0

I am new to LDAP related coding and today I am asked to develop a code to check the users authentication against LDAP.

The tutorials I have found online are so simple but our company's Directory is so complicated that I don't know how to write a code for that. Here is the info of the LDAP . I have changed the company name to hide the name.

string domain = "ou=People,dc=my,dc=com";
string LDAP_Path= "dc01.my.com;
string LDAPconnect= "LDAP://dc01.my.com/";

Here is a code I have developed but it gives me error when run " LdapResult = LdapSearcher.FindOne();":

    string domain = "ou=People,dc=my,dc=com";
    string password = "";
    string userName = "";

    // define your connection
    LdapConnection ldapConnection = new LdapConnection(LDAP_Path);

    try
    {
        // authenticate the username and password
        using (ldapConnection)
        {
            // pass in the network creds, and the domain.
            var networkCredential = new NetworkCredential(userName, password, domain);

            // if we're using unsecured port 389, set to false. If using port 636, set this to true.
            ldapConnection.SessionOptions.SecureSocketLayer = false;

            // since this is an internal application, just accept the certificate either way
            ldapConnection.SessionOptions.VerifyServerCertificate += delegate { return true; };

            // to force NTLM\Kerberos use AuthType.Negotiate, for non-TLS and unsecured, just use AuthType.Basic
            ldapConnection.AuthType = AuthType.Basic;

            // authenticate the user
            ldapConnection.Bind(networkCredential);
            Response.Write( "connect ldap success");
        }
    }
    catch (LdapException ldapException)
    {
        Response.Write(ldapException + " <p>Ad connect failed</p>");
        //Authentication failed, exception will dictate why
    }
    string strTmp0 = LDAPconnect + domain;
    string user = "memberId";
    string pwd = "memberPwd";
    System.DirectoryServices.DirectoryEntry LdapEntry = new System.DirectoryServices.DirectoryEntry(strTmp0, "cn=" + user, pwd, AuthenticationTypes.None);
    DirectorySearcher LdapSearcher = new DirectorySearcher(LdapEntry);
    LdapSearcher.Filter = "(cn=" + user + ")";
    string value = string.Empty;
    SearchResult LdapResult=null;
    try
    {
         LdapResult = LdapSearcher.FindOne();
     
    }
    catch (Exception ex)
    {
        Response.Write(ex.Message.ToString());
 // .............get Error msg : username an password  uncorrect

    }
    if ((LdapResult != null))
    {
        Response.Write("ldapresult not null");
    }

Could anybody help plz?

georgetovrea
  • 537
  • 1
  • 8
  • 28
  • what error are you facing? – Always_a_learner Jul 06 '20 at 03:50
  • it gives me error msg "username an password uncorrect" when run " LdapResult = LdapSearcher.FindOne();": – georgetovrea Jul 06 '20 at 03:56
  • string LDAPconnect= "LDAP://dc01.my.com"/"; is it correct i mean escape character? – Always_a_learner Jul 06 '20 at 04:07
  • @Always_a_learner I have modified it to "string LDAPconnect= "LDAP://dc01.my.com/"; " , still get the same error – georgetovrea Jul 06 '20 at 04:17
  • let me share you a fresh approach to validate user with email..i hope it will work validating user by email? – Always_a_learner Jul 06 '20 at 04:24
  • @Always_a_learner "LDAP://dc01.my.com" that looks like only the server name. Chekc [How can I figure out my ldap connection string](https://serverfault.com/questions/130543/how-can-i-figure-out-my-ldap-connection-string). A connection string similar to `LDAP://ou=Users,dc=example,dc=org` works for me (no need to add the domain controller to the connection string because machine is already in the domain) – Cleptus Jul 06 '20 at 06:39
  • @Always_a_learner That sample only checks the email exists in the LDAP, it does not authenticate. – Cleptus Jul 06 '20 at 06:53
  • Is that the only information the exception gives you? `LdapConnection` should give you more info, which should tell you why the credentials were rejected. See [this answer](https://stackoverflow.com/a/11033489/1202807) for more details. – Gabriel Luci Jul 06 '20 at 14:04

2 Answers2

0

In ldap connection setting , OP should use own configuration.

        // Ldap connection setting. this should setup according to organization ldap configuration 
        int portnumber = 12345;
        LdapConnection ldapConnection = new LdapConnection(new LdapDirectoryIdentifier("ldap.testxxxx.com", portnumber));
        ldapConnection.AuthType = AuthType.Anonymous;
        ldapConnection.Bind();

        SearchRequest Srchrequest = null;
        SearchResponse SrchResponse = null;
        SearchResultEntryCollection SearchCollection = null;

        Hashtable UserDetails = new Hashtable();
        
        Srchrequest = new SearchRequest("distniguishged name e.g. o=testxxx.com", string.Format(CultureInfo.InvariantCulture, "preferredmail=test@testxxxx.com"), System.DirectoryServices.Protocols.SearchScope.Subtree);
        SrchResponse = (SearchResponse)ldapConnection.SendRequest(Srchrequest);
        SearchCollection = SrchResponse.Entries;

        foreach (SearchResultEntry entry in SearchCollection)
        {
            foreach (DictionaryEntry att in entry.Attributes)
            {
                if (((DirectoryAttribute)(att.Value)).Count > 0)
                {
                    UserDetails.Add(att.Key.ToString(), ((DirectoryAttribute)(att.Value))[0].ToString());
                }
                else
                {
                    UserDetails.Add(att.Key.ToString(), string.Empty);
                }
            }
        }

        if (UserDetails.Count > 1)
        {
            Console.WriteLine("User exists");
        }
        else
        {
            Console.WriteLine("User does not exist");
        }
Always_a_learner
  • 1,254
  • 1
  • 8
  • 16
  • OP is trying to check user credentials connecting to the LDAP, your code does an anonymous LDAP query. Your code is useful in some scenarios, but probably is not what OP needs. – Cleptus Jul 06 '20 at 06:23
0

You can use the DirectoryInfo conrstructor that has user and password arguments. That way, you don't need to do a query to the LDAP, you can simplify your code.

string username = "frederic";
string password = "myFanciPassword99";

string domain = "ou=People,dc=my,dc=com";
string LDAPconnect= "LDAP://dc01.my.com/";

string connectionString = LDAPconnect + domain;

bool userValid = false;

// Note: DirectoryEntry(domain, username, password) would also work
DirectoryEntry entry = new DirectoryEntry(connectionString, username, password);
try
{
    // Bind to the native AdsObject to force authentication.
    Object obj = entry.NativeObject;
    userValid = true;
}
catch (Exception ex)
{
}
Cleptus
  • 3,446
  • 4
  • 28
  • 34