There are several ways to authenticate a user against an external LDAP server. I was given the task of allowing our web application to authenticate against an external SunOne directory server. There is quite a bit of documentation detailing how to authenticate against Active Directory from a web application, but much less about how to authenticate against other third-party LDAP servers. I have been able to get our web application working against OpenLDAP as well as SunOne. SSL was required by the SunOne server, and I will also detail some tips on getting that working.
The simplest form is authentication against Active Directory, which the following code accomplishes. The hostname can be left as an empty string, in which case it automatically uses the local host that your .NET code is executing on. If your web/IIS server is a member of your Active Directory domain, this works really well.
Dim Entry As New System.DirectoryServices.DirectoryEntry(hostname, username, password, System.DirectoryServices.AuthenticationTypes.Secure)
Dim Searcher As New System.DirectoryServices.DirectorySearcher(Entry)
Searcher.SearchScope = System.DirectoryServices.SearchScope.Subtree
Try
    ' FindOne forces the bind with the supplied credentials and throws if they are rejected
    Dim Results As System.DirectoryServices.SearchResult = Searcher.FindOne()
    Response.Write("<b>It Worked</b>")
Catch ex As Exception
    Response.Write("Error authenticating user. " & ex.Message)
End Try
For standard LDAP, many of the examples found on the net create a new search and then run it looking for the user's information. For the AuthenticationTypes value you can choose None for a standard socket connection or SecureSocketsLayer for an SSL connection.
Dim at As System.DirectoryServices.AuthenticationTypes
at = System.DirectoryServices.AuthenticationTypes.None
' domainAndUsername holds the LDAP path to bind to (for example LDAP://host:389/dc=example,dc=com, an assumed value)
Dim entry As System.DirectoryServices.DirectoryEntry = New System.DirectoryServices.DirectoryEntry(domainAndUsername, LuserName, LpassWord, at)
Try
    Dim search As System.DirectoryServices.DirectorySearcher = New System.DirectoryServices.DirectorySearcher(entry)
    search.SearchScope = System.DirectoryServices.SearchScope.Subtree
    search.Filter = "(objectClass=*)"   ' LDAP filters are written in parentheses
    Dim result As System.DirectoryServices.SearchResult = search.FindOne()
    Response.Write("You were authenticated correctly")
Catch ex As Exception
    Response.Write("Error authenticating user. " & ex.Message)
End Try
Alternate LDAP Method
An alternate method is to bind without a search. I ran into a case where normal user accounts on the LDAP server had search privileges revoked, which caused problems trying to use the above method. The alternate method I came up with was to query the directory name and check the status of that call.
Dim at As System.DirectoryServices.AuthenticationTypes
at = System.DirectoryServices.AuthenticationTypes.None
Dim entry As System.DirectoryServices.DirectoryEntry = New System.DirectoryServices.DirectoryEntry(domainAndUsername, LuserName, LpassWord, at)
Dim serverName As String = ""
Try
    ' Reading Name forces the bind; it throws if the credentials are rejected, and needs no search privilege
    serverName = entry.Name
    Response.Write("You are authenticated")
Catch ex As Exception
    Response.Write("Error Authenticating user. " & ex.Message)
End Try
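The three snippets above (Active Directory with Secure, third-party LDAP with None, and the bind-only method) can be folded into one helper. The following is an added example written for this post, not the post's own code or that of any directory product. It uses the bind-only approach, so it works for accounts without search rights, distinguishes rejected credentials from server errors, and refuses empty credentials before binding, because an LDAP simple bind with an empty password is an anonymous bind that most servers accept. The host names, the port numbers, the DN layout and the sample user are assumptions.

```vbnet
' Added example, not code from the original post. One helper covering the
' three scenarios above: Active Directory with AuthenticationTypes.Secure, a
' third-party LDAP server over a plain socket (None) and the same server over
' SSL. Host names, ports and DN formats are assumed values.
Imports System
Imports System.DirectoryServices
Imports System.Runtime.InteropServices

Public Module LdapAuth

    Public Enum BindResult
        Success            ' credentials accepted by the directory
        InvalidCredentials ' directory rejected the user name or password
        ServerError        ' could not reach or talk to the directory
    End Enum

    ' ERROR_LOGON_FAILURE as an HRESULT; ADSI reports rejected credentials
    ' (LDAP result 49, invalidCredentials) with this code.
    Private Const LogonFailure As Integer = &H8007052E

    ' path:     LDAP path to bind to, e.g. "LDAP://ldap.example.com:636" (assumed host)
    ' userName: "DOMAIN\user" for Active Directory, or the full DN for SunOne/OpenLDAP,
    '           e.g. "uid=jdoe,ou=People,dc=example,dc=com" (assumed directory layout)
    Public Function Authenticate(path As String, userName As String, password As String,
                                 authType As AuthenticationTypes) As BindResult
        ' Refuse empty credentials before touching the network: a simple bind with
        ' an empty password is an anonymous bind, which most servers accept, so the
        ' Try block below would otherwise report Success for a user who proved nothing.
        If String.IsNullOrEmpty(userName) OrElse String.IsNullOrEmpty(password) Then
            Return BindResult.InvalidCredentials
        End If

        Try
            Using entry As New DirectoryEntry(path, userName, password, authType)
                ' Reading Name forces the bind, as in the post's alternate method;
                ' no search privilege is needed.
                Dim boundAs As String = entry.Name
                Return BindResult.Success
            End Using
        Catch ex As COMException When ex.ErrorCode = LogonFailure
            Return BindResult.InvalidCredentials
        Catch ex As COMException
            ' Log the detail server side; do not echo ex.Message to the browser as the
            ' snippets above do, since it describes the directory to whoever is typing.
            Console.Error.WriteLine("LDAP bind error 0x{0:X8}: {1}", ex.ErrorCode, ex.Message)
            Return BindResult.ServerError
        End Try
    End Function

    Sub Main()
        ' Active Directory: an empty path means the local domain, as in the first snippet.
        Console.WriteLine(Authenticate("", "EXAMPLE\jdoe", "p@ssw0rd", AuthenticationTypes.Secure))

        ' Third-party LDAP over a plain socket: the simple bind sends the password in
        ' clear text, so this belongs only on a network you trust.
        Console.WriteLine(Authenticate("LDAP://ldap.example.com:389",
                                       "uid=jdoe,ou=People,dc=example,dc=com", "p@ssw0rd",
                                       AuthenticationTypes.None))

        ' Same server over SSL on 636; fails if the server certificate is not trusted.
        Console.WriteLine(Authenticate("LDAP://ldap.example.com:636",
                                       "uid=jdoe,ou=People,dc=example,dc=com", "p@ssw0rd",
                                       AuthenticationTypes.SecureSocketsLayer))
    End Sub
End Module
```

The `Using` block disposes the DirectoryEntry so the bound connection is released, and the two `Catch` clauses keep the caller from treating "server unreachable" as "wrong password" (or the reverse). Returning an enum instead of writing to the response keeps the directory's error text out of the page the user sees.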
There are three main reasons that SSL won’t work:
Essentially, these are the same reasons you get a certificate warning dialog in IE, except that LDAP always fails on these conditions. A very good way to test whether the machine your code is running on is set up properly with a valid certificate is the ldp.exe tool, which uses the same .NET connection services that you will be leveraging in your code. I have been able to troubleshoot and resolve several installations by using this tool to show that the issue was with the machine setup, not with our product. You can find the ldp.exe utility on the Server 2003 tools CD or download it from Microsoft.
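Where ldp.exe tells you that the SSL connection fails, the following added example (written for this post, not the post's or any vendor's code) tells you why. It binds over SSL with System.DirectoryServices.Protocols, a different .NET API from the DirectoryEntry code above, and inspects the server certificate in a callback before the bind is allowed to proceed, printing the chain status, the validity period and whether the certificate name matches the host that was dialled. The host, port, DN and password are assumed values.

```vbnet
' Added example, not code from the original post. Diagnoses why an SSL bind to
' an LDAP server fails by checking the server certificate the same way the
' connection itself will. Host, port, DN and password are assumed values.
Imports System
Imports System.DirectoryServices.Protocols
Imports System.Net
Imports System.Security.Cryptography.X509Certificates

Public Module LdapSslCheck

    ' Runs during the SSL handshake; returning False aborts the connection.
    Private Function VerifyServerCertificate(connection As LdapConnection,
                                             certificate As X509Certificate) As Boolean
        Dim cert As New X509Certificate2(certificate)
        Dim host As String = DirectCast(connection.Directory, LdapDirectoryIdentifier).Servers(0)

        ' Build the chain against this machine's trusted root store. Each ChainStatus
        ' entry names what is wrong (e.g. UntrustedRoot, NotTimeValid, PartialChain).
        Dim chain As New X509Chain()
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online
        Dim chainOk As Boolean = chain.Build(cert)
        For Each status As X509ChainStatus In chain.ChainStatus
            Console.WriteLine("  chain: {0} - {1}", status.Status, status.StatusInformation.Trim())
        Next

        ' Compare the host we dialled with the name in the certificate
        ' (first DNS name from the subject alternative name, else the subject CN).
        Dim certHost As String = cert.GetNameInfo(X509NameType.DnsName, False)
        Dim nameOk As Boolean = String.Equals(certHost, host, StringComparison.OrdinalIgnoreCase)

        Console.WriteLine("  subject: {0}", cert.Subject)
        Console.WriteLine("  issuer:  {0}", cert.Issuer)
        Console.WriteLine("  valid:   {0:u} to {1:u}", cert.NotBefore, cert.NotAfter)
        Console.WriteLine("  chain builds: {0}; name matches '{1}': {2}", chainOk, host, nameOk)

        ' Never return True unconditionally here: that disables certificate
        ' checking entirely and lets any host impersonate the directory.
        Return chainOk AndAlso nameOk
    End Function

    ' Binds as userDn over SSL on port 636 and reports whether it worked.
    Public Function TryBindOverSsl(host As String, userDn As String, password As String) As Boolean
        ' fullyQualifiedDnsHostName:=True so the name check above compares like with like
        Dim id As New LdapDirectoryIdentifier(host, 636, True, False)
        Using conn As New LdapConnection(id)
            conn.SessionOptions.SecureSocketLayer = True
            conn.SessionOptions.ProtocolVersion = 3
            conn.SessionOptions.VerifyServerCertificate = AddressOf VerifyServerCertificate
            conn.AuthType = AuthType.Basic   ' simple bind, protected by the SSL tunnel
            conn.Credential = New NetworkCredential(userDn, password)
            Try
                conn.Bind()
                Console.WriteLine("bind over SSL succeeded")
                Return True
            Catch ex As DirectoryException
                Console.WriteLine("bind over SSL failed: {0}", ex.Message)
                Return False
            End Try
        End Using
    End Function

    Sub Main()
        TryBindOverSsl("ldap.example.com", "uid=jdoe,ou=People,dc=example,dc=com", "p@ssw0rd")
    End Sub
End Module
```

Run it from the machine that hosts the web application, since the chain is built against that machine's certificate store, which is exactly what ldp.exe exercises. The callback prints its findings and then still enforces them; loosening it to always return True would make the connection "work" by removing the protection SSL was required for.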