We have a requirement to get information from specific users on an LDAP directory based on a Smartcard being presented. The application is already running under an AD user account, but using that users access to LDAP will not have sufficient access to the specific users data.
We have stumbled through a few parts of LDAP APIs and not had much luck finding info on how to make an LDAP bind call without username/password and more specifically with auth from a smartcard. Some of the MS LDAP appears to allow the option of using the current user token.
The best we have come up with is to use the SC to login then while impersonating the user create the ldap connecton using the current user token. Similar in idea to this MDSN blog .
Is there a better way?
The problem we are having with the impersonation is that the logged in user has to have certain rights for logging on other users to do the impersonation. Also while impersonating we need to limit other interactions, accessing the file system or registry as the alternate user is not desirable.