Re: LDAP and SASL
- From: "Joe Kaplan \(MVP - ADSI\)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 29 Dec 2005 23:26:49 -0600
Getting client certificates to work under ASP.NET is a bit of a PITA because
the private key for the cert is usually stored in the user's profile and
that won't be loaded in the context of ASP.NET. The private key needs to be
installed in the machine store instead.
What I would suggest doing would be to export the certificate and private
key from your personal store and make sure it is installed in the machine
store.
Then, the next thing to do is to make sure that the account that is being
used to execute the request has permissions on the private key. This is a
much trickier part as there are many different options for what that account
might be depending on how you have configured the web app. You can find out
the identity of the current thread with
System.Security.Principal.WindowsIdentity.GetCurrent().Name.
I think it would be best to try to make sure you can get the LDAP client
certificate thing working in a console app first before trying to move it
into an ASP.NET context though. There is no telling whether that part alone
will work correctly. Hopefully there won't be an issue, but you want to try
to isolate that from the web app while that is still an unknown.
Joe K.
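As an added example that is not part of this thread (and not Joe's, Amar's or Microsoft's code), here is a VB.NET console probe for the steps described above: it prints the identity the process runs as, looks for the client certificate in the LocalMachine\My store, reports whether that account can actually open the private key, and then binds with AuthenticationTypes.SecureSocketsLayer so ADSI offers the certificate during the LDAP SSL handshake and runs the same kind of department search. It assumes .NET 2.0 or later (X509Store), and the directory host, base DN, certificate subject and the "dateOfBirth" attribute name are placeholders, not values from the thread.

```vbnet
' Added example, not from the thread. Assumes .NET 2.0+, a client cert
' already imported (with its private key) into LocalMachine\My, and the
' placeholder host, base DN, subject and attribute name below.
Imports System
Imports System.DirectoryServices
Imports System.Security.Cryptography
Imports System.Security.Cryptography.X509Certificates
Imports System.Security.Principal

Module LdapClientCertProbe

    ' Placeholders: replace with your directory, base DN and cert subject.
    Private Const LdapPath As String = "LDAP://directory.a.edu:636/dc=a,dc=edu"
    Private Const CertSubject As String = "ldap-client.a.edu"
    Private Const DobAttribute As String = "dateOfBirth" ' assumed attribute name

    Sub Main()
        ' Step 1: which account is this? Under ASP.NET it is this account that
        ' needs read access to the private key, so run the probe as that account.
        Console.WriteLine("Running as: " & WindowsIdentity.GetCurrent().Name)

        ' Step 2: the cert must be in the machine store; the user profile store
        ' is not loaded for ASP.NET.
        Dim cert As X509Certificate2 = FindMachineCert(CertSubject)
        If cert Is Nothing Then
            Console.WriteLine("Certificate not found in LocalMachine\My.")
            Return
        End If
        Console.WriteLine("Found: " & cert.Subject & ", HasPrivateKey=" & cert.HasPrivateKey.ToString())

        ' Step 3: opening the private key fails with CryptographicException when
        ' the current account lacks permission on the key container.
        If Not PrivateKeyAccessible(cert) Then
            Console.WriteLine("Private key is not accessible to this account; fix the key ACL.")
            Return
        End If

        ' Step 4: bind over SSL so the client cert is offered in the handshake,
        ' then search as the anonymous-bind code did, plus the privileged attribute.
        Try
            Dim deLdapConn As New DirectoryEntry(LdapPath, Nothing, Nothing, AuthenticationTypes.SecureSocketsLayer)
            Dim searcher As New DirectorySearcher(deLdapConn, "(department=X)", _
                New String() {"sn", "givenname", DobAttribute})
            For Each r As SearchResult In searcher.FindAll()
                Console.WriteLine(r.Path & " dob=" & FirstValue(r, DobAttribute))
            Next
        Catch ex As Exception
            Console.WriteLine("Bind/search failed: " & ex.Message)
        End Try
    End Sub

    ' Opens the machine personal store read-only and returns the first cert
    ' whose subject contains the given name, or Nothing.
    Function FindMachineCert(ByVal subject As String) As X509Certificate2
        Dim store As New X509Store(StoreName.My, StoreLocation.LocalMachine)
        store.Open(OpenFlags.ReadOnly)
        Try
            Dim found As X509Certificate2Collection = _
                store.Certificates.Find(X509FindType.FindBySubjectName, subject, False)
            If found.Count = 0 Then Return Nothing
            Return found(0)
        Finally
            store.Close()
        End Try
    End Function

    ' True when the key container can be opened; also prints where it lives so
    ' the ACL can be checked (machine keys are under
    ' %ProgramData%\Microsoft\Crypto\RSA\MachineKeys).
    Function PrivateKeyAccessible(ByVal cert As X509Certificate2) As Boolean
        Try
            Dim rsa As RSACryptoServiceProvider = TryCast(cert.PrivateKey, RSACryptoServiceProvider)
            If rsa Is Nothing Then Return False
            Dim info As CspKeyContainerInfo = rsa.CspKeyContainerInfo
            Console.WriteLine("Key container: " & info.UniqueKeyContainerName & _
                ", MachineKeySet=" & info.MachineKeySet.ToString())
            Return True
        Catch ex As CryptographicException
            Return False
        End Try
    End Function

    ' First value of an attribute, or "" when the bound identity is not
    ' allowed to see it (as happens for an anonymous bind).
    Function FirstValue(ByVal r As SearchResult, ByVal attr As String) As String
        If r.Properties.Contains(attr) AndAlso r.Properties(attr).Count > 0 Then
            Return r.Properties(attr)(0).ToString()
        End If
        Return ""
    End Function
End Module
```

Run it first as yourself, then under the same account the web app uses (for example with runas), because the private key check only tells you about the account that executes it. Whether the directory then grants the Y Services attributes on the strength of the handshake certificate is something the directory operators have to confirm; the probe only shows whether the bind and search succeed.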
"Amar" <Amar@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2D8FCA27-79BD-4DF0-A5F5-922CAA0D08E8@xxxxxxxxxxxxxxxx
> Thanks Joe. I did try specifying the authentication types. But when I read
> your reply, I do have reason to believe that there is some problem with the
> client cert. Can you please tell us the steps to make our website use the
> client certificate. Let me give you a brief status.
> My system administrator requested 2 certificates from the university central
> computing resources. One was a SSL server certificate and another was a
> client certificate which was provided by the group that handles the
> enterprise directory on campus.
> My sys admin installed both those certificates on the webserver. When we run
> the Certificates.msc console, we can see both the certificates listed under
> the folder listing Certificates-Personal-Certificates-Both present here.
> Now how do I make my website make use of these certificates? Do I have to
> make some special changes to my website on IIS? I use IIS6.0 on Windows 2003
> Server and use my laptop with VS.NET 2003 to work remotely on the server.
> Thank you so much Joe. Really appreciate your help.
>
> "Joe Kaplan (MVP - ADSI)" wrote:
>
>> Did you try specifying the AuthenticationTypes.SecureSocketsLayer flag?
>> ADSI and the LDAP API will happily try to supply a client cert during the
>> LDAP SSL handshake if one is available and configured correctly.
>>
>> Joe K.
>> "Amar" <Amar@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:28B6C75F-DC4B-45EC-89AD-027895D2E7F5@xxxxxxxxxxxxxxxx
>> > I am a newbie with enterprise directories. I am trying to write an ASP.NET
>> > application to fetch some data from my university LDAP enterprise directory.
>> > There are 2 types of access allowed to the LDAP server. One is an anonymous
>> > access and another is the access that exists mainly to give privileged
>> > accounts access to person information that can otherwise not be publicly
>> > viewed. These privileged accounts, called Y Services, are primarily used to
>> > look up person data and authorize people on this data.
>> >
>> > Now, I was able to use the anonymous access privileges and view the data
>> > from the LDAP server. What I want to do is to use the Y Services and view
>> > the person information that cannot be accessed via the anonymous access.
>> > For example, I want to view the date of birth for the person, which is
>> > available in the Y Services access.
>> >
>> > The university instructions say the following:
>> >
>> > What you see in Y Services is dependent on how you bind (anonymous, simple,
>> > SASL EXTERNAL) and the amount of privileges the bound user has. Connecting
>> > to Y Services requires the use of TLS client certificate authentication,
>> > meaning you must have a signed certificate from the university in order to
>> > connect. Users bound anonymously can only search on ID and can only see the
>> > DN (distinguished name) of any user. Users that have performed a SASL
>> > EXTERNAL bind can only see those attributes they have been approved to see
>> > (for all users), and only if the corresponding service is ACTIVE.
>> >
>> > Now, I know that the TLS client certificate has been installed on my server
>> > by my Sys admin. Please tell me the steps to do the bind and fetch the date
>> > of birth for all people in department X.
>> >
>> > Here is the anonymous bind code.
>> >
>> > Imports System.DirectoryServices
>> >
>> > Dim deLdapConn As DirectoryEntry = New DirectoryEntry("LDAP://directory.a.edu/dc=a,dc=edu")
>> > Dim searcherLdap As New DirectorySearcher(deLdapConn)
>> > Dim Results As SearchResultCollection
>> > Dim propcoll As ResultPropertyCollection
>> > Dim Result As SearchResult
>> > Dim strKey As String
>> > Dim obProp As Object
>> > Dim iNumProperties As Integer = 0
>> > ' Per-record arrays, sized once the search has returned
>> > Dim arrFName() As String, arrLName() As String, arrPhone() As String
>> > Dim arrEmail() As String, arrDob() As String
>> >
>> > Try
>> >     searcherLdap.Filter = "(department=X)"
>> >     searcherLdap.PropertiesToLoad.Add("sn")
>> >     searcherLdap.PropertiesToLoad.Add("givenname")
>> >     searcherLdap.PropertiesToLoad.Add("telephonenumber")
>> >     searcherLdap.PropertiesToLoad.Add("uupid")
>> >     Results = searcherLdap.FindAll()
>> >     iNumProperties = Results.Count
>> >     ReDim arrFName(iNumProperties - 1)
>> >     ReDim arrLName(iNumProperties - 1)
>> >     ReDim arrPhone(iNumProperties - 1)
>> >     ReDim arrEmail(iNumProperties - 1)
>> >     ReDim arrDob(iNumProperties - 1)
>> >     iNumProperties = 0 ' Sets the start index for arrays
>> >     For Each Result In Results ' Result stores 1 record and Results stores all records
>> >         propcoll = Result.Properties ' Gets all the properties (field names) for that record
>> >         For Each strKey In propcoll.PropertyNames ' Loop through each field name for the selected record
>> >             For Each obProp In propcoll(strKey)
>> >                 If strKey = "givenname" Then arrFName(iNumProperties) = CStr(obProp)
>> >                 If strKey = "sn" Then arrLName(iNumProperties) = CStr(obProp)
>> >                 If strKey = "telephonenumber" Then arrPhone(iNumProperties) = CStr(obProp)
>> >                 If strKey = "uupid" Then arrEmail(iNumProperties) = CStr(obProp)
>> >             Next
>> >         Next
>> >         iNumProperties = iNumProperties + 1
>> >     Next
>> >     searcherLdap.Dispose()
>> >     searcherLdap = Nothing
>> >     deLdapConn.Close()
>> >     deLdapConn = Nothing
>> > Catch Ex As Exception
>> >     Response.Write(Ex.ToString)
>> > End Try
>> >
>> > Please help me!! THANKS IN ADVANCE!!