
I need some help, I am making a role-based menu. I'm using LDAP Active Directory to log in.

I can log in but I cannot get the roles from the groups of AD.

I try to use a role provider but can't get it to work. I get the groups using:

using System.Collections;
using System.DirectoryServices;

private ArrayList setRoles()
{
    ArrayList rolesList = new ArrayList();
    // LDAP path redacted in the original post
    using (DirectoryEntry de = new DirectoryEntry("LDAP://**********"))
    using (DirectorySearcher ds = new DirectorySearcher(de))
    {
        ds.PropertiesToLoad.Add("memberOf");
        ds.SearchScope = SearchScope.Subtree;
        ds.Filter = "(sAMAccountName=test)"; // your username

        SearchResult result = ds.FindOne();
        if (result == null)
            return rolesList; // no such account: no groups

        // each value is the distinguished name of a group the user is a member of
        foreach (string g in result.Properties["memberOf"])
            rolesList.Add(g);
    }
    return rolesList;
}

Now, I need to "set" the roles somewhere in order to use

User.IsInRole("Admin")

and

[Authorize role...]
public bla bla bla()

Any ideas, links, etc?

PS: I'm using Forms Auth.

Terry Gardner
EricGS

2 Answers


You shouldn't have to do this manually. Using the built-in role provider should accomplish the task by setting it in the web.config.

Active Directory Membership Provider

Windows Token Role Provider

UPDATE: Here's a question on StackOverflow that covers setting this up with an ActiveDirectory membership provider but still using Forms Authentication.

ASP.NET MVC - Authenticate users against Active Directory, but require username and password to be inputted

Nick Albrecht
  • Oops, I forgot to say I'm authenticating with forms, so win token Role P will not work? – EricGS Feb 28 '13 at 10:37
  • You can still use the Active Directory Membership Provider and use Forms Authentication to actually obtain the user credentials. You just have to validate them in your controller action with `Membership.ValidateUser(username, password)`. Here's a question on StackOverflow that covers this. http://stackoverflow.com/questions/6147864/asp-net-mvc-authenticate-users-against-active-directory-but-require-username – Nick Albrecht Feb 28 '13 at 16:47

I do not have experience working with AD, however, what you need to do is set the User property of HttpContext with a Principal that has the roles.

An approach I have previously created was to create a custom authorization attribute that inherits from AuthorizationAttribute.

using System.Collections.Generic;
using System.Security.Principal;
using System.Web.Mvc;
using System.Web.Security;

public class AuthorizeActiveDirectoryAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        var user = filterContext.HttpContext.User;

        //Your code to get the list of roles for the current user
        var rolesList = new List<string>();

        // Only rebuild the principal for a forms-authenticated user;
        // an anonymous request is left alone and rejected by the base class
        var formsIdentity = user.Identity as FormsIdentity;
        if (formsIdentity != null)
        {
            filterContext.HttpContext.User = new GenericPrincipal(formsIdentity, rolesList.ToArray());
        }

        // The base class now checks the attribute's Roles/Users against the new principal
        base.OnAuthorization(filterContext);
    }
}

You would then apply it to your action methods

[AuthorizeActiveDirectory role...]
public bla bla bla()

This will also allow you to use User.IsInRole("Admin")

Andy T
  • It works perfectly but... if I only want to retrieve the groups/roles one time (login function)??? then use them in the AuthorizeDA? PS: thanks XD – EricGS Feb 28 '13 at 17:14
  • Then in the login page, you would need to set a cookie with the roles and read the roles on each request. This is essentially how the membership provider and roles provider work: you will need to recreate the HttpContext.User on _EACH_ request. – Andy T Feb 28 '13 at 18:49
  • OK, I guess roles can be stored in session??? and check if they exist to retrieve them in OnAuthorization() – EricGS Feb 28 '13 at 19:25
  • Yes they can. Then in the OnAuthorization() you would get them and use that to create the GenericPrincipal. – Andy T Feb 28 '13 at 19:30
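Putting the two answers together, here is an added example (written for this page, not code from either answerer or the asker) of the "query AD once at login, rebuild the principal on each request" approach. It assumes an ASP.NET MVC application with Forms Authentication, an ActiveDirectoryMembershipProvider configured as the default membership provider in web.config (so that Membership.ValidateUser checks the password against AD, as in the first answer), and a placeholder LDAP path that you replace with your own. Instead of session, the group names are carried in the UserData field of the forms ticket, which FormsAuthentication.Encrypt encrypts and integrity-protects, so the browser cannot grant itself roles; the usual caveats apply: the roles are a snapshot until the ticket expires, and the cookie has to stay well under 4 KB. The class and method names below are my own, not an API of the framework.

```csharp
using System;
using System.DirectoryServices;
using System.Linq;
using System.Security.Principal;
using System.Text;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

public static class AdRoles
{
    // Placeholder: point this at your own domain controller.
    const string LdapPath = "LDAP://<your-domain-controller>";

    // RFC 4515 escaping so a crafted user name cannot change the filter's meaning.
    public static string EscapeFilter(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Queried once, at login. Returns the CN of each group in memberOf.
    // Note: splitting the DN on ',' is enough for plain group names, but a CN
    // containing an escaped comma would need a real DN parser.
    public static string[] GetGroups(string samAccountName)
    {
        using (var root = new DirectoryEntry(LdapPath))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.PropertiesToLoad.Add("memberOf");
            searcher.SearchScope = SearchScope.Subtree;
            searcher.Filter = "(&(objectClass=user)(sAMAccountName=" + EscapeFilter(samAccountName) + "))";
            SearchResult result = searcher.FindOne();
            if (result == null) return new string[0];
            return result.Properties["memberOf"].Cast<string>()
                .Select(dn => dn.Split(',')[0])                                   // "CN=Admin"
                .Where(cn => cn.StartsWith("CN=", StringComparison.OrdinalIgnoreCase))
                .Select(cn => cn.Substring(3))                                    // "Admin"
                .ToArray();
        }
    }
}

public class AccountController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(string username, string password, string returnUrl)
    {
        // Backed by the ActiveDirectoryMembershipProvider configured in web.config.
        if (!Membership.ValidateUser(username, password))
        {
            ModelState.AddModelError("", "Invalid user name or password.");
            return View();
        }

        string[] roles = AdRoles.GetGroups(username);
        // Roles travel in the ticket's UserData; Encrypt() encrypts and MACs the ticket.
        var ticket = new FormsAuthenticationTicket(1, username, DateTime.Now,
            DateTime.Now.AddMinutes(30), false, string.Join("|", roles));
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL
        };
        Response.Cookies.Add(cookie);
        // Only follow local return URLs to avoid an open redirect.
        return Redirect(Url.IsLocalUrl(returnUrl) ? returnUrl : "/");
    }
}

public class MvcApplication : HttpApplication
{
    // Runs on every request after FormsAuthenticationModule has validated the cookie,
    // so [Authorize(Roles = "Admin")] and User.IsInRole("Admin") both see the AD groups.
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        var identity = Context.User == null ? null : Context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return;
        string[] roles = string.IsNullOrEmpty(identity.Ticket.UserData)
            ? new string[0]
            : identity.Ticket.UserData.Split('|');
        Context.User = new GenericPrincipal(identity, roles);
    }
}
```

With the principal rebuilt in Application_PostAuthenticateRequest, the stock [Authorize(Roles = "Admin")] attribute is sufficient and the custom attribute from the second answer is no longer needed; if you prefer the attribute approach, the same ticket-reading code can live in its OnAuthorization override instead.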