retrieve LDAP info within webservice

Discussion in 'ASP .Net Web Services' started by Roland Wolters, Jan 10, 2005.

  1. Hi,

    Using WSE 2.0 a user logs on to my application. The web service runs
    within the domain, the user does not (not always). So I use the
    web service to read from the central database and to verify the
    username/password. Doing that I want to return the full name for the
    user.

    To do this I wrote (well, partially found it on the internet ;-)) this
    method:

    using System.DirectoryServices;

    public static String GetLDAPName(String userAccount)
    {
        // "xxx" stands for the real LDAP path / domain suffix (redacted in the post)
        String account = userAccount.Replace(@"@xxx", "");
        try
        {
            // Dispose the directory objects when done; the constructor does not bind yet
            using (DirectoryEntry entry = new DirectoryEntry("LDAP://xxx"))
            using (DirectorySearcher search = new DirectorySearcher(entry))
            {
                // NOTE: 'account' is concatenated straight into the filter; a value
                // containing ( ) * or \ changes the meaning of the filter (see RFC 4515)
                search.Filter = "(SAMAccountName=" + account + ")";
                search.PropertiesToLoad.Add("displayName");
                SearchResult result = search.FindOne();

                if (result != null)
                {
                    // property names are case-insensitive
                    return result.Properties["displayname"][0].ToString();
                }
                else
                {
                    return "Unknown User";
                }
            }
        }
        catch (Exception ex)
        {
            // Raw exception text goes back to the caller; this is where
            // "an operations error occurred" shows up
            return ex.Message;
        }
    }

    If I try it, it always returns "an operations error occurred". That's
    good info isn't it!! NOT!

    To find out if the method is wrong I also put it in a Windows app and
    tested it on another machine (no Visual Studio installed, just x-copy
    deployed) in the same domain as the web server. Without having to set any
    trusts it ran fine!

    What's wrong here? Is this a matter of setting permissions on the
    webserver? And what would that be?


    Mazzel,


    Roland
    --
    ---
    Roland Wolters
    http://www.habbiebabbie.net
    ***** Please react via UseNet only ********


     
    Roland Wolters, Jan 10, 2005
    #1

  2. Hello Roland,

    Need to make sure that the account ASP.net runs under has been set up
    as a user in LDAP
    HTH
    Regards,
    Dilip Krishnan
    MCAD, MCSD.net
    dkrishnan at geniant dot com
    http://www.geniant.com

    > Hi,
    >
    > Using WSE 2.0 a user logs on to my application. The web service runs
    > within the domain, the user does not (not always). So I use the
    > web service to read from the central database and to verify the
    > username/password. Doing that I want to return the full name for the
    > user.
    >
    > To do this I wrote (well, partially found it on the internet ;-)) this
    > method:
    >
    > public static String GetLDAPName(String userAccount)
    > {
    > DirectoryEntry entry = new DirectoryEntry("LDAP://xxx");
    > String account =userAccount.Replace(@"@xxx", "");
    > try
    > {
    > DirectorySearcher search = new DirectorySearcher(entry);
    > search.Filter = "(SAMAccountName=" + account + ")";
    > search.PropertiesToLoad.Add("displayName");
    > SearchResult result = search.FindOne();
    > if( result != null )
    > {
    > return result.Properties["displayname"][0].ToString();
    > }
    > else
    > {
    > return "Unknown User";
    > }
    > }
    > catch( Exception ex )
    > {
    > return ex.Message;
    > }
    > }
    > If I try it, it always returns "an operations error occurred". That's
    > good info isn't it!! NOT!
    >
    > To find out if the method is wrong I also put it in a Windows app and
    > tested it on another machine (no Visual Studio installed, just x-copy
    > deployed) in the same domain as the web server. Without having to set
    > any trusts it ran fine!
    >
    > What's wrong here? Is this a matter of setting permissions on the
    > webserver? And what would that be?
    >
    > Mazzel,
    >
    > Roland
    >
     
    Dilip Krishnan, Jan 11, 2005
    #2

  3. Dilip Krishnan <> wrote in
    news::

    Hi,

    The user running the webservice has not been set as a user in LDAP. The
    admin is not going to change this.

    Is there a way around this? I do have a valid authenticated
    UsernameToken. Can I use this to read the full name for that user? Maybe
    use impersonation via this username token? How?


    Roland


    > Hello Roland,
    >
    > Need to make sure that the account ASP.net runs under has been set up
    > as a user in LDAP
    > HTH
    > Regards,
    > Dilip Krishnan
    > MCAD, MCSD.net
    > dkrishnan at geniant dot com
    > http://www.geniant.com
    >
    >> Hi,
    >>
    >> Using WSE 2.0 a user logs on to my application. The web service runs
    >> within the domain, the user does not (not always). So I use the
    >> web service to read from the central database and to verify the
    >> username/password. Doing that I want to return the full name for the
    >> user.
    >>
    >> To do this I wrote (well, partially found it on the internet ;-)) this
    >> method:
    >>
    >> public static String GetLDAPName(String userAccount)
    >> {
    >> DirectoryEntry entry = new DirectoryEntry("LDAP://xxx");
    >> String account =userAccount.Replace(@"@xxx", "");
    >> try
    >> {
    >> DirectorySearcher search = new DirectorySearcher(entry);
    >> search.Filter = "(SAMAccountName=" + account + ")";
    >> search.PropertiesToLoad.Add("displayName");
    >> SearchResult result = search.FindOne();
    >> if( result != null )
    >> {
    >> return result.Properties["displayname"][0].ToString();
    >> }
    >> else
    >> {
    >> return "Unknown User";
    >> }
    >> }
    >> catch( Exception ex )
    >> {
    >> return ex.Message;
    >> }
    >> }
    >> If I try it, it always returns "an operations error occurred". That's
    >> good info isn't it!! NOT!
    >>
    >> To find out if the method is wrong I also put it in a Windows app and
    >> tested it on another machine (no Visual Studio installed, just x-copy
    >> deployed) in the same domain as the web server. Without having to set
    >> any trusts it ran fine!
    >>
    >> What's wrong here? Is this a matter of setting permissions on the
    >> webserver? And what would that be?
    >>
    >> Mazzel,
    >>
    >> Roland
    >>

    >
    >
    >




    --
    ---
    Roland Wolters
    http://www.habbiebabbie.net
    ***** Please react via UseNet only ********
     
    Roland Wolters, Jan 11, 2005
    #3
  4. Hello Roland

    Maybe you're better off asking in the aspnet.security group. I know there
    has been a lot of discussion of the "multi-hop" issue, especially when
    retrieving information from AD.

    Not much help, but give it a try.

    Regards
    Henrik
    http://websolver.blogspot.com


    "Roland Wolters" <> wrote in message
    news:Xns95DB6A9A1AFDEwoltersictnl@207.46.248.16...
    > Dilip Krishnan <> wrote in
    > news::
    >
    > Hi,
    >
    > The user running the webservice has not been set as a user in LDAP. The
    > admin is not going to change this.
    >
    > Is there a way around this? I do have a valid authenticated
    > UsernameToken. Can I use this to read the full name for that user? Maybe
    > use impersonation via this username token? How?
    >
    >
    > Roland
    >
    >
    > > Hello Roland,
    > >
    > > Need to make sure that the account ASP.net runs under has been set up
    > > as a user in LDAP
    > > HTH
    > > Regards,
    > > Dilip Krishnan
    > > MCAD, MCSD.net
    > > dkrishnan at geniant dot com
    > > http://www.geniant.com
    > >
    > >> Hi,
    > >>
    > >> Using WSE 2.0 a user logs on to my application. The web service runs
    > >> within the domain, the user does not (not always). So I use the
    > >> web service to read from the central database and to verify the
    > >> username/password. Doing that I want to return the full name for the
    > >> user.
    > >>
    > >> To do this I wrote (well, partially found it on the internet ;-)) this
    > >> method:
    > >>
    > >> public static String GetLDAPName(String userAccount)
    > >> {
    > >> DirectoryEntry entry = new DirectoryEntry("LDAP://xxx");
    > >> String account =userAccount.Replace(@"@xxx", "");
    > >> try
    > >> {
    > >> DirectorySearcher search = new DirectorySearcher(entry);
    > >> search.Filter = "(SAMAccountName=" + account + ")";
    > >> search.PropertiesToLoad.Add("displayName");
    > >> SearchResult result = search.FindOne();
    > >> if( result != null )
    > >> {
    > >> return result.Properties["displayname"][0].ToString();
    > >> }
    > >> else
    > >> {
    > >> return "Unknown User";
    > >> }
    > >> }
    > >> catch( Exception ex )
    > >> {
    > >> return ex.Message;
    > >> }
    > >> }
    > >> If I try it, it always returns "an operations error occurred". That's
    > >> good info isn't it!! NOT!
    > >>
    > >> To find out if the method is wrong I also put it in a Windows app and
    > >> tested it on another machine (no Visual Studio installed, just x-copy
    > >> deployed) in the same domain as the web server. Without having to set
    > >> any trusts it ran fine!
    > >>
    > >> What's wrong here? Is this a matter of setting permissions on the
    > >> webserver? And what would that be?
    > >>
    > >> Mazzel,
    > >>
    > >> Roland
    > >>

    > >
    > >
    > >

    >
    >
    >
    > --
    > ---
    > Roland Wolters
    > http://www.habbiebabbie.net
    > ***** Please react via UseNet only ********
     
    HG, Jan 11, 2005
    #4
  5. Hello Roland,

    > Dilip Krishnan <> wrote in
    > news::
    >
    > Hi,
    >
    > The user running the webservice has not been set as a user in LDAP.
    > The admin is not going to change this.
    >
    > Is there a way around this? I do have a valid authenticated
    > UsernameToken. Can I use this to read the full name for that user?
    > Maybe use impersonation via this username token? How?
    >


    Yes, you could set up the username token to authenticate against the Windows domain
    (no custom username token manager). You will probably have to jump a few
    hoops to get that user to impersonate as the web service identity, however.
    This is because of the subtle difference in transport-based security and
    SOAP-based security, which we will not go into here. The easiest way to go
    about this is to use a surrogate user that is provisioned in LDAP and use that
    account to connect always. That way you don't have to provision users for
    each web server you have.

    > Roland
    >

    HTH
    Regards,
    Dilip Krishnan
    MCAD, MCSD.net
    dkrishnan at geniant dot com
    http://www.geniant.com
     
    Dilip Krishnan, Jan 11, 2005
    #5
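    The surrogate-account approach Dilip describes above, applied to the lookup from the first post, as an added example that is not code from the thread. It binds with explicit service-account credentials (so the lookup no longer depends on the identity the ASP.NET worker process happens to run under) and escapes the account name before it goes into the search filter, which the original one-line concatenation did not. The LDAP path, service account name and password are assumed to be passed in by the caller (read from protected configuration, not hard-coded); `GetDisplayName` and `EscapeFilterValue` are names chosen here, not part of any library.

```csharp
using System;
using System.DirectoryServices;
using System.Text;

// Added example, not from the thread. Assumes the caller supplies the LDAP
// path and the surrogate (service) account credentials, e.g. from protected
// configuration; nothing here is hard-coded.
public static class DirectoryLookup
{
    // Escape a value for use inside an LDAP search filter (RFC 4515) so that
    // characters like ( ) * \ in user input cannot alter the filter's meaning.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Look up displayName for a user by sAMAccountName, binding as the
    // surrogate account rather than as the web service's process identity.
    // Returns null when the user is not found; exceptions propagate so the
    // caller can log them instead of echoing the message to the client.
    public static string GetDisplayName(string ldapPath,
                                        string serviceUser,
                                        string servicePassword,
                                        string userAccount)
    {
        // Strip a UPN suffix ("user@domain") down to the bare account name
        int at = userAccount.IndexOf('@');
        string account = at >= 0 ? userAccount.Substring(0, at) : userAccount;

        using (var entry = new DirectoryEntry(ldapPath, serviceUser, servicePassword,
                   AuthenticationTypes.Secure | AuthenticationTypes.Sealing))
        using (var searcher = new DirectorySearcher(entry))
        {
            searcher.Filter = "(sAMAccountName=" + EscapeFilterValue(account) + ")";
            searcher.PropertiesToLoad.Add("displayName");
            searcher.SearchScope = SearchScope.Subtree;

            SearchResult result = searcher.FindOne();
            if (result == null || result.Properties["displayName"].Count == 0)
            {
                return null;
            }
            return result.Properties["displayName"][0].ToString();
        }
    }
}
```

    `AuthenticationTypes.Secure | AuthenticationTypes.Sealing` asks for a Kerberos/NTLM bind with an encrypted channel rather than a simple bind that would send the surrogate password in clear. Keeping the surrogate account read-only in the directory and granting it only what the lookup needs limits what a compromise of the web server can do with it.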
  6. I'm having this exact same problem. Roland, have you found a solution to it?
    Basically I can get info from when not using a trust connection (SSL). But
    when I try to enable trust connection it just doesn't work. Tracing through
    the code I can tell that it does "connect" to the ldap server but when it
    tries to bind a user/pass to it, it gives an exception.

    Another thing I noticed is that if I DON'T use it as a webservice and use it
    as a class driver, everything works fine and dandy.

    Does anyone have any solution? About the user impersonating as a webservice
    "solution" above. Can you tell me what I have to do step by step?

    Thanks

    "Dilip Krishnan" wrote:

    > Hello Roland,
    >
    > > Dilip Krishnan <> wrote in
    > > news::
    > >
    > > Hi,
    > >
    > > The user running the webservice has not been set as a user in LDAP.
    > > The admin is not going to change this.
    > >
    > > Is there a way around this? I do have a valid authenticated
    > > UsernameToken. Can I use this to read the full name for that user?
    > > Maybe use impersonation via this username token? How?
    > >

    >
    > Yes, you could set up the username token to authenticate against the Windows domain
    > (no custom username token manager). You will probably have to jump a few
    > hoops to get that user to impersonate as the web service identity, however.
    > This is because of the subtle difference in transport-based security and
    > SOAP-based security, which we will not go into here. The easiest way to go
    > about this is to use a surrogate user that is provisioned in LDAP and use that
    > account to connect always. That way you don't have to provision users for
    > each web server you have.
    >
    > > Roland
    > >

    > HTH
    > Regards,
    > Dilip Krishnan
    > MCAD, MCSD.net
    > dkrishnan at geniant dot com
    > http://www.geniant.com
    >
    >
    >
    >
     
    Shaun, May 16, 2005
    #6