Re: LDAP Authentication
From: Mark Schupp (mschupp_at_ielearning.com)
Date: 05/29/03
- Next message: Jason S: "Re: Cookies can't be deleted"
- Previous message: Seth: "Re: How many certificates"
- In reply to: Jim: "Re: LDAP Authentication"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 29 May 2003 12:30:23 -0700
From MSDN Lib.
ADS_AUTHENTICATION_ENUM [C++]
The ADS_AUTHENTICATION_ENUM enumeration specifies authentication options
used in ADSI for binding to directory service objects. When calling
IADsOpenDSObject or ADsOpenObject to bind to an ADSI object, you must supply
at least one of the options. In general, different providers will have
different implementations. The options documented here apply to the
providers supplied by Microsoft® that are shipped with the ADSI SDK. For
more information, see ADSI System Providers.
typedef enum {
    ADS_SECURE_AUTHENTICATION = 0x1,
    ADS_USE_ENCRYPTION = 0x2,
    ADS_USE_SSL = 0x2,
    ADS_READONLY_SERVER = 0x4,
    ADS_PROMPT_CREDENTIALS = 0x8,
    ADS_NO_AUTHENTICATION = 0x10,
    ADS_FAST_BIND = 0x20,
    ADS_USE_SIGNING = 0x40,
    ADS_USE_SEALING = 0x80,
    ADS_USE_DELEGATION = 0x100,
    ADS_SERVER_BIND = 0x200
} ADS_AUTHENTICATION_ENUM;
Elements
ADS_SECURE_AUTHENTICATION
Requests secure authentication. When this flag is set, the WinNT provider
uses NT LAN Manager (NTLM) to authenticate the client. Active Directory will
use Kerberos, and possibly NTLM, to authenticate the client. When the user
name and password are NULL, ADSI binds to the object using the security
context of the calling thread, which is either the security context of the
user account under which the application is running or of the client user
account that the calling thread is impersonating.
ADS_USE_ENCRYPTION
Forces ADSI to use encryption for data exchange over the network.
ADS_USE_SSL
Encrypts the channel with SSL. Data will be encrypted using SSL. Active
Directory requires that the Certificate Server be installed to support SSL
encryption.
ADS_READONLY_SERVER
For a WinNT provider, ADSI tries to connect to a primary domain controller
(PDC) or a backup domain controller (BDC). For Active Directory, this flag
indicates that a writeable server is not required for a serverless binding.
ADS_PROMPT_CREDENTIALS
This flag is deprecated.
ADS_NO_AUTHENTICATION
Request no authentication. The providers may attempt to bind the client, as
an anonymous user, to the targeted object. The WinNT provider does not support
this flag. Active Directory establishes a connection between the client and
the targeted object, but will not perform any authentication. Setting this
flag amounts to requesting an anonymous binding, which means "Everyone" as
the security context.
ADS_FAST_BIND
When this flag is set, ADSI will not attempt to query the objectClass
property and thus will only expose the base interfaces supported by all ADSI
objects instead of the full object support. A user can use this option to
boost the performance in a series of object manipulations that involve only
methods of the base interfaces. However, ADSI will not verify if any of the
request objects actually exist on the server. For more information, see
"Fast Binding Options for Batch Write/Modify Operations" in Active Directory
Programmer's Guide.
ADS_USE_SIGNING
Verifies data integrity to ensure the data received is the same as the data
sent. The ADS_SECURE_AUTHENTICATION flag must be set also in order to use
the signing.
ADS_USE_SEALING
Encrypts data using Kerberos. The ADS_SECURE_AUTHENTICATION flag must be set
also in order to use the sealing.
ADS_USE_DELEGATION
Enables ADSI to delegate the user's security context, which is necessary for
moving objects across domains.
ADS_SERVER_BIND
Windows 2000 SP1 and later: Specify this flag when using the LDAP provider
if your ADsPath includes a server name. Do not use this flag for paths that
include a domain name or for serverless paths. If you specify a server name
without also specifying this flag, unnecessary network traffic is the
result.
Remarks
The ADS_SECURE_AUTHENTICATION flag can be used in combination with other
flags such as ADS_READONLY_SERVER, ADS_PROMPT_CREDENTIALS, ADS_FAST_BIND,
etc.
Serverless binding refers to a process in which a client attempts to bind to
an Active Directory object without explicitly specifying an Active Directory
server in the binding string, for example,
"LDAP://CN=jsmith,DC=Microsoft,DC=Com". This is possible because the LDAP
provider relies on the locator services of Windows® 2000 to find the best
domain controller (DC) for the client. However, the client must have an
account on the Active Directory domain controller in order to take advantage
of the serverless binding feature.
Note Because VBScript cannot read information from a type library, VBScript
applications do not understand the symbolic constants as defined above. You
should use the numerical constants instead to set the appropriate flags in
your VBScript applications. If you want to use the symbolic constants as a
good programming practice, you should make explicit declarations of such
constants, as done here, in your VBScript applications.
Example Code [Visual Basic]
The following Visual Basic® code snippet illustrates how to use
IADsOpenDSObject to open the "Administrator" user object on "Microsoft" with
secure authentication for the WinNT provider.
Dim dso As IADsOpenDSObject
Dim domain As IADsDomain
Set dso = GetObject("WinNT:")
Set domain = dso.OpenDSObject("WinNT://Microsoft", "Administrator", _
                              "secret", ADS_SECURE_AUTHENTICATION)
Example Code [C++]
The following C/C++ code snippet illustrates how the
ADS_SECURE_AUTHENTICATION flag is used with ADsOpenObject for validating the
user bound as "JSmith".
IADs *pObject;
HRESULT hr;
hr = ADsOpenObject(L"LDAP://CN=Jsmith, DC=Microsoft, DC=com",
                   L"Microsoft\\JSmith", L"password",
                   ADS_SECURE_AUTHENTICATION, IID_IADs,
                   (void**) &pObject);
The user name can be of the UPN format: "JSmith@Microsoft.com", as well as
the distinguished name format: "CN=JSmith,DC=Microsoft,DC=COM".
Requirements
Windows NT/2000: Requires Windows 2000 (or Windows NT 4.0 SP6a or later
with DSClient).
Windows 95/98: Requires Windows 95/98 (with IE 4.01 or later and
DSClient). Not supported on Windows Me.
Header: Declared in Iads.h.
--
Mark Schupp
--
Head of Development
Integrity eLearning
Online Learning Solutions Provider
mschupp@ielearning.com
http://www.ielearning.com
714.637.9480 x17

"Jim" <jmackin@hastings.edu> wrote in message
news:OsnTQjfJDHA.3272@tk2msftngp13.phx.gbl...
> Mark,
>
> The error message I get is:
>
> error '8007052e'
> Logon failure: unknown user name or bad password.
> /ldaptest2.asp, line 35
>
> Something I have determined. If I put in a line that I hard code the
> username and password in like:
>
> Set lobjUser = dso.OpenDSObject("LDAP://server.domain.edu/DC=domain,DC=edu",
>     "knownuser", "knownpw", 0)
>
> If I put in the login name it does not work. If I put in the display
> name (Lastname, Firstname) then I can successfully log in. Why?
>
> What does the number '0' or '1' in the command do?
>
> Thanks for your help.
>
> Jim
>
>
> "Mark Schupp" <mschupp@ielearning.com> wrote in message
> news:%23H31JKfJDHA.1024@TK2MSFTNGP10.phx.gbl...
> > try
> >
> > Set lobjUser = dso.OpenDSObject(ldapserver, userName, password, 1)
> >
> > You might also want to check for the specific error meaning that an
> > invalid login name or password was supplied. Here is what I use:
> >
> > If Err.Number = 0 Then
> >
> >     AuthenticateUser = 0 'authenticated.
> >
> > ElseIf Err.Number = -2147023570 Then
> >     '8007052e - LDAP_INVALID_CREDENTIALS - The supplied credential is invalid.
> >     ' ERROR_LOGON_FAILURE - Logon failure: unknown user name or bad password.
> >
> >     AuthenticateUser = 1 'not authenticated
> >
> > Else
> >
> >     'error occurred
> >     strErrorMsg = Err.Number & ":" & Err.Description
> >     AuthenticateUser = 999
> >
> > End If
> >
> > --
> > Mark Schupp
> > --
> > Head of Development
> > Integrity eLearning
> > Online Learning Solutions Provider
> > mschupp@ielearning.com
> > http://www.ielearning.com
> > 714.637.9480 x17
> >
> >
> > "Jim" <jmackin@hastings.edu> wrote in message
> > news:O0e%23tDeJDHA.1024@TK2MSFTNGP10.phx.gbl...
> > > I am trying to create an ASP page that will authenticate against AD using
> > > LDAP and VBScript. I have borrowed some code that supposedly works but I am
> > > having trouble getting it to work. Can anyone help? I just want to have
> > > users log in using this page and a previous one, with a form that does a
> > > post with logon information. If the username and password are correct, then
> > > another page will be called; if it is incorrect, it will take you back to
> > > the logon page.
> > >
> > > Below is what I have so far. When I get to the command
> > >
> > > Set lobjUser = dso.OpenDSObject(ldapserver, userName, password, 0)
> > >
> > > I get an error saying the username or password is incorrect. Please help.
> > >
> > > ______________________________________________________________________________
> > >
> > > <%@ Language=VBScript %>
> > >
> > > <%
> > > Dim UserName, Password, ldapserver, ldap_path
> > >
> > > 'Construct the FQDN
> > >
> > > ldap_path = "LDAP://server.domain.edu/cn=##,DC=domain,DC=edu"
> > >
> > > 'get the ldap server name into local variable by replacing the special character
> > > 'with the username
> > >
> > > ldapserver = Replace(ldap_path, "##", Request.Form("username"))
> > >
> > > Response.Write(Request.Form("username") & "<br>")
> > > Response.Write(ldapserver & "<br>")
> > >
> > > ' Connect to the LDAP Directory
> > >
> > > Set dso = GetObject("LDAP:")
> > >
> > > 'parse the username from the ldap path
> > >
> > > userName = Mid(ldapserver, InStr(8, ldapserver, "/") + 1)
> > >
> > > Response.Write(userName & "<br>")
> > >
> > > 'get the password
> > >
> > > Password = Request.Form("Password")
> > >
> > > 'Validate the User Name and Password
> > >
> > > Set lobjUser = dso.OpenDSObject(ldapserver, userName, password, 0)
> > >
> > > 'Response.Write(lobjUser.class)
> > > 'Response.Write(err.description)
> > >
> > > 'exit with error - Incorrect username & password - return to login.asp page
> > >
> > > 'If Err.number<>0 Then
> > > '    Response.Write "AUTHENTICATION FAILURE!"
> > > '    Set lobjUser = nothing
> > > '    Set dso = nothing
> > > 'Else
> > > '    Response.Write "SUCCESS!!"
> > > 'End If
> > >
> > > 'To get information from the LDAP directory you need to know the "attributes"
> > > 'available and then you can reference them. Ex:
> > > 'strUserName = lobjUser.Get("cn")
> > > %>
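The check Mark describes (bind with ADS_SECURE_AUTHENTICATION, then test the error number for -2147023570) written in PowerShell against System.DirectoryServices, as an added example that is not code from the thread or from MSDN. The last argument of OpenDSObject is the ADS_AUTHENTICATION_ENUM bitmask quoted above: 0 sets none of the flags, so the LDAP provider performs an LDAP simple bind and the password crosses the network in the clear unless ADS_USE_SSL is also set; 1 is ADS_SECURE_AUTHENTICATION, and the bind is done with Kerberos or NTLM. The System.DirectoryServices.AuthenticationTypes values are the same numbers as the enum (Secure = 0x1, Signing = 0x40, Sealing = 0x80, ServerBind = 0x200). 0x8007052E is the HRESULT wrapping of Win32 error 1326, ERROR_LOGON_FAILURE, which as a signed 32-bit value is the -2147023570 the VBScript compares Err.Number to. The server, domain and account names are placeholders (assumptions).

```powershell
# Added example (not from the original thread or MSDN): validate a user's credentials
# against Active Directory with ADS_SECURE_AUTHENTICATION set, as the VBScript in the
# thread does with its last argument = 1, and classify the failure the same way.
Add-Type -AssemblyName System.DirectoryServices

# 0x8007052E = HRESULT for Win32 error 1326 (ERROR_LOGON_FAILURE); as a signed Int32
# this is -2147023570, the number the VBScript above tests Err.Number against.
$ERROR_LOGON_FAILURE_HRESULT = -2147023570

function Test-AdCredential {
    param(
        [Parameter(Mandatory)] [string] $Server,    # e.g. 'dc01.domain.edu' (placeholder)
        [Parameter(Mandatory)] [string] $UserName,  # UPN 'jsmith@domain.edu' or 'DOMAIN\jsmith'
        [Parameter(Mandatory)] [string] $Password
    )

    # Secure     = 0x1   (ADS_SECURE_AUTHENTICATION): Kerberos/NTLM instead of a simple bind
    # Signing    = 0x40  (ADS_USE_SIGNING), Sealing = 0x80 (ADS_USE_SEALING): integrity and
    #                    confidentiality for the LDAP traffic after the bind; both need Secure
    # ServerBind = 0x200 (ADS_SERVER_BIND): the ADsPath below names a server, not a domain
    $flags = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
             [System.DirectoryServices.AuthenticationTypes]::Signing -bor
             [System.DirectoryServices.AuthenticationTypes]::Sealing -bor
             [System.DirectoryServices.AuthenticationTypes]::ServerBind

    # RootDSE needs no knowledge of the naming context and is readable by any account
    # that can authenticate, so binding to it is enough to prove the credentials.
    $entry = New-Object -TypeName System.DirectoryServices.DirectoryEntry `
        -ArgumentList @("LDAP://$Server/RootDSE", $UserName, $Password, $flags)
    try {
        # DirectoryEntry binds lazily; RefreshCache forces the bind and throws if it fails.
        $entry.RefreshCache()
        return [pscustomobject]@{ Authenticated = $true; HResult = 0; Message = 'ok' }
    }
    catch {
        # PowerShell wraps the .NET exception; walk the chain to the COM exception that
        # carries the HRESULT (DirectoryServicesCOMException derives from COMException).
        $ex = $_.Exception
        while ($ex -and -not ($ex -is [System.Runtime.InteropServices.COMException])) {
            $ex = $ex.InnerException
        }
        $hr = if ($ex) { $ex.ErrorCode } else { -1 }
        if ($hr -eq $ERROR_LOGON_FAILURE_HRESULT) {
            # Same branch as 'AuthenticateUser = 1' in the VBScript: bad user name or password.
            $msg = 'not authenticated: unknown user name or bad password'
        }
        else {
            # Anything else (server unreachable, referral, access denied, ...) is an error,
            # not a failed logon, and must not be shown to the user as a bad password.
            $msg = 'bind error 0x{0:X8}: {1}' -f ($hr -band 0xFFFFFFFF), $_.Exception.Message
        }
        return [pscustomobject]@{ Authenticated = $false; HResult = $hr; Message = $msg }
    }
    finally {
        $entry.Dispose()
    }
}

# Usage (placeholder server; the account comes from the prompt):
# $cred = Get-Credential
# Test-AdCredential -Server 'dc01.domain.edu' -UserName $cred.UserName `
#     -Password $cred.GetNetworkCredential().Password
```

With Secure set, the user name is the logon name (UPN or DOMAIN\sAMAccountName, as in MSDN's C++ example above), not a path built from the display name. Keeping the "bad password" branch separate from the generic error branch matters for the login page in the thread: a DC that is down or a path that is wrong would otherwise be reported to the user as a mistyped password.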