Re: LDAP Binding



I think your main problem here is that you are doing a Base level query in
SDS.P and doing a Subtree query (the default) in SDS, so your searches are
not equivalent. Try setting the scope to subtree. I also have a feeling
like your code to create your array of strings as your attribute list might
not be working correctly. You might consider using this method of declaring
an array of known strings:

string[] shortList = new string[] {"dn", "pid", "givenName"};

Try that out and see if it works. Once you are finding matches, then the
rest should be in returning the results.

If you want to switch to SSL LDAP and don't have an easy way of dealing with
certificate trust issues in Windows, then you can use SDS.P with the
VerifyServerCertificateCallback to essentially tell Windows to ignore any
SSL errors encountered. It would seem like that is your primary motivator
for switching to SDS.P in the first case, since you have the search working
ok with SDS.

With SDS, note that if you want to do a true anonymous search (no LDAP bind
operation), then you can specify empty strings for username and password and
use AuthenticationTypes.Anonymous. If you want to do the LDAP "anonymous
user" bind, you typically do a simple bind (AuthenticationTypes.None) with a
username and empty string password. They are semantically a little
different, so it depends on what the server wants. If you want to
authenticate, then that's different. :)

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
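A working SDS.P lookup with the fixes from this reply applied (Subtree scope, an attribute array declared from known strings, and both bind styles), written as an added example rather than code from the thread; the host, base DN, Staff object class and uid attribute follow the posts, and EscapeFilterValue is a small helper of mine, not part of the SDS.P API.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;

// Added example (not the poster's code). Host and base DN are passed in by the
// caller; "Staff" and "uid" are the object class and attribute used in the thread.
static class StaffLookup
{
    // Declare the attribute list as known strings, as suggested in the reply.
    // (The post's Split("'".ToCharArray()) splits on an apostrophe, so it yields
    // one element "dn,pid,givenName" rather than three attribute names.)
    static readonly string[] ShortList = { "dn", "pid", "givenName" };

    // anonymousUserDn == null : true anonymous search, no credentials (AuthType.Anonymous).
    // anonymousUserDn != null : LDAP "anonymous user" simple bind, that name + empty password.
    public static int CountMatches(string host, string baseDn, string uid, string anonymousUserDn)
    {
        var id = new LdapDirectoryIdentifier(host, 389);
        NetworkCredential creds = anonymousUserDn == null
            ? null
            : new NetworkCredential(anonymousUserDn, string.Empty);
        AuthType auth = anonymousUserDn == null ? AuthType.Anonymous : AuthType.Basic;

        using (var conn = new LdapConnection(id, creds, auth))
        {
            conn.SessionOptions.ProtocolVersion = 3;
            conn.Bind();

            // Escape the caller-supplied value so it cannot change the filter's shape.
            string filter = string.Format("(&(objectClass=Staff)(uid={0}))", EscapeFilterValue(uid));

            // Subtree, not Base: a Base search returns only the base entry itself, so a
            // uid filter under "dc=dum,dc=edu" never matches and Entries.Count stays 0.
            var request = new SearchRequest(baseDn, filter, SearchScope.Subtree, ShortList);
            var response = (SearchResponse)conn.SendRequest(request);
            if (response.ResultCode != ResultCode.Success)
                throw new DirectoryOperationException(response.ErrorMessage);
            return response.Entries.Count;
        }
    }

    // RFC 4515 escaping of the characters that are special inside a filter value;
    // the backslash must be replaced first so the escapes it produces are not re-escaped.
    static string EscapeFilterValue(string v) =>
        v.Replace(@"\", @"\5c").Replace("*", @"\2a").Replace("(", @"\28")
         .Replace(")", @"\29").Replace("\0", @"\00");
}
```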
"Toby Considine (UNC)" <Toby.Considine.nospam@xxxxxxx> wrote in message
news:e2KkrO2iHHA.1000@xxxxxxxxxxxxxxxxxxxxxxx
OK - I'm trying to bind securely to a third party LDAP Server. Following
the advice above, I have switched to the DirectoryServices.Protocols
(SS.P) rather than the AD oriented SS protocols. Problem is, I can't bind.
Heck, I can't even query. So assuming I want to use the SS.P Stack, I
figured if I could get the base query to work, I could then debug the
BINDing.



First, all the common information:

private string server = "ldap.unc.edu:389";
private string secureServer = "ldap.unc.edu:636";
private string distinguishedName = "dc=dum,dc=edu";
LdapDirectoryIdentifier idPublic;
LdapDirectoryIdentifier idSecure;
private string[] shortList;
private string[] longList;

protected void Page_Load(object sender, EventArgs e)
{
    idPublic = new LdapDirectoryIdentifier(server);
    idSecure = new LdapDirectoryIdentifier(secureServer);
    // note: these split on an apostrophe, not on the comma, so each list ends up as a single element
    shortList = "dn,pid,givenName".Split("'".ToCharArray());
    longList =
        "displayname,givenname,sn,ou,title,postaladdress,mail,telephoneNumber,pid,uid,facsimileTelephoneNumber".Split("'".ToCharArray());
}


Next, the first format, using the AD Aware stack works.



private string FindEntry(string Account)
{
    string filterString;
    string displayName = string.Empty;
    System.DirectoryServices.SearchResultCollection results;
    try
    {
        filterString = String.Format("(&(objectClass=Staff) (uid={0}))", Account);
        DirectoryEntry de = new DirectoryEntry(
            string.Format(@"LDAP://{0}/{1}", server, distinguishedName));
        de.AuthenticationType = AuthenticationTypes.None; //Thanks Ralph!
        DirectorySearcher ds = new DirectorySearcher(de);
        ds.Filter = filterString;
        ds.PropertiesToLoad.Add("displayname");
        ds.PropertiesToLoad.Add("givenname");
        ds.PropertiesToLoad.Add("sn");
        ds.PropertiesToLoad.Add("pid");
        ds.PropertiesToLoad.Add("uid");
        results = ds.FindAll();

        if (results.Count == 0)
        {
            displayName = null;
            return displayName;
        }
        foreach (SearchResult resEnt in results)
        {
            ResultPropertyCollection propcoll = resEnt.Properties;
            foreach (string key in propcoll.PropertyNames)
            {
                foreach (object value in propcoll[key])
                {
                    if (key.ToString().StartsWith("displayname"))
                    {
                        displayName = value.ToString();
                    }
                }
            }
        }
    }
    catch (Exception)
    {
        // the catch block was not included in the post; rethrow so nothing is swallowed
        throw;
    }
    return displayName;
}


Second Format using SS.P Only, no longer throws errors, but always returns
0 matches. What am I missing?





private bool tryLookup(string Account)
{
    LdapConnection ldap = new LdapConnection(idPublic, null, AuthType.Anonymous);
    ldap.Bind();

    string filter = String.Format("(&(objectClass=Staff) (uid={0}))", Account);

    SearchRequest request = new SearchRequest(
        distinguishedName,
        filter,
        System.DirectoryServices.Protocols.SearchScope.Base,
        shortList);
    SearchResponse response = (SearchResponse)ldap.SendRequest(request);

    //lblDebug.Text = request.RequestId.
    if (response.ResultCode != ResultCode.Success)
        throw new Exception(response.ErrorMessage);

    lblDebug.Text = response.Entries.Count.ToString();
    //foreach (SearchResultEntry result in response.Entries)

    SearchResultEntryCollection sre = response.Entries;
    foreach (SearchResultEntry result in sre)
    {
        lblDebug.Text = String.Format("{0}<br>{1}", lblDebug.Text, result.DistinguishedName);
    }
    lblDebug.Text = String.Format("{0}<br>{1}", lblDebug.Text, filter);

    // the end of the method was cut off in the post; report whether anything matched
    return sre.Count > 0;
}



"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:OHOhDjHiHHA.4552@xxxxxxxxxxxxxxxxxxxxxxx
It sounds like an SSL error. "Server not available" is the standard
error message if the SSL connection cannot be negotiated. Are you
certain the directory supports SSL? If you are, it is likely a
certificate trust issue or a name mismatch.

For the name mismatch, just make sure you are binding using the same DNS
on the cert as what you use in your binding string. If there is a trust
issue, you need to make sure the root CA in the cert chain of the
server's cert is in the trusted roots container in the machine store.

If you want, you can also recode the whole thing using S.DS.Protocols
instead. With it, you can hook the SSL handshake via the
VerifyServerCertificateCallback and override the SSL validation to
potentially ignore the error if you like. S.DS.Protocols might make some
OpenLDAP stuff easier to deal with as well (although S.DS might work ok).

I hope that helps,

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
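The VerifyServerCertificateCallback hook Joe mentions, written as an added example (not from the thread) that checks the two causes he names, a name mismatch and an untrusted chain, and only otherwise accepts a pinned certificate; the connection parameters and PinnedThumbprint are placeholders, and the callback signature is the one SDS.P defines.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Security.Cryptography.X509Certificates;

// Added example (not the poster's code). The pinned thumbprint is a placeholder:
// take it from the real LDAPS server certificate, not from this file.
static class SecureLdapBind
{
    const string PinnedThumbprint = "<PLACEHOLDER_SHA1_THUMBPRINT_OF_LDAPS_SERVER_CERT>";

    public static LdapConnection BindOverSsl(string host, string userDn, string password)
    {
        var conn = new LdapConnection(new LdapDirectoryIdentifier(host, 636),
                                      new NetworkCredential(userDn, password), AuthType.Basic);
        conn.SessionOptions.ProtocolVersion = 3;
        conn.SessionOptions.SecureSocketLayer = true;
        // The hook from the thread. A callback that just returns true makes the
        // "Server not available" error go away but also sends the user's password
        // to whatever answers on 636; this one still decides, with explicit rules.
        conn.SessionOptions.VerifyServerCertificate = VerifyServerCertificate;
        conn.Bind();   // throws LdapException if the callback rejects the certificate
        return conn;
    }

    static bool VerifyServerCertificate(LdapConnection connection, X509Certificate certificate)
    {
        var cert = new X509Certificate2(certificate);

        // Name mismatch (first cause in the reply): the DNS name we dialled must be
        // the one on the cert. GetNameInfo returns the first SAN dNSName, else the CN.
        string dialled = ((LdapDirectoryIdentifier)connection.Directory).Servers[0].Split(':')[0];
        string certName = cert.GetNameInfo(X509NameType.DnsName, false);
        bool nameOk = string.Equals(dialled, certName, StringComparison.OrdinalIgnoreCase);

        // Trust (second cause): the chain must end at a root in the trusted root store.
        bool chainOk = new X509Chain().Build(cert);

        // Escape hatch when the issuing CA cannot be installed: pin this exact certificate.
        bool pinned = string.Equals(cert.Thumbprint, PinnedThumbprint, StringComparison.OrdinalIgnoreCase);

        return pinned || (chainOk && nameOk);
    }
}
```

A certificate carrying several SAN names needs the SAN extension parsed rather than GetNameInfo's single answer; the chain check also consults revocation by default, so a server with no reachable CRL/OCSP will fail it unless ChainPolicy.RevocationMode is adjusted.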
"Toby Considine (UNC)" <Toby.Considine.nospam@xxxxxxx> wrote in message
news:997D10C5-A28B-4FB5-9E05-B3956A7112D1@xxxxxxxxxxxxxxxx
I am at a University where we use OpenLDAP for the central security. I
am trying to create a standard MemberShip provider to allow those of us
who like to program in asp.net to develop identity aware applications for
IIS servers. (asp.net 2.0)

I can bind to the LDAP server anonymously. I can query same using the
normal DirectoryService namespace.

Every time I try to bind with a users account and password under SSL to
log the user in, I fail, with a "Server Not Available". I can use the
same connection string with the Anonymous settings and query information
on the user just fine.

I see lots of people with similar problems on the web. Has anyone solved
this?

thanks

tc
