LDAP and SASL

Discussion in 'ASP .Net Security' started by Amar, Dec 28, 2005.

  1. Amar

    Amar Guest

    I am a newbie with enterprise directories. I am trying to write an ASP.NET
    application to fetch some data from my university LDAP enterprise directory.
    There are 2 types of access allowed to the LDAP server. One is an anonymous
    access and another is the access that exists mainly to give privileged
    accounts access to person information that can otherwise not be publicly
    viewed. These privileged accounts, called Y Services, are primarily used to
    look up person data and authorize people on this data.

    Now, I was able to use the anonymous access privileges and view the data
    from the LDAP server. What I want to do is to use the Y Services and view the
    person information that cannot be accessed via the anonymous access. For
    example, I want to view the date of birth for the person, which is available in
    the Y Services access.

    The university instructions say the following:

    What you see in Y Services is dependent on how you bind (anonymous, simple,
    SASL EXTERNAL) and the amount of privileges the bound user has. Connecting to
    Y Services requires the use of TLS client certificate authentication, meaning
    you must have a signed certificate from the university in order to connect.
    Users bound anonymously can only search on ID and can only see the DN
    (distinguished name) of any user. Users that have performed a SASL EXTERNAL
    bind can only see those attributes they have been approved to see (for all
    users), and only if the corresponding service is ACTIVE.

    Now, I know that the TLS client certificate has been installed on my server
    by my sys admin. Please tell me the steps to do the bind and fetch the date
    of birth for all people in department X.

    Here is the anonymous bind code.

    ' Posted code, reindented; the declarations the original left implicit are
    ' added here. Assumes Imports System.DirectoryServices and an ASP.NET Page.
    Dim deLdapConn As DirectoryEntry = New DirectoryEntry("LDAP://directory.a.edu/dc=a,dc=edu")
    Dim searcherLdap As New DirectorySearcher(deLdapConn)
    Dim Results As SearchResultCollection
    Dim propcoll As ResultPropertyCollection
    Dim Result As SearchResult
    Dim strKey As String
    Dim obProp As Object
    Dim iNumProperties As Integer = 0
    Dim arrFName() As String, arrLName() As String, arrPhone() As String
    Dim arrEmail() As String, arrDob() As String

    Try
        searcherLdap.Filter = "(department=X)"
        searcherLdap.PropertiesToLoad.Add("sn")
        searcherLdap.PropertiesToLoad.Add("givenname")
        searcherLdap.PropertiesToLoad.Add("telephonenumber")
        searcherLdap.PropertiesToLoad.Add("uupid")

        Results = searcherLdap.FindAll()
        iNumProperties = Results.Count
        ReDim arrFName(iNumProperties - 1)
        ReDim arrLName(iNumProperties - 1)
        ReDim arrPhone(iNumProperties - 1)
        ReDim arrEmail(iNumProperties - 1)
        ReDim arrDob(iNumProperties - 1)

        iNumProperties = 0 ' Reused as the array index from here on
        For Each Result In Results ' Result is one record, Results is all of them
            propcoll = Result.Properties ' All properties (field names) of that record
            For Each strKey In propcoll.PropertyNames ' Each field name of the selected record
                For Each obProp In propcoll(strKey)
                    If strKey = "givenname" Then
                        arrFName(iNumProperties) = CStr(obProp)
                    End If
                    If strKey = "sn" Then
                        arrLName(iNumProperties) = CStr(obProp)
                    End If
                    If strKey = "telephonenumber" Then
                        arrPhone(iNumProperties) = CStr(obProp)
                    End If
                    If strKey = "uupid" Then
                        arrEmail(iNumProperties) = CStr(obProp)
                    End If
                Next
            Next
            iNumProperties = iNumProperties + 1
        Next

        searcherLdap.Dispose()
        searcherLdap = Nothing
        deLdapConn.Close()
        deLdapConn = Nothing
    Catch Ex As Exception
        ' Writes the full exception (including the LDAP path) into the page;
        ' log it server-side and show a generic message in production.
        Response.Write(Ex.ToString())
    End Try



    Please help me!! THANKS IN ADVANCE!!
    Amar, Dec 28, 2005
    #1

  2. Did you try specifying the AuthenticationTypes.SecureSocketsLayer flag?
    ADSI and the LDAP API will happily try to supply a client cert during the
    LDAP SSL handshake if one is available and configured correctly.

    Joe K.
    "Amar" <> wrote in message
    news:...
    Joe Kaplan \(MVP - ADSI\), Dec 29, 2005
    #2

  3. Amar

    Amar Guest

    Thanks Joe. I did try specifying the authentication types. But when I read
    your reply, I do have reason to believe that there is some problem with the
    client cert. Can you please tell us the steps to make our website use the
    client certificate? Let me give you a brief status.
    My system administrator requested 2 certificates from the university central
    computing resources. One was an SSL server certificate and another was a
    client certificate, which was provided by the group that handles the
    enterprise directory on campus.
    My sys admin installed both those certificates on the webserver. When we run
    the Certificates.msc console, we can see both the certificates listed under
    the folder Certificates - Personal - Certificates; both are present there.
    Now how do I make my website make use of these certificates? Do I have to
    make some special changes to my website on IIS? I use IIS 6.0 on Windows 2003
    Server and use my laptop with VS.NET 2003 to work remotely on the server.
    Thank you so much Joe. Really appreciate your help.

    "Joe Kaplan (MVP - ADSI)" wrote:

    > Did you try specifying the AuthenticationTypes.SecureSocketsLayer flag?
    > ADSI and the LDAP API will happily try to supply a client cert during the
    > LDAP SSL handshake if one is available and configured correctly.
    >
    > Joe K.
    > "Amar" <> wrote in message
    > news:...
    > >I am a newbie with enterprise directories. I am trying to write an ASP.NET
    > > application to fetch some data from my university LDAP enterprise
    > > directory.
    > > There are 2 types of access allowed to the LDAP server. One is a anonymous
    > > access and another is the access that exists mainly to give privileged
    > > accounts access to person information that can otherwise not be publicly
    > > viewed. These privileged accounts, called Y Services, are primarily used
    > > to
    > > look up person data and authorize people on this data.
    > >
    > > Now, i was able to use the anonymous access priviliges and view the data
    > > from LDAP server. What i want to do is to use the Y services and view the
    > > person information that cannot be accessed via the anonymous access. For
    > > example i want to view the date of birth for the person which is available
    > > in
    > > the Y Services access.
    > >
    > > The university instructions say the following:
    > >
    > > What you see in Y Services is dependent on how you bind (anonymous,
    > > simple,
    > > SASL EXTERNAL) and the amount of privileges the bound user has. Connecting
    > > to
    > > Y Services requires the use of TLS client certificate authentication,
    > > meaning
    > > you must have a signed certificate from the uiniversity in order to
    > > connect.
    > > Users bound anonymously can only search on ID and can only see the DN
    > > (distinguished name) of any user. Users that have performed a SASL
    > > EXTERNAL
    > > bind can only see those attributes they have been approved to see (for all
    > > users), and only if the corresponding service is ACTIVE.
    > >
    > > Now, i know that the TLS client certificate has been installed on my
    > > server
    > > by my Sys admin. Please tell me the steps to do the bind and fetch the
    > > date
    > > of birth for all people in department X.
    > >
    > > Here is the anonymous bind code.
    > >
    > > Dim deLdapConn As DirectoryEntry = New
    > > DirectoryEntry("LDAP://directory.a.edu/dc=a,dc=edu")
    > >
    > > Dim searcherLdap As New DirectorySearcher(deLdapConn)
    > >
    > > Dim Results As SearchResultCollection
    > >
    > > Dim propcoll As ResultPropertyCollection
    > >
    > > Dim Result As SearchResult
    > >
    > > Dim strKey As String
    > >
    > > Dim obProp As Object
    > >
    > > iNumProperties = 0
    > >
    > >
    > >
    > > Try
    > >
    > > searcherLdap.Filter = "(department=X)"
    > >
    > > searcherLdap.PropertiesToLoad.Add("sn")
    > >
    > > searcherLdap.PropertiesToLoad.Add("givenname")
    > >
    > > searcherLdap.PropertiesToLoad.Add("telephonenumber")
    > >
    > > searcherLdap.PropertiesToLoad.Add("uupid")
    > >
    > > Results = searcherLdap.FindAll
    > >
    > > iNumProperties = Results.Count()
    > >
    > > ReDim arrFName(iNumProperties - 1)
    > >
    > > ReDim arrLName(iNumProperties - 1)
    > >
    > > ReDim arrPhone(iNumProperties - 1)
    > >
    > > ReDim arrEmail(iNumProperties - 1)
    > >
    > > ReDim arrDob(iNumProperties - 1)
    > >
    > > iNumProperties = 0 ' Sets the start index for arrays
    > >
    > > For Each Result In Results ' Starts the loop where result stores 1 record
    > > and resultS stores all records
    > >
    > > propcoll = Result.Properties ' Gets the all the properties (fieldnames)
    > > for
    > > that record
    > >
    > > For Each strKey In propcoll.PropertyNames ' Loop through each field name
    > > for
    > > the selected record
    > >
    > > iOnce = 0
    > >
    > > For Each obProp In propcoll(strKey)
    > >
    > > If strKey = "givenname" Then
    > >
    > > arrFName(iNumProperties) = obProp
    > >
    > > End If
    > >
    > > If strKey = "sn" Then
    > >
    > > arrLName(iNumProperties) = obProp
    > >
    > >
    > > End If
    > >
    > > If strKey = "telephonenumber" Then
    > >
    > >
    > > arrPhone(iNumProperties) = obProp
    > >
    > > End If
    > >
    > > If strKey = "uupid" Then
    > >
    > > arrEmail(iNumProperties) = obProp
    > >
    > > End If
    > >
    > > Next
    > >
    > > Next
    > >
    > > iNumProperties = iNumProperties + 1
    > >
    > > Next
    > >
    > > searcherLdap.Dispose()
    > >
    > > searcherLdap = Nothing
    > >
    > > deLdapConn.Close()
    > >
    > > deLdapConn = Nothing
    > >
    > > Catch Ex As Exception
    > >
    > > Response.Write(Ex.ToString)
    > >
    > > End Try
    > >
    > >
    > >
    > > Please help me!! THANKS IN ADVANCE!!
    > >
    > >

    >
    >
    >
    Amar, Dec 29, 2005
    #3
  4. Getting client certificates to work under ASP.NET is a bit of a PITA because
    the private key for the cert is usually stored in the user's profile and
    that won't be loaded in the context of ASP.NET. The private key needs to be
    installed in the machine store instead.

    What I would suggest doing would be to export the certificate and private
    key from your personal store and make sure it is installed in the machine
    store.

    Then, the next thing to do is to make sure that the account that is being
    used to execute the request has permissions on the private key. This is a
    much trickier part, as there are many different options for what that account
    might be depending on how you have configured the web app. You can find out
    the identity of the current thread with
    System.Security.Principal.WindowsIdentity.GetCurrent().Name.

    I think it would be best to try to make sure you can get the LDAP client
    certificate thing working in a console app first before trying to move it
    into an ASP.NET context though. There is no telling whether that part alone
    will work correctly. Hopefully there won't be an issue, but you want to try
    to isolate that from the web app while that is still an unknown.

    Joe K.

    "Amar" <> wrote in message
    news:...
    Joe Kaplan \(MVP - ADSI\), Dec 30, 2005
    #4
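    A stand-alone console harness for what Joe describes in his two replies (an
    LDAPS bind that presents the client certificate, after first checking the
    machine store, the private key and the identity the code runs as), added here
    as an example; it is not code from the thread. It uses
    System.DirectoryServices.Protocols (shipped with .NET 2.0) rather than ADSI,
    because LdapConnection lets you attach a specific certificate and request a
    SASL EXTERNAL bind explicitly, whereas the DirectoryEntry route with
    AuthenticationTypes.SecureSocketsLayer relies on Schannel choosing a
    certificate on its own. The certificate subject, the date-of-birth attribute
    name and port 636 are assumptions; the host, base DN and the other attribute
    names come from Amar's post.

```vbnet
' Added example, not from the thread. Assumes .NET 2.0+ and a client certificate
' with its private key in LocalMachine\My; names marked "assumption" are placeholders.
Imports System
Imports System.Text
Imports System.DirectoryServices.Protocols
Imports System.Security.Cryptography.X509Certificates
Imports System.Security.Principal

Module YServicesBindCheck

    Private Const LdapHost As String = "directory.a.edu"                ' from the thread
    Private Const BaseDn As String = "dc=a,dc=edu"                      ' from the thread
    Private Const ClientCertSubject As String = "CN=yservices-client"   ' assumption
    Private Const DobAttribute As String = "dateOfBirth"                ' assumption: check your schema

    ' The Windows account this code runs as. Under ASP.NET it is this account
    ' that must be granted read access to the certificate's private key.
    Public Function RunningAs() As String
        Return WindowsIdentity.GetCurrent().Name
    End Function

    ' Look the client certificate up in the machine store (not the user's profile)
    ' and insist on a private key: without one the TLS handshake cannot complete.
    Public Function FindClientCert(ByVal subject As String) As X509Certificate2
        Dim store As New X509Store(StoreName.My, StoreLocation.LocalMachine)
        store.Open(OpenFlags.ReadOnly Or OpenFlags.OpenExistingOnly)
        Try
            Dim matches As X509Certificate2Collection = store.Certificates.Find( _
                X509FindType.FindBySubjectDistinguishedName, subject, False)
            For Each cert As X509Certificate2 In matches
                If cert.HasPrivateKey AndAlso cert.NotAfter > DateTime.Now Then Return cert
            Next
            Return Nothing
        Finally
            store.Close()
        End Try
    End Function

    ' RFC 4515 escaping, so a department name taken from user input cannot change
    ' the meaning of the search filter (LDAP injection).
    Public Function EscapeFilterValue(ByVal value As String) As String
        Dim sb As New StringBuilder(value.Length)
        For Each c As Char In value
            Select Case c
                Case "\"c, "*"c, "("c, ")"c, ControlChars.NullChar
                    sb.AppendFormat("\{0:x2}", AscW(c))
                Case Else
                    sb.Append(c)
            End Select
        Next
        Return sb.ToString()
    End Function

    ' LDAPS plus SASL EXTERNAL: the identity asserted to the directory is the client
    ' certificate presented in the TLS handshake, so no username or password is sent.
    ' Server certificate validation stays at the Schannel default (not overridden).
    Public Function OpenExternalBind(ByVal cert As X509Certificate2) As LdapConnection
        Dim conn As New LdapConnection(New LdapDirectoryIdentifier(LdapHost, 636))
        conn.SessionOptions.ProtocolVersion = 3
        conn.SessionOptions.SecureSocketLayer = True
        conn.ClientCertificates.Add(cert)
        conn.AuthType = AuthType.External
        conn.Bind()
        Return conn
    End Function

    ' Search one department and report the date of birth where the bound identity
    ' is approved to see it; an attribute it is not approved for is simply absent.
    Public Function ListDepartment(ByVal conn As LdapConnection, ByVal department As String) As Integer
        Dim filter As String = "(department=" & EscapeFilterValue(department) & ")"
        Dim req As New SearchRequest(BaseDn, filter, SearchScope.Subtree, _
            New String() {"sn", "givenname", "uupid", DobAttribute})
        Dim resp As SearchResponse = DirectCast(conn.SendRequest(req), SearchResponse)
        For Each entry As SearchResultEntry In resp.Entries
            Dim dob As String = "(not visible to this bind)"
            If entry.Attributes.Contains(DobAttribute) Then
                dob = CStr(entry.Attributes(DobAttribute).GetValues(GetType(String))(0))
            End If
            Console.WriteLine("{0}: {1}", entry.DistinguishedName, dob)
        Next
        Return resp.Entries.Count
    End Function

    Sub Main()
        Console.WriteLine("Running as: " & RunningAs())
        Dim cert As X509Certificate2 = FindClientCert(ClientCertSubject)
        If cert Is Nothing Then
            Console.WriteLine("No client certificate with a private key found in LocalMachine\My.")
            Return
        End If
        Using conn As LdapConnection = OpenExternalBind(cert)
            Console.WriteLine("Entries returned: " & ListDepartment(conn, "X"))
        End Using
    End Sub
End Module
```

    Run it first as the interactive user to confirm the bind itself works, then
    as the account that RunningAs() prints under the web application; if the
    second run fails at Bind() while the first succeeds, the private key ACL on
    the machine-store certificate is the usual cause, exactly the case Joe
    describes.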
