LDAP authentication via .net

2008.11.13

There are several methods to authenticate a user via an external LDAP server.  I was given the task of allowing our web application to authenticate against an external SunOne directory server.  There is quite a bit of documentation detailing how to authenticate against Active Directory from a web application but quite a bit less about how to authenticate against other third-party LDAP servers.  I’ve been able to get our web application working against OpenLDAP as well as SunOne.  SSL was required against the SunOne server and I will detail some tips on getting that working as well.

The simplest case is authentication against Active Directory, and the code below does it.  Note that the first constructor argument is an ADsPath such as "LDAP://hostname" rather than a bare hostname; it can also be left as an empty string, in which case ADSI binds to the domain of the machine your .NET code is executing on.  If your web/IIS server is a member of the Active Directory domain this works really well.  AuthenticationTypes.Secure tells ADSI to use Windows (Kerberos/NTLM) authentication instead of a simple bind, so the password is never sent in clear text and the username can be given as DOMAIN\user or as a UPN.

Active Directory

' Path is "LDAP://hostname" or "" to bind to the local machine's domain.
' AuthenticationTypes.Secure = Windows (Kerberos/NTLM) authentication.
Dim Entry As New System.DirectoryServices.DirectoryEntry(hostname, username, _
      password, System.DirectoryServices.AuthenticationTypes.Secure)
Dim Searcher As New System.DirectoryServices.DirectorySearcher(Entry)

Searcher.SearchScope = DirectoryServices.SearchScope.Subtree
' No Filter is set, so DirectorySearcher uses its default (objectClass=*).
' The search is only here to force the bind; bad credentials throw below.

Try
  Dim Results As System.DirectoryServices.SearchResult = Searcher.FindOne
  Response.Write("<b>It Worked</b>")
Catch ex As Exception
  ' Fine for a test page; in production log ex.Message on the server and
  ' show the user a generic failure so the directory's error text stays private.
  Response.Write("Error authenticating user. " & ex.Message)
End Try

LDAP

For a standard (non-AD) LDAP server many of the examples found on the net create a DirectorySearcher and then run a search looking for the user's information.  The search is only there to force the bind: DirectoryEntry does not contact the server until something is read from it.  For the AuthenticationTypes you can choose None for a plain-socket simple bind or SecureSocketsLayer for an SSL connection.  With None the DN and password cross the network in clear text, so use SecureSocketsLayer (against the LDAPS port, normally 636) anywhere you do not fully trust the network.  Two things are easy to get wrong here.  First, the constructor's first argument (domainAndUsername in the snippet) is not a username at all but the ADsPath of the server and search base, e.g. LDAP://ldap.example.com:389/dc=example,dc=com, and the second argument is the user's full DN.  Second, reject an empty password before you ever build the DirectoryEntry: a simple bind with a DN and an empty password is an anonymous (unauthenticated) bind that many directory servers accept, so the code below would report success for any user who submits a blank password.

' None = simple bind: DN and password are sent in clear text unless
' combined with SecureSocketsLayer (LDAPS, normally port 636).
Dim at As System.DirectoryServices.AuthenticationTypes
at = System.DirectoryServices.AuthenticationTypes.None
' First argument is the ADsPath (server and search base), e.g.
' "LDAP://ldap.example.com:389/dc=example,dc=com"; second is the user's DN.
Dim entry As System.DirectoryServices.DirectoryEntry = _
      New System.DirectoryServices.DirectoryEntry( _
      domainAndUsername, LuserName, LpassWord, at)

Try
  Dim search As System.DirectoryServices.DirectorySearcher = _
      New System.DirectoryServices.DirectorySearcher(entry)
  search.SearchScope = System.DirectoryServices.SearchScope.Subtree
  ' LDAP filters are parenthesised (RFC 4515); some servers reject the bare form.
  search.Filter = "(objectClass=*)"
  ' Nothing is sent until FindOne runs; this is the call that performs the bind.
  Dim result As System.DirectoryServices.SearchResult = search.FindOne()
  Response.Write("You were authenticated correctly")
Catch ex As Exception
  Response.Write("Error authenticating user. " & ex.Message)
End Try
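The filter in the snippet above is a constant, so nothing the user types reaches it.  If you take the search route literally and look up the user's own entry (the usual first step against OpenLDAP or SunOne, where users know a uid rather than their full DN), the filter is built from the login name, and the LDAP filter metacharacters *, (, ) and \ in that name change what the search matches.  The following is an added example, not code from the original post: an RFC 4515 filter-escaping helper and a lookup that resolves a login name to exactly one DN using a read-only service account.  The class name, the uid attribute, and the host, base and service DN values are assumptions.

```vbnet
Imports System
Imports System.DirectoryServices
Imports System.Text

' Added example, not the original post's code. Class name, the "uid"
' attribute and the sample host, base and service DN are assumptions.
Public NotInheritable Class LdapLookup

    ' Escape a value for use inside an LDAP search filter (RFC 4515):
    ' * ( ) \ and NUL become \2a \28 \29 \5c \00, so the value can only
    ' ever match literally and cannot alter the filter's structure.
    Public Shared Function EscapeFilterValue(ByVal value As String) As String
        Dim sb As New StringBuilder(value.Length)
        For Each c As Char In value
            Select Case c
                Case "*"c
                    sb.Append("\2a")
                Case "("c
                    sb.Append("\28")
                Case ")"c
                    sb.Append("\29")
                Case "\"c
                    sb.Append("\5c")
                Case ControlChars.NullChar
                    sb.Append("\00")
                Case Else
                    sb.Append(c)
            End Select
        Next
        Return sb.ToString()
    End Function

    ' Resolve a login name to the DN of its entry, binding as a read-only
    ' service account (the user's own account may have no search rights).
    ' Returns Nothing unless exactly one entry matches.
    Public Shared Function FindUserDn(ByVal searchBase As String, _
                                      ByVal serviceDn As String, _
                                      ByVal servicePassword As String, _
                                      ByVal loginName As String) As String
        If String.IsNullOrEmpty(loginName) Then Return Nothing

        ' searchBase is an ADsPath such as
        ' "LDAP://ldap.example.com:389/ou=people,dc=example,dc=com".
        ' Add AuthenticationTypes.SecureSocketsLayer (and port 636) for SSL.
        Using root As New DirectoryEntry(searchBase, serviceDn, servicePassword, _
                                         AuthenticationTypes.None)
            Using searcher As New DirectorySearcher(root)
                searcher.SearchScope = SearchScope.Subtree
                ' Unescaped, a login name of "*" or "x)(uid=*" would widen the
                ' match; escaping pins it to one literal uid value.
                searcher.Filter = "(uid=" & EscapeFilterValue(loginName) & ")"
                searcher.PropertiesToLoad.Add("uid")   ' keep the reply small
                Using results As SearchResultCollection = searcher.FindAll()
                    ' Zero hits: unknown user. More than one: ambiguous, and
                    ' binding as "the first one" would be a bug, so refuse.
                    If results.Count <> 1 Then Return Nothing
                    ' SearchResult.Path is the ADsPath, e.g.
                    ' LDAP://ldap.example.com:389/uid=alice,ou=people,dc=example,dc=com
                    ' The DN is everything after the slash that follows the server.
                    Dim path As String = results(0).Path
                    Dim slash As Integer = path.IndexOf("/"c, "LDAP://".Length)
                    If slash < 0 Then Return Nothing
                    Return path.Substring(slash + 1)
                End Using
            End Using
        End Using
    End Function

    Public Shared Sub Main()
        Dim dn As String = FindUserDn( _
            "LDAP://ldap.example.com:389/ou=people,dc=example,dc=com", _
            "cn=webapp,ou=services,dc=example,dc=com", "service-secret", "alice")
        If dn Is Nothing Then
            Console.WriteLine("no unique match")
        Else
            ' Next step: bind as dn with the password the user typed.
            Console.WriteLine(dn)
        End If
    End Sub
End Class
```

The service account only needs read access to the uid attribute under the search base; the user's password is never given to this lookup, it is used only in the bind that follows.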

Alternate LDAP Method

An alternative is to bind without a search.  I ran into a case where normal user accounts on the LDAP server had search privileges revoked which caused problems trying to use the above method.  The alternate method I came up with was to query the directory name and check the status of that call.

Dim at As System.DirectoryServices.AuthenticationTypes
at = System.DirectoryServices.AuthenticationTypes.None
Dim entry As System.DirectoryServices.DirectoryEntry = _
      New System.DirectoryServices.DirectoryEntry( _
      domainAndUsername, LuserName, LpassWord, at)
Dim serverName As String = ""

Try
  ' DirectoryEntry is lazy: reading Name is the first call that touches the
  ' server, so this is where the bind happens and where bad credentials throw.
  ' It needs no search privilege, only the right to read the bound entry.
  serverName = entry.Name
  Response.Write("You are authenticated")
Catch ex As Exception
  Response.Write("Error Authenticating user. " & ex.Message)
End Try
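Pulling the three variants above together, here is an added example (not the original post's code) of one bind check that serves Active Directory with AuthenticationTypes.Secure and OpenLDAP or SunOne with None or SecureSocketsLayer.  It refuses an empty name or password before the server is contacted, forces the bind by reading NativeObject so it needs no search privilege, disposes the DirectoryEntry, and returns only True or False so the directory's error text never reaches the browser.  The class and parameter names and the sample hosts and DNs are assumptions.

```vbnet
Imports System
Imports System.DirectoryServices
Imports System.Runtime.InteropServices

' Added example, not the original post's code. Class, parameter names and
' the sample hosts/DNs below are assumptions for illustration.
Public NotInheritable Class LdapAuth

    ' Returns True only if the directory accepted a bind as bindName with
    ' the supplied password. authType is AuthenticationTypes.Secure for
    ' Active Directory (bindName = DOMAIN\user or a UPN), or
    ' AuthenticationTypes.None / AuthenticationTypes.SecureSocketsLayer for
    ' a simple bind against OpenLDAP or Sun ONE (bindName = the user's DN).
    Public Shared Function Authenticate(ByVal ldapPath As String, _
                                        ByVal bindName As String, _
                                        ByVal password As String, _
                                        ByVal authType As AuthenticationTypes) As Boolean
        ' A simple bind with a DN and an empty password is an anonymous
        ' (unauthenticated) bind that many servers accept, and with
        ' AuthenticationTypes.Secure passing no credentials makes ADSI use
        ' the worker-process identity. Either would report success for any
        ' user, so refuse both before the directory is contacted.
        If String.IsNullOrEmpty(bindName) OrElse String.IsNullOrEmpty(password) Then
            Return False
        End If

        Try
            Using entry As New DirectoryEntry(ldapPath, bindName, password, authType)
                ' DirectoryEntry is lazy; reading NativeObject forces the bind and
                ' throws if the server refuses the credentials. Unlike a search it
                ' needs no search privilege on the account being tested.
                Dim bound As Object = entry.NativeObject
                Return bound IsNot Nothing
            End Using
        Catch ex As COMException
            ' Bad credentials surface here as a COMException (LDAP result 49,
            ' invalidCredentials, normally mapped to HRESULT 0x8007052E,
            ' ERROR_LOGON_FAILURE). Log ex.ErrorCode and ex.Message server-side;
            ' never write them to the response, where they leak server details.
            Return False
        End Try
    End Function

    Public Shared Sub Main()
        ' Member server in an AD domain: Windows (negotiate) authentication.
        Console.WriteLine(Authenticate("LDAP://dc1.corp.example.com", "CORP\alice", _
                                       "secret", AuthenticationTypes.Secure))
        ' Sun ONE / OpenLDAP over SSL: simple bind with the user's full DN.
        ' SecureSocketsLayer needs the LDAPS port and a trusted certificate.
        Console.WriteLine(Authenticate("LDAP://ldap.example.com:636", _
                                       "uid=alice,ou=people,dc=example,dc=com", _
                                       "secret", AuthenticationTypes.SecureSocketsLayer))
    End Sub
End Class
```

Any other exception type (a DNS failure, a timeout) is deliberately left to propagate: it is an outage, not a wrong password, and the two should not be logged or reported the same way.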

Troubleshooting SSL

There are three main reasons that SSL won’t work:

  • The DNS name in your binding string doesn’t match the DNS name in the cert
  • The cert is expired or not yet valid
  • The local client does not trust the server’s certificate

Essentially, these are the same reasons you get a certificate warning dialog in IE, except that LDAP always fails on these conditions; there is no "continue anyway".  A very good way to test whether the machine your code is running on is set up to accept the server's certificate is the ldp.exe tool.  It is not a .NET program, but it talks to the directory through the same Windows LDAP client library (wldap32.dll) and the same Schannel certificate validation that ADSI uses underneath DirectoryEntry, so if ldp.exe cannot connect over SSL from that machine, neither will your code.  Two details matter when you test: use exactly the host name that appears in your binding string, and remember that an ASP.NET application runs under a service account, so the server's issuing CA must be in the Local Computer Trusted Root store, not just in the store of the user who is logged on.  I’ve been able to troubleshoot and solve several installations using this tool to illustrate that the issue was not with our product but the machine setup.  You can find the ldp.exe utility in the Windows Server 2003 Support Tools, on the server CD or as a download from Microsoft.
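ldp.exe needs someone at a desktop.  The following added example (not from the original post) performs the same three checks from code, which you can schedule or run under the same account as the web application.  It opens an SslStream to the LDAPS port and reports which condition the handshake tripped: SslPolicyErrors.RemoteCertificateNameMismatch for the first reason, and RemoteCertificateChainErrors with a chain status of NotTimeValid (second reason) or UntrustedRoot / PartialChain (third reason).  On the .NET Framework SslStream validates through Schannel and the Windows certificate store, as the Windows LDAP client does, so the verdict reflects what DirectoryEntry will see.  The host name and port are placeholders.

```vbnet
Imports System
Imports System.Net.Security
Imports System.Net.Sockets
Imports System.Security.Authentication
Imports System.Security.Cryptography.X509Certificates
Imports System.Text

' Added example, not the original post's code. Host name and port are
' placeholders; run it under the account the web application uses.
Public NotInheritable Class LdapsCheck

    Private Shared lastErrors As SslPolicyErrors = SslPolicyErrors.None
    Private Shared lastChain As String = ""

    ' Called by SslStream during the handshake. The verdict is recorded and
    ' True is returned so the handshake completes and the certificate can be
    ' printed; a real client must return False whenever errors <> None.
    Private Shared Function RecordErrors(ByVal sender As Object, _
                                         ByVal cert As X509Certificate, _
                                         ByVal chain As X509Chain, _
                                         ByVal errors As SslPolicyErrors) As Boolean
        lastErrors = errors
        Dim sb As New StringBuilder()
        If chain IsNot Nothing Then
            For Each status As X509ChainStatus In chain.ChainStatus
                sb.Append(status.Status.ToString()).Append(" ")
            Next
        End If
        lastChain = sb.ToString().Trim()
        Return True
    End Function

    ' Connect to host:port, complete a TLS handshake and map the result onto
    ' the three failure reasons listed above.
    Public Shared Sub Check(ByVal host As String, ByVal port As Integer)
        Try
            Using client As New TcpClient(host, port)
                Using ssl As New SslStream(client.GetStream(), False, AddressOf RecordErrors)
                    ' Pass the exact name you put in the LDAP:// binding string;
                    ' that is the name the certificate must carry.
                    ssl.AuthenticateAsClient(host)
                    Dim cert As New X509Certificate2(ssl.RemoteCertificate)
                    Console.WriteLine("Subject : " & cert.Subject)
                    Console.WriteLine("Issuer  : " & cert.Issuer)
                    Console.WriteLine("Valid   : " & cert.NotBefore.ToString() & _
                                      " to " & cert.NotAfter.ToString())

                    If (lastErrors And SslPolicyErrors.RemoteCertificateNameMismatch) _
                            <> SslPolicyErrors.None Then
                        Console.WriteLine("FAIL 1: certificate name does not match " & host)
                    End If
                    If (lastErrors And SslPolicyErrors.RemoteCertificateChainErrors) _
                            <> SslPolicyErrors.None Then
                        ' NotTimeValid = reason 2 (expired / not yet valid);
                        ' UntrustedRoot or PartialChain = reason 3 (issuing CA is
                        ' not in this machine's Trusted Root store).
                        Console.WriteLine("FAIL 2/3: chain status: " & lastChain)
                    End If
                    If lastErrors = SslPolicyErrors.None Then
                        Console.WriteLine("OK: this machine trusts " & host)
                    End If
                End Using
            End Using
        Catch ex As AuthenticationException
            Console.WriteLine("TLS handshake failed: " & ex.Message)
        Catch ex As SocketException
            Console.WriteLine("Cannot reach " & host & ":" & port.ToString() & " - " & ex.Message)
        End Try
    End Sub

    Public Shared Sub Main()
        Check("ldap.example.com", 636)
    End Sub
End Class
```

Run it once as yourself and once as the application pool identity; a certificate that is trusted in the first run and not in the second means the CA was imported into a user store rather than the Local Computer store.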
