nvp |
Sorry I never replied to you. I'm on my cell phone again, but I'll try my best to type this out. In your ActiveDirectoryLdapAuth function I see you use fs read sync. While this is correct every time this function calls it'll do a synchronous read to the file system which isn't normally a good idea in Node. It's probably better to import this CA on startup of your application. For the second part that should work, in newer version of Node. However I don't know your full code or the old ldapjs, so I can't guarantee 100% you won't have an issue. You also could just delete closeSocket and rename the event listener to socket.on, because you are just making a pointer to that. Anyway long story short, looks like it'll work okay just not really what I'd normally do or recommend. You should probably have this app looked at / upgraded. Never heard of NVP. |
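Added example, not part of the thread and not code from ldapjs or from either poster: one way to keep certificate verification on for LDAPS against an internal CA, instead of `rejectUnauthorized: false`, by loading the CA bundle once at startup and passing it as `tlsOptions.ca`. The helper names, the `dc01.corp.example` host and the CA file path are hypothetical, and two of Node's bundled roots stand in for the company CA file.

```javascript
// Added example (not from the thread). Builds ldapjs client options that keep
// certificate verification ON by trusting the internal CA explicitly.
const crypto = require('crypto');
const tls = require('tls');

// Constructed sample input: two public roots shipped with Node stand in for
// the company CA file (the kind of PEM that NODE_EXTRA_CA_CERTS points at).
const SAMPLE_CA_BUNDLE = tls.rootCertificates.slice(0, 2).join('\n');

// Split a PEM bundle into its individual certificates.
function splitPemBundle(text) {
  const re = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;
  return text.match(re) || [];
}

// Parse every certificate once, at startup, and fail fast on a bad bundle
// rather than discovering it during the first login attempt.
function loadCaBundle(text, now = new Date()) {
  const pems = splitPemBundle(text);
  if (pems.length === 0) throw new Error('CA bundle contains no certificates');
  for (const pem of pems) {
    const cert = new crypto.X509Certificate(pem); // throws on malformed PEM
    if (now < new Date(cert.validFrom) || now > new Date(cert.validTo)) {
      throw new Error(`CA certificate outside validity window: ${cert.subject}`);
    }
  }
  return pems;
}

// Options object for ldapjs.createClient(); `url` and `tlsOptions` are the
// option names already used in the thread.
function ldapsClientOptions(ldapUrl, caPems) {
  const u = new URL(ldapUrl);
  if (u.protocol !== 'ldaps:') {
    throw new Error(`refusing ${u.protocol}// - bind credentials would be sent in cleartext`);
  }
  return {
    url: `ldaps://${u.hostname}:${u.port || 636}`, // 636 is the LDAPS default
    tlsOptions: {
      ca: caPems,               // trust only the internal CA chain
      rejectUnauthorized: true, // keep chain and hostname verification
    },
  };
}

// At startup (hypothetical path and host, shown as comments because ldapjs
// is not bundled with this example):
//   const CA = loadCaBundle(fs.readFileSync('C:\\certs\\internal-ca.pem', 'utf8'));
//   const client = ldapjs.createClient(ldapsClientOptions('ldaps://dc01.corp.example', CA));
```

Because `ca` replaces Node's default trust list for that connection, the DC certificate must chain to a certificate in the bundle and its name must match the host in the URL.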
I tried everything I could to avoid upgrading and ultimately I had to. I followed Ezekiel's steps and he got us fixed. We have both NVP and EOWeb in our environment.
GE Network Viewer - NVP
GE Electric Office Web - EOWeb
Thanks, Eshovo
|
Wow that's interesting, does GE not update this software or is it just an older version? It seems strange for them to be using an outdated code base. |
Mr. Tastypackets,
They like to move to the next version of the application which may not have the fix. I think you have to report it as either a bug or enhancement request to get it in the next release of the application.
Change is not easy to do. So I like to fix the version I have because of all the custom changes we have included and getting approvals to implement in prod.
For this user,
Take a look at Tastypacket's steps from April 16th 2018 above. If you are trying to use ldaps, get a separate machine, install NodeJS v8 from https://nodejs.org/en/
Paste your dependencies from server\node_modules\ldapjs\package.json here.
Your goal would be to get nodejs v8 and ldapjs v1.0.2 (run npm install or npm update from cmd). Take notes of all your directories.
Run node -v
Run npm -v
|
Thanks for your inputs .. I will try your input and let you know the result. |
Please include a minimal reproducible example |
For some reason I am not able to authenticate securely with AD. I am able to do ldap but not ldaps.
I see two types of errors:
TypeError: Cannot read property 'on' of undefined
Uncaught Exception: unable to get local issuer certificate
I am currently trying Node v8