Re: Pure LDAP Authentication using vb.net



My book has some stuff showing how to do an LDAP bind to a directory in
order to implement LDAP authentication (ch 12). Most of it deals directly
with AD or ADAM, but it can be applied to other directories.

The trick with most non-MS directories is that none of the
Microsoft-specific authentication mechanisms like GSS-SPNEGO will work, so
you will likely need to use something like LDAP simple bind. This must be
secured with an SSL/LDAP connection to the server, as simple bind uses
plaintext credentials.

Getting group membership is something that is typically done with some sort
of search against the directory, but the specifics of it will vary from
directory to directory. You probably should get an explanation of how it is
done for this product in terms of pure LDAP operations. Then you can
translate that into .NET.

You may also be more successful using something like
System.DirectoryServices.Protocols (SDS.P) in .NET 2.0 rather than the
higher level System.DirectoryServices (SDS), as the latter uses ADSI under
the hood, and ADSI tends to make a lot of default assumptions about talking
to AD that can make things complicated. You get more control with SDS.P.

The code samples from my book can be downloaded for free from the site in my
sig. Ch 12 has the auth samples. I'd suggest modifying the SDS.P sample to
suit your needs.

Best of luck,

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Chris Davoli" <ChrisDavoli@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:DB954602-8876-492A-A488-9D4CE68B6FD3@xxxxxxxxxxxxxxxx
I need a vb.net sample code that authenticates users against a repository
that supports LDAP. The repository is NOT Active Directory. After
authentication it would be great if the sample code also retrieves group
membership using LDAP.

--
Chris Davoli


