ahaenggli/AzureAD-LDAP-wrapper

gitlab-ce integration not working due to ldapjs limitation

andreimirt opened this issue · 3 comments

ldapjs with a version lower than 3 does not support filtering using userAccountControl:1.2.840.113556.1.4.803 (as far as I understand things), but it does with the release of version 3, according to ldapjs/node-ldapjs#439

Am I even interpreting things correctly? If so, are there any plans of moving to ldapjs v3?
If I'm misunderstanding things, is there a workaround to integrate with gitlab-ce?

Somewhat unrelated, I believe that with ldapjs v3 MFA would also be possible.

My log looks like this:

INFO: 2023-04-07T20:00:04.236Z:  server.js server.search Search for => DB: uid=existing.user,cn=users,dc=mydomain,dc=tld; Scope: base; Filter: (userAccountControl:1.2.840.113556.1.4.803:=2); Attributes: dn;
INFO: 2023-04-07T20:00:04.237Z:  server.js server.search searchableEntries NOT modified 17
ERROR: 2023-04-07T20:00:04.238Z:  server.js server.search Error: ext match implementation missing
    at ExtensibleFilter.matches (/app/node_modules/ldap-filter/lib/ext_filter.js:81:9)
    at Server.<anonymous> (/app/server.js:312:32)
    at messageIIFE (/app/node_modules/ldapjs/lib/server.js:407:63)
    at Server.authorize (/app/server.js:116:12)
    at messageIIFE (/app/node_modules/ldapjs/lib/server.js:407:63)
    at Parser.<anonymous> (/app/node_modules/ldapjs/lib/server.js:430:8)
    at Parser.emit (node:events:513:28)
    at Parser.write (/app/node_modules/ldapjs/lib/messages/parser.js:107:8)
    at Socket.<anonymous> (/app/node_modules/ldapjs/lib/server.js:449:19)
    at Socket.emit (node:events:513:28)

ldapjs
Your interpretation is unfortunately wrong. With v3, all tickets were simply closed so that the developers have an overview again. None of this (or very little) was actually implemented.

Move to ldapjs v3
Yes, the change is planned. But currently there are still some problems with the latest version of ldapjs. As soon as all problems are solved, a new version of the wrapper will be released, which will then also be based on ldapjs v3.

MFA
LDAP as a protocol is not designed to support MFA. For a proper MFA the login window of Azure must be shown. Not the username/password fields of the respective application. Workarounds to MFA have recently been described here in the guide.

Thanks for the explanation. At a second read of the ldapjs issues, with your comment in mind, everything is much clearer.
I suppose you are not aware of any workaround for the Filter: (userAccountControl:1.2.840.113556.1.4.803:=2);, as you would have probably mentioned it. Based on the error alone, it looks as if I should be able to create an extensible filter (for whatever that is) specifically for this. I probably won't do it, as I'd have to first figure it out, and then not be able to easily upgrade to your next version. I'll open an issue on ldapjs for v3, and maybe it will get implemented there.

I'll keep an eye on ldapjs and your wrapper. Thanks!

MFA is not important for me, but I can't seem to be able to disable it, even though security defaults are disabled, per-user MFA is disabled, and I don't have access to conditional access, as I use 365 standard (only premium and up have conditional access). I guess I'll figure it out with Microsoft.

Thank you for your response and for sharing your understanding of the issue. Filters in LDAP heavily depend on the backend, and there is no default way to implement such filters. The filter (userAccountControl:1.2.840.113556.1.4.803:=2) is specific to Active Directory, and neither this wrapper nor ldapjs are meant to be a fully implemented AD.

Given a quick view into the docs of gitlab, I would suggest one of those options:

Regarding your question about MFA, if it is not important for you, but you can't seem to disable it, you could try to set the environment variable GRAPH_IGNORE_MFA_ERRORS for the wrapper.
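Added example, not part of this thread and not code from AzureAD-LDAP-wrapper or from ldapjs/ldap-filter: the "ext match implementation missing" error above is ldap-filter refusing to evaluate an extensible-match filter, and the rule in GitLab's filter is an Active Directory one. The OID 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND (match if all bits of the value are set), 1.2.840.113556.1.4.804 is LDAP_MATCHING_RULE_BIT_OR (match if any bit is set), and bit 2 of userAccountControl is ACCOUNTDISABLE, which is why GitLab's base-scope search on the user's own DN with that filter tells it whether the account is disabled. The code below parses that filter shape and evaluates both bitwise rules against an entry; the entry shape (plain object, attribute names compared case-insensitively), the function names and the sample entries are assumptions made for this example.

```javascript
// Added example (not code from AzureAD-LDAP-wrapper or ldapjs/ldap-filter):
// evaluating Active Directory's bitwise extensible-match rules, the piece that
// ldap-filter reports as "ext match implementation missing" when GitLab sends
// (userAccountControl:1.2.840.113556.1.4.803:=2). Rule OIDs and the
// ACCOUNTDISABLE bit are Microsoft's; entry shape, function names and sample
// entries are assumptions for this example.

const BIT_AND = '1.2.840.113556.1.4.803'; // LDAP_MATCHING_RULE_BIT_AND
const BIT_OR = '1.2.840.113556.1.4.804';  // LDAP_MATCHING_RULE_BIT_OR
const ACCOUNTDISABLE = 2n;                // userAccountControl bit 0x0002

// Parse one extensible-match filter written as "(attr:rule:=value)".
// Only that shape is accepted; ":dn:" and rule-only forms are rejected
// instead of being guessed at, so they cannot silently match everything.
function parseExtensibleFilter(text) {
  const re = /^\((?<attr>[A-Za-z][A-Za-z0-9-]*):(?<rule>\d+(?:\.\d+)*):=(?<value>[^)]*)\)$/;
  const m = re.exec(text.trim());
  if (!m) throw new Error(`unsupported extensible filter: ${text}`);
  return { attr: m.groups.attr, rule: m.groups.rule, value: m.groups.value };
}

// Evaluate a parsed bitwise filter against one entry: an object whose keys are
// attribute names (compared case-insensitively) and whose values are strings,
// numbers or arrays of those. Unknown rules throw rather than quietly matching
// or not matching, so an unsupported filter stays visible in the server log.
function matchesExtensible(filter, entry) {
  if (filter.rule !== BIT_AND && filter.rule !== BIT_OR) {
    throw new Error(`ext match implementation missing for rule ${filter.rule}`);
  }
  if (!/^\d+$/.test(filter.value)) {
    throw new Error(`bitwise rule needs a non-negative integer, got "${filter.value}"`);
  }
  const mask = BigInt(filter.value); // BigInt avoids JS 32-bit bitwise truncation
  const key = Object.keys(entry).find((k) => k.toLowerCase() === filter.attr.toLowerCase());
  if (key === undefined) return false; // an absent attribute never matches
  const raw = entry[key];
  const values = (Array.isArray(raw) ? raw : [raw]).map(String);
  // A multi-valued attribute matches if any value satisfies the rule; values
  // that are not integers are skipped because the rule is undefined for them.
  return values.some((v) => {
    if (!/^\d+$/.test(v)) return false;
    const bits = BigInt(v);
    return filter.rule === BIT_AND ? (bits & mask) === mask : (bits & mask) !== 0n;
  });
}

// The exact check from the log in this issue: is the ACCOUNTDISABLE bit set?
const GITLAB_DISABLED_FILTER = `(userAccountControl:${BIT_AND}:=${ACCOUNTDISABLE})`;

function isAccountDisabled(entry) {
  return matchesExtensible(parseExtensibleFilter(GITLAB_DISABLED_FILTER), entry);
}

// Constructed sample entries (not data from the wrapper or from any tenant).
const SAMPLE_ENTRIES = {
  'uid=existing.user,cn=users,dc=mydomain,dc=tld': { userAccountControl: '512' }, // NORMAL_ACCOUNT
  'uid=disabled.user,cn=users,dc=mydomain,dc=tld': { userAccountControl: '514' }, // NORMAL_ACCOUNT | ACCOUNTDISABLE
  'uid=no.uac,cn=users,dc=mydomain,dc=tld': { mail: 'no.uac@mydomain.tld' },      // attribute missing
};

for (const [dn, entry] of Object.entries(SAMPLE_ENTRIES)) {
  console.log(`${dn}: ${isAccountDisabled(entry) ? 'disabled (GitLab would block)' : 'enabled'}`);
}
```

Wiring this into ldapjs's filter objects is deliberately left out: the ldap-filter API differs between the v2 and v3 lines and this thread does not show which one the wrapper ends up on. Note also that the match is only meaningful if the wrapper exposes a userAccountControl attribute at all; an assumption here is that such a value would have to be derived from Azure AD's accountEnabled flag, since the wrapper does not present a real AD schema.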