How to authenticate to iPlanet server using LDAPS?

Discussion in 'ASP .Net Security' started by JohnnyO''''Clock@community.nospam, Oct 19, 2005.

  1. JohnnyO''''

    JohnnyO'''' Guest

    I've been trying to build an LDAP provider in ASP.Net 2.0. I know the basic
    steps are to search the directory for the user object, grab the full user object
    context and bind to it securely, and then attempt to authenticate by sending
    the username and password. I can't find any documentation on using LDAPS for
    authenticating to a non-Microsoft LDAP server. Here's a console code snippet
    I've been using which works and enumerates a user's properties:

    using System;
    using System.Collections.Generic;
    using System.Text;
    using System.DirectoryServices;

    namespace iPlanet
    {
        class Program
        {
            static void Main(string[] args)
            {
                string adsPath = "LDAP://ldap.school.edu/dc=school,dc=edu";

                //Explicitly create our SearchRoot
                DirectoryEntry searchRoot = new DirectoryEntry(
                    adsPath,
                    null,
                    null,
                    AuthenticationTypes.None
                );
                //AuthenticationTypes.None - works
                //AuthenticationTypes.Anonymous - doesn't work
                //AuthenticationTypes.Secure - doesn't work
                //AuthenticationTypes.SecureSocketsLayer - doesn't work
                //AuthenticationTypes.Encryption - doesn't work
                //AuthenticationTypes.ReadonlyServer - works
                //AuthenticationTypes.ServerBind - works
                //AuthenticationTypes.Signing - works
                //AuthenticationTypes.Sealing - works
                //AuthenticationTypes.FastBind - works
                //AuthenticationTypes.Delegation - works

                using (searchRoot)
                {
                    DirectorySearcher ds = new DirectorySearcher(
                        searchRoot,
                        "(uid=jdoe)" //user being searched for
                    );

                    using (SearchResultCollection src = ds.FindAll())
                    {
                        //Console.WriteLine("Returning {0}", src.Count);

                        foreach (SearchResult sr in src)
                        {
                            foreach (string prop in sr.Properties.PropertyNames)
                            {
                                foreach (object o in sr.Properties[prop])
                                {
                                    Console.WriteLine("{0}: {1}", prop, o);
                                }
                            }
                        }
                    }
                }
            }
        }
    }

    The problem I have is when I've tried to bind to the LDAP server. It errors
    out with the message that the server may not be operational. What is the correct
    authentication type for an iPlanet LDAP server?
     
    JohnnyO'''', Oct 19, 2005
    #1

  2. You need to be using AuthenticationTypes.SecureSocketsLayer. If that
    doesn't work, there is probably an issue with the local LDAP client
    accepting the certificate from the server. There are 3 main reasons this
    fails:
    - The DNS name in your binding string doesn't match the DNS name in the cert
    - The cert is expired or not yet valid
    - The local client does not trust the server's certificate

    Essentially, these are the same reasons you get a certificate warning dialog
    in IE, except that LDAP always fails on these conditions.

    The System event log may also contain errors from Schannel that tell you
    what the problem was. If not, you can also bump up the logging level:
    http://support.microsoft.com/?id=260729

    Since you are using .NET 2.0 also, you might consider using
    System.DirectoryServices.Protocols for this purpose. It is lower level and
    has the benefit of eliminating all of the ADSI layer from the LDAP calls.

    Joe K.

    Joe Kaplan \(MVP - ADSI\), Oct 19, 2005
    #2
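A worked version of what this reply recommends, using System.DirectoryServices.Protocols over LDAPS on port 636. This is an added example, not code from the thread, written in current C# rather than the .NET 2.0 of 2005; the host name, base DN and uid attribute are taken from the original post, and the certificate callback reports which of the three causes listed above rejected the server certificate instead of silently failing.

```csharp
using System;
using System.Net;
using System.DirectoryServices.Protocols;
using System.Security.Cryptography.X509Certificates;

// Added example, not code from the thread. Host, base DN and the uid attribute come from the original post.
static class LdapsAuthenticator
{
    const string Host = "ldap.school.edu", BaseDn = "dc=school,dc=edu";

    // Check the server certificate for the three failure causes named in the reply (validity period, DNS name
    // mismatch, untrusted chain); null means acceptable. GetNameInfo yields one name; production code walks every SAN.
    static string CheckCert(X509Certificate raw)
    {
        var cert = new X509Certificate2(raw);
        if (DateTime.Now < cert.NotBefore || DateTime.Now > cert.NotAfter) return "certificate expired or not yet valid";
        string name = cert.GetNameInfo(X509NameType.DnsName, false);
        if (!string.Equals(name, Host, StringComparison.OrdinalIgnoreCase)) return "certificate name '" + name + "' does not match " + Host;
        using var chain = new X509Chain();
        if (chain.Build(cert)) return null;
        return "chain not trusted: " + string.Join("; ", Array.ConvertAll(chain.ChainStatus, s => s.StatusInformation.Trim()));
    }

    // Open an LDAPS connection on 636. The callback decides whether the handshake proceeds and logs why it did not.
    static LdapConnection Connect(AuthType auth, NetworkCredential cred)
    {
        var conn = new LdapConnection(new LdapDirectoryIdentifier(Host, 636, true, false), cred, auth);
        conn.SessionOptions.ProtocolVersion = 3;
        conn.SessionOptions.SecureSocketLayer = true;
        conn.SessionOptions.VerifyServerCertificate = (c, cert) =>
        { string why = CheckCert(cert); if (why != null) Console.Error.WriteLine("LDAPS: " + why); return why == null; };
        return conn;
    }

    // RFC 4515 escaping so a user-supplied uid cannot change the meaning of the search filter.
    static string EscapeFilter(string s) => s.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");

    // Search anonymously for the user's DN, then bind as that DN with the supplied password.
    public static bool Authenticate(string uid, string password)
    {
        if (string.IsNullOrEmpty(password)) return false;   // an empty password is an anonymous bind, not a login
        string dn;
        using (var anon = Connect(AuthType.Anonymous, null))
        {
            anon.Bind();
            var res = (SearchResponse)anon.SendRequest(new SearchRequest(BaseDn, "(uid=" + EscapeFilter(uid) + ")", SearchScope.Subtree, "1.1"));
            if (res.Entries.Count != 1) return false;       // unknown or ambiguous uid
            dn = res.Entries[0].DistinguishedName;
        }
        using var user = Connect(AuthType.Basic, new NetworkCredential(dn, password));
        try { user.Bind(); return true; }
        catch (LdapException) { return false; }             // wrong password or bind refused by policy
    }
}
```

When the handshake is rejected, the reason printed by the callback is the same one the Schannel entries in the System event log would give, which is the check the reply tells you to make first.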

  3. Do you get any Schannel errors in the System event log on the web server
    when it tries to make the LDAPS connection to iPlanet? Normally, if there
    is a problem with the SSL handshake, it will be reported there.

    Joe K.

    "karampuris" <> wrote in message
    news:...
    >
    > Hi,
    >
    > I am stuck with a similar problem to yours. Let me know if you were
    > able to find a solution.
    >
    > My code in asp.net works fine when using 389 but not with 636.
    > I have installed the certificate and tried.
    >
    > I will be glad if you can help me out.
    >
    > Sushil
    >
     
    Joe Kaplan \(MVP - ADSI\), May 8, 2006
    #3
