
Conversation

@srosenhamer

@srosenhamer srosenhamer commented Jun 29, 2023

Description

In configuring this connector for use with our FreeIPA ldap server we found that we were unable to authenticate using an email address even though the FreeIPA configuration supports it. After working with the auth0 support team, ticket #02310390, it was determined that the email authentication may be failing due to the fact that the connector defaults to anonymous search if that is enabled on the server even if bind credentials are specified. This is likely due to the limited amount of user data provided by the server under anonymous search. I did some testing and found that if the bind credentials were used instead of anonymous search then the email authentication would succeed. In our case, we are unable to disable anonymous search at this time on our FreeIPA server due to several factors, so we needed a different solution.

What I came up with is this pull request which adds a setting to the config.json named LDAP_PREFER_BIND_CREDENTIALS. When set to true, and with just a few lines of code changed, the communication with the ldap server is done via the specified LDAP_BIND_USER and LDAP_BIND_PASSWORD rather than the anonymous search.

References

https://support.auth0.com/tickets/02310390 - not sure if you're able to access the support ticket from that link, but there it is anyway.

Testing

This was tested in our environment by replacing lib/ldap.js and server.js on our running connector with the versions in this pull request. Prior to the change, authentication by email would always fail with the following message logged:

Jun 29 13:15:33 auth0-ldap-connector node[2569]: [2023-06-29 13:15:33] user steve.rosenhamer@adfitech.com: Starting authentication attempt.
Jun 29 13:15:33 auth0-ldap-connector node[2569]: [2023-06-29 13:15:33] user steve.rosenhamer@adfitech.com: Authentication attempt failed. Reason: wrong username

After the files were replaced, authentication succeeds:

Jun 29 13:47:16 auth0-ldap-connector node[2711]: [2023-06-29 13:47:16] user steve.rosenhamer@adfitech.com: Starting authentication attempt.
Jun 29 13:47:16 auth0-ldap-connector node[2711]: [2023-06-29 13:47:16] user steve.rosenhamer@adfitech.com: Queueing bind with DN "uid=spr,cn=users,cn=accounts,dc=adfitech,dc=com"
Jun 29 13:47:16 auth0-ldap-connector node[2711]: [2023-06-29 13:47:16] user steve.rosenhamer@adfitech.com: Bind OK.
Jun 29 13:47:16 auth0-ldap-connector node[2711]: [2023-06-29 13:47:16] user steve.rosenhamer@adfitech.com: Enrich profile.
Jun 29 13:47:16 auth0-ldap-connector node[2711]: [2023-06-29 13:47:16] user steve.rosenhamer@adfitech.com: Enrich profile OK.
Jun 29 13:47:16 auth0-ldap-connector node[2711]: [2023-06-29 13:47:16] user steve.rosenhamer@adfitech.com: Authentication succeeded.

Checklist

Stephen Rosenhamer added 2 commits June 29, 2023 09:00
@srosenhamer srosenhamer requested a review from a team as a code owner June 29, 2023 14:37
@srosenhamer srosenhamer requested review from gausnes and ubenzer June 29, 2023 14:37
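The following is an added illustration of the failure mode the pull request describes; it is not the connector's code and not the PR author's patch. It models a directory whose anonymous searches cannot match on the `mail` attribute (a hypothetical access rule standing in for the "limited amount of user data" FreeIPA exposes anonymously), and a search-mode selector that behaves as the post describes: with bind credentials configured the connector still searches anonymously when the server allows it, unless `LDAP_PREFER_BIND_CREDENTIALS` is set. The `serverAllowsAnonymous` argument, the `search`/`resolveUser` helpers and all directory data are constructed for this example.

```javascript
// Added example (not the connector's code): how the choice between anonymous
// search and bind-credential search decides whether an e-mail login resolves.

// Constructed directory entry; the DN layout follows the FreeIPA pattern seen
// in the PR's log lines, with an example.com domain substituted.
const DIRECTORY = [
  {
    dn: 'uid=spr,cn=users,cn=accounts,dc=example,dc=com',
    attrs: { uid: 'spr', cn: 'Stephen Rosenhamer', mail: 'spr@example.com' },
  },
];

// Hypothetical access rule: an anonymous search may only match on these
// attributes. In real directories a filter on an attribute the caller cannot
// read evaluates to "no match", which is the behaviour modelled here.
const ANONYMOUS_SEARCHABLE = new Set(['uid', 'cn']);

// Simulated LDAP search. `mode` is 'anonymous' or 'bind'.
function search(filterAttr, value, mode) {
  if (mode === 'anonymous' && !ANONYMOUS_SEARCHABLE.has(filterAttr)) return [];
  return DIRECTORY.filter((entry) => entry.attrs[filterAttr] === value);
}

// Values read from config.json may arrive as strings; accept "true" as well.
function isTruthyFlag(value) {
  return value === true || String(value).toLowerCase() === 'true';
}

// Pick the search mode. Default behaviour as described in the post: anonymous
// search whenever the server permits it, even with bind credentials present.
// LDAP_PREFER_BIND_CREDENTIALS forces the bind credentials to be used.
function chooseSearchMode(config, serverAllowsAnonymous) {
  const haveBindCreds = Boolean(config.LDAP_BIND_USER && config.LDAP_BIND_PASSWORD);
  if (!haveBindCreds) return 'anonymous';
  if (isTruthyFlag(config.LDAP_PREFER_BIND_CREDENTIALS)) return 'bind';
  return serverAllowsAnonymous ? 'anonymous' : 'bind';
}

// Resolve a login identifier (uid or e-mail) to a DN. Returns the mode used
// plus either the DN or the failure reason the connector would log.
function resolveUser(identifier, config, serverAllowsAnonymous) {
  const mode = chooseSearchMode(config, serverAllowsAnonymous);
  const filterAttr = identifier.includes('@') ? 'mail' : 'uid';
  const matches = search(filterAttr, identifier, mode);
  if (matches.length !== 1) return { mode, dn: null, reason: 'wrong username' };
  return { mode, dn: matches[0].dn, reason: null };
}

// Stand-alone demonstration with a constructed service-account config.
const demoConfig = {
  LDAP_BIND_USER: 'uid=svc,cn=users,cn=accounts,dc=example,dc=com',
  LDAP_BIND_PASSWORD: 'placeholder-password',
};
console.log('default:', resolveUser('spr@example.com', demoConfig, true));
console.log(
  'prefer bind:',
  resolveUser('spr@example.com', { ...demoConfig, LDAP_PREFER_BIND_CREDENTIALS: 'true' }, true),
);
```

With the default configuration the e-mail login comes back as `wrong username` even though bind credentials are configured, matching the first log excerpt; setting the flag routes the same lookup through the bind credentials and it resolves to the DN. Logging the chosen mode alongside the failure reason is what makes this class of misconfiguration easy to spot in the connector's output.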