Thanks to the help of the guys from GitHub, I resolved my first problem.
But it turned out that this is not all. The problem was that if the account is in the OU with Cyrillic symbols, I will still get the same error. If I use ldapsearch to check the correctness and incorrectness of the accounts, it turns out that if the OU name uses Cyrillic symbols, I will get a base64 response, and after dn there will be two colons instead of one. I think this is the problem. Is it possible to fix this?
Steps to reproduce
I have correctly configured the plugin as described here
After that I try to log in with two different accounts.
2.1 CN=test.peertube2,OU=IT,DC=example,DC=local. All is well and there are no errors.
2.2 CN=test.peertube3,OU=Департамент чудес,OU=Cubic,DC=example,DC=local and I get an error.
[peertube-dev.example.com:443] 2024-09-13 07:54:58.670 info: 10.17.82.63 - - [13/Sep/2024:07:54:58 +0000] "POST /api/v1/server/logs/client HTTP/1.0" 204 - "https://peertube-dev.example.com/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36"
[peertube-dev.example.com:443 peertube-plugin-auth-ldap] 2024-09-13 07:55:20.170 warn: Cannot login test.peertube3 in LDAP plugin. {
"err": {
"stack": "InvalidCredentialsError: Invalid Credentials\n at messageCallback (/data/plugins/node_modules/ldapjs/lib/client/client.js:1267:45)\n at Parser.onMessage (/data/plugins/node_modules/ldapjs/lib/client/client.js:925:14)\n at Parser.emit (node:events:517:28)\n at Parser.write (/data/plugins/node_modules/ldapjs/lib/messages/parser.js:135:8)\n at Socket.onData (/data/plugins/node_modules/ldapjs/lib/client/client.js:875:22)\n at Socket.emit (node:events:517:28)\n at addChunk (node:internal/streams/readable:368:12)\n at readableAddChunk (node:internal/streams/readable:341:9)\n at Readable.push (node:internal/streams/readable:278:10)\n at TCP.onStreamRead (node:internal/stream_base_commons:190:23)",
"lde_message": "Invalid Credentials",
"lde_dn": null
}
}
[peertube-dev.example.com:443] 2024-09-13 07:55:20.198 warn: Login error {
"err": {
"stack": "invalid_grant: Invalid grant: user credentials are invalid\n at handlePasswordGrant (file:///app/dist/core/lib/auth/oauth.js:112:15)\n at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n at async handleToken (file:///app/dist/core/controllers/api/users/token.js:32:23)",
"message": "Invalid grant: user credentials are invalid",
"statusCode": 400,
"status": 400,
"code": 400,
"name": "invalid_grant"
}
}
[peertube-dev.example.com:443] 2024-09-13 07:55:20.201 info: 10.17.82.63 - - [13/Sep/2024:07:55:20 +0000] "POST /api/v1/users/token HTTP/1.0" 400 325 "https://peertube-dev.example.com/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36"
[peertube-dev.example.com:443] 2024-09-13 07:55:20.268 error: Client log: Backend returned code 400, errorMessage is: Invalid grant: user credentials are invalid {
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36",
"meta": "{\"url\":\"https://peertube-dev.example.com/api/v1/users/token\"}",
"url": "https://peertube-dev.example.com/login"
}
Please note that in the error response we see the following:
If I check them with ldapsearch, I get the following results:
ldapsearch -H ldap://dc.example.local -x -W -D "[email protected]" -b "DC=example,DC=local" "(sAMAccountName=test.peertube2)"
dn: CN=test.peertube2,OU=IT,DC=example,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: test.peertube2
sn: test.peertube2
distinguishedName: CN=test.peertube2,OU=IT,DC=example,DC=local
ldapsearch -H ldap://dc.example.local -x -W -D "[email protected]" -b "DC=example,DC=local" "(sAMAccountName=test.peertube3)"
dn:: Q049dGVzdC5wZWVydHViZTMsT1U90JTQtdC/0LDRgNGC0LDQvNC10L3RgiDRh9GD0LTQtdGBLE9VPUN1YmljLERDPWV4YW1wbGUsREM9bG9jYWw=
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: test.peertube3
sn: test.peertube3
distinguishedName:: Q049dGVzdC5wZWVydHViZTMsT1U90JTQtdC/0LDRgNGC0LDQvNC10L3RgiDRh9GD0LTQtdGBLE9VPUN1YmljLERDPWV4YW1wbGUsREM9bG9jYWw=
Describe the expected behavior
I must enter with an AD user
Additional information
PeerTube instance:
Version: 6.2.1
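
The `dn::` lines in the ldapsearch output above are LDIF (RFC 2849) notation: a double colon marks a value written as base64 of its UTF-8 bytes, which a writer must use whenever the value is not plain ASCII. The following is an added example, not part of the original issue or of the plugin's code; `parseLdifEntry` and `needsBase64` are hypothetical helper names, and the folded sample is constructed from the issue's own value. It decodes such output in Node.js so the DN can be compared with the one expected in the directory.

```javascript
// Added example: minimal reader for the LDIF that ldapsearch prints (RFC 2849).
// "attr: value" is a literal SAFE-STRING; "attr:: value" is base64 of the UTF-8 value.

// Constructed sample: the second ldapsearch result from the issue, with the dn
// line folded as LDIF allows (a continuation line starts with one space).
const SAMPLE_LDIF = [
  'dn:: Q049dGVzdC5wZWVydHViZTMsT1U90JTQtdC/0LDRgNGC0LDQvNC10L3RgiDRh9GD0LTQtdGBLE9V',
  ' PUN1YmljLERDPWV4YW1wbGUsREM9bG9jYWw=',
  'objectClass: top',
  'objectClass: user',
  'cn: test.peertube3',
].join('\n');

// fatal: true makes the decoder throw on bytes that are not valid UTF-8
// instead of silently substituting U+FFFD.
const utf8 = new TextDecoder('utf-8', { fatal: true });

// Parse one LDIF entry into { attributeName: [values...] }.
function parseLdifEntry(text) {
  // Unfold first: newline followed by a single space continues the previous line.
  const lines = text.replace(/\r?\n /g, '').split(/\r?\n/);
  const entry = {};
  for (const line of lines) {
    if (line === '' || line.startsWith('#')) continue; // blank line or comment
    const m = /^([A-Za-z0-9.;-]+):(:|<)? *(.*)$/.exec(line);
    if (!m) throw new Error(`not an LDIF attribute line: ${line}`);
    const [, attr, marker, raw] = m;
    if (marker === '<') throw new Error(`URL-valued attribute not handled: ${attr}`);
    // "::" means the rest of the line is base64; otherwise it is the value itself.
    const value = marker === ':' ? utf8.decode(Buffer.from(raw, 'base64')) : raw;
    (entry[attr] = entry[attr] || []).push(value);
  }
  return entry;
}

// RFC 2849 SAFE-STRING check: true when a writer has to use the "::" form.
function needsBase64(value) {
  return /[^\x01-\x7f]|[\r\n]/.test(value) // NUL, CR, LF or any non-ASCII character
    || /^[ :<]/.test(value)                // unsafe first character
    || / $/.test(value);                   // trailing space
}

console.log(parseLdifEntry(SAMPLE_LDIF).dn[0]);
```

The decoded value is the same DN as in step 2.2, so the double colon reflects how ldapsearch prints a non-ASCII value rather than a different kind of directory entry.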
getsueineko changed the title on Sep 13, 2024
from: Auth LDAP and cyrillic letters in OU. Backend returned code 400, errorMessage is: Invalid grant: user credentials are invalid
to: Auth LDAP and cyrillic letters in OU. "lde_dn": null. Backend returned code 400, errorMessage is: Invalid grant: user credentials are invalid