
I need to pass LDAP credentials to a web-service to authenticate in C#.

I've got everything set up to get the user using DirectoryEntry; however, for obvious reasons I can't get the password.

I authenticate to a third-party web service in C# by passing the username/password like: j_username=me%40domain.com&j_password=mypassword%21

I know getting the LDAP password is impossible but is there a better way to go about what I'm doing?

amcdnl

2 Answers


I would say that your question is not quite clear. You say that you cannot get the password, but you are passing a password, so we are not talking about the same password. Is it the LDAP admin password that you are talking about? But what is the issue? Please provide more info. I will go adventurous and tell you that, if you have an application server for your app, you can also configure access to the LDAP directory from the server, so you can authenticate against the app server instead of the LDAP service directly. Does it help? Please provide more info.

  • Basically I need to get the users password from LDAP to pass it to my third-party service. Does that help? – amcdnl Sep 12 '13 at 18:43
  • Well, then the LDAP directory administrator must allow you to get that data to proceed. I suggest you ask for clearance in the first place. Think about it: if any app were able to retrieve passwords for all users in an LDAP directory, that would be a security breach. Don't you think? Do some inside research with your peers before clarifying the requirement. – gral.pancho.villa Sep 12 '13 at 19:33

You can retrieve a user's password from Active Directory, but it requires a special setting to be enabled on the server itself, and it is generally looked down upon in terms of secure practices.

You're better off supplying the user a simple form in which they can enter both their username and password, and then sending the bind request to the directory server. Granted, while it looks like your current implementation via the web service works, I would take a slightly different approach depending on who's going to be using the application:

  • If this is an internal application within your organization, you can force a network login through IIS, which would negate the need for the web service. You can check this link here for a general overview, or this one for a more detailed explanation with code examples.

  • If this application is externally available, you have a lot of options in terms of authorizing users against Active Directory; however, you'll still need that form with the username and password fields. I've written a few answers on this topic (in C#), and the code itself is centered around the System.DirectoryServices namespace. There is an example on this thread, and also on this one as well.

I hope that helps - but feel free to message me if you have any other questions.

X3074861X
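An added example (not from either answer or the original poster) of the bind-based check the second answer describes: the username and password typed into the login form are handed to a directory bind, and the bind result decides the login, so the application never needs to read a password out of the directory. The helper class name, the `LDAP://` path and the domain name are placeholders; the second method shows the same check through `System.DirectoryServices.AccountManagement`.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;

// Hypothetical helper written for this example; not code from the original post.
public static class LdapBindAuthenticator
{
    // Validates a login by asking the directory to bind as the user.
    // The password only passes through to the bind call; it is never read
    // back from the directory, logged or stored by the application.
    public static bool ValidateByBind(string ldapPath, string userName, string password)
    {
        // Reject empty input before binding: some servers treat an
        // empty-password bind as anonymous and report it as a success.
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            return false;

        try
        {
            // Secure = Negotiate (Kerberos/NTLM), so the password is not sent in
            // clear text; Sealing encrypts the rest of the session.
            using (var entry = new DirectoryEntry(ldapPath, userName, password,
                       AuthenticationTypes.Secure | AuthenticationTypes.Sealing))
            {
                // Touching NativeObject forces the bind; it throws on bad credentials.
                return entry.NativeObject != null;
            }
        }
        catch (DirectoryServicesCOMException)
        {
            return false; // wrong password, unknown user, or locked/disabled account
        }
    }

    // Same check through AccountManagement, the shorter API when the
    // directory is an Active Directory domain.
    public static bool ValidateByPrincipalContext(string domain, string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            return false;

        using (var context = new PrincipalContext(ContextType.Domain, domain))
        {
            return context.ValidateCredentials(userName, password, ContextOptions.Negotiate);
        }
    }
}

// Usage from a form handler (placeholder path and domain):
// bool ok = LdapBindAuthenticator.ValidateByBind("LDAP://dc.example.com/DC=example,DC=com", form["username"], form["password"]);
```

Both methods return false on a failed bind rather than throwing, so the form handler can show a generic "login failed" message without revealing whether the username or the password was wrong.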