I am trying to authenticate users to Active Directory with the Novell.Directory.Ldap libraries found in Mono. I know there are better ways than below, but given that I'm confined to Mono, these are the only supported routines as best I can see.

Using the .NET libraries, I can authenticate a user with their samAccountName.

using System.DirectoryServices;

// Bind to the directory with the user's own credentials; the bind itself is the
// credential check, so any search that forces the bind will do.
using (DirectoryEntry de = new DirectoryEntry())
{
    de.Username = username;
    de.Password = password;
    de.Path = string.Format("LDAP://{0}/{1}", ADHostname, DefaultNamingContext);
    de.AuthenticationType = AuthenticationTypes.Secure;

    using (DirectorySearcher deSearch = new DirectorySearcher())
    {
        deSearch.SearchRoot = de;
        deSearch.PropertiesToLoad.Add("cn");
        // attribute name corrected: "objectCatagory" matches nothing
        deSearch.Filter = "(&(objectCategory=person))";

        deSearch.FindOne();   // throws on invalid credentials
    }
}

but this fails with invalid credentials if it's running inside Mono. The only way to make it work is by specifying the UPN for the username:

de.Username = "[email protected]";

The problem is, UPN is not a required attribute for AD. So how can I authenticate a user with just their username?

I see a post about one way to do it: http://stackoverflow.com/questions/546438/authenticating-user-using-ldap-from-php

But it's a chicken-and-egg problem. How do I bind to search for the user's DN so I can bind, if I can't bind as an authenticated user to begin with?

Thank you for any help you can give.

A: 

Usually you get an account for your application to allow the search for other users' DNs. Traditionally this was done using an anonymous bind, but nowadays that is usually blocked for security reasons.

Therefore get a service account with a known DN and password. Bind as that service account, do your search, then bind as the user's DN that you found via the search.

geoffc
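The service-account search followed by a bind as the found DN, as an added example (not code from the question or the answer). It uses the Java-style method names of the Mono-era Novell.Directory.Ldap API, escapes the username before it is placed in the search filter, and refuses empty passwords, which many directories treat as an anonymous bind that succeeds. The host, base DN and service-account DN are placeholders.

```csharp
using System.Text;
using Novell.Directory.Ldap;

public static class AdAuth
{
    // Placeholders (assumptions): replace with your directory's values.
    const string Host = "ad.example.com";
    const string BaseDn = "DC=example,DC=com";
    const string ServiceDn = "CN=ldap-lookup,OU=Service Accounts,DC=example,DC=com";
    const string ServicePassword = "<service-account-password>";

    // RFC 4515 escaping: without it a username like "*)(sAMAccountName=*" rewrites the filter.
    static string EscapeFilter(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in value)
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c); break;
            }
        return sb.ToString();
    }

    // True only if exactly one account matches and binds with the given password.
    public static bool Authenticate(string username, string password)
    {
        // Never pass an empty password to Bind(): it is commonly treated as an anonymous bind.
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
            return false;

        var conn = new LdapConnection();
        try
        {
            conn.SecureSocketLayer = true;          // LDAPS, so both passwords stay encrypted
            conn.Connect(Host, 636);
            conn.Bind(ServiceDn, ServicePassword);  // step 1: bind as the search account
            string filter = "(&(objectCategory=person)(sAMAccountName=" + EscapeFilter(username) + "))";
            LdapSearchResults results = conn.Search(BaseDn, LdapConnection.SCOPE_SUB, filter, new[] { "1.1" }, false);
            if (!results.hasMore()) return false;
            string userDn = results.next().DN;      // step 2: the DN the user must bind as
            if (results.hasMore()) return false;    // more than one match: refuse
            conn.Bind(userDn, password);            // step 3: throws LdapException on a bad password
            return true;
        }
        catch (LdapException) { return false; }     // a failed service bind also lands here
        finally { conn.Disconnect(); }
    }
}
```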
That makes sense. I was trying to do this with as little admin involvement as possible, but I suppose requiring the full DN for the service account isn't a big deal. Thanks.
R.Davis