
LDAP authentication in ASP 3

Status
Not open for further replies.

TheUser5

Programmer
Dec 15, 2004
8
US
I have been struggling with this one.

I am trying to authenticate users against an LDAP server (Novell). By trial and error, I got the following code to work, but the issue is that I had to specify the whole ldapPath, i.e. I just want to search the whole LDAP tree for the given userid and authenticate.

The following code won't work if the user is in ou=external or ou=int8.

How can I make it generic so that it will search the whole tree? I tried the following, but it didn't work:

ldapServer = "LDAP://servername:389/uid=#username#,dc=mydomain,dc=com"

Thanks in advance for any help.

-----------------

sub login3(userName, password)

Dim ldapServer, dso, lobjUser

On Error Resume Next

' Construct the full ADsPath of the user object (the container is hard-coded here)

ldapServer = "LDAP://servername:389/uid=#username#,ou=int7,ou=internal,ou=people,c=us,cn=users,dc=mydomain,dc=com"

ldapServer = Replace(ldapServer, "#username#", userName)

' Connect to the LDAP namespace

Set dso = GetObject("LDAP:")

' Use the DN part of the path (everything after the host) as the bind name
userName = Mid(ldapServer, InStr(8, ldapServer, "/") + 1)
' Validate the user name and password by binding as that DN
Set lobjUser = dso.OpenDSObject(ldapServer, userName, password, 0)

If Err.Number <> 0 Then
Response.Write "<font color=red><STRONG>AUTHENTICATION FAILURE!</STRONG></font>"
Set lobjUser = Nothing
Set dso = Nothing
Else
Response.Write "<font color=green><STRONG>SUCCESS!</STRONG></font>"
End If

end sub
 
Hello TheUser5,

If you let the user enter the RDN only, you have to use the ADO Active Directory provider to search the domain (including the subtree) for the user's RDN, say, and return the ADsPath. It is not guaranteed that the return will be unique. Hence, the password has to be authenticated further.

You should google to get a fairly stable sample for this (long but very ritual in nature).

regards - tsuji
 
tsuji, please pardon my hijacking on this. Is there a way to specify user credentials when doing an LDAP query? I've got a situation where I am using ASP with an LDAP query. I need to have Authentication turned on so I can grab the user's name, but I need the LDAP query to be done with Admin rights. Thanks in advance.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
tsuji,

Thanks for the info. I have been googling for a few days and I found some samples, but I am still unable to figure this one out.

I'd appreciate some links or sample routines. Basically I will be passing in uid and the password, and the code should authenticate the user.

Thanks in advance.
 
Do you have your users in more than one OU? If you know where your users are located I have some code that will return the full distinguished name.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
markdmac,

The username will only be there in one OU. The company has created multiple OUs (ou=int7, int8, int9). Userids ending with 7, 8, 9 are in the respective OUs.

One more question.. even if the user shows up twice (because he may belong to multiple groups), would it matter? Since I just want to find him and authenticate using the supplied password. Userids are unique.

Thanks
 
Hello markdmac,

Can you make the binding with the OpenDSObject method, where you can supply "alternative" credentials? Something like this.
[tt]
Set dso = GetObject("LDAP:")
Set obj1 = dso.OpenDSObject( _
"LDAP://server1/CN=Dept1,DC=Fabrikam,DC=com", _
szUsername, _
szPassword, _
ADS_SECURE_AUTHENTICATION + ADS_SERVER_BIND)
[/tt]
which I just quoted from MSDN. Take a look at:
and
For connections via IIS, the security model can be quite involved, so I hope not to say something stupid before looking up the documentation every time. We can also take a look here:

regards - tsuji
 
Thank you Tsuji! Another star for you.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
TheUser5,

It could be made to work, that's for sure. The problem for me is understanding the use of uid at that position of the ADsPath; it seems Novell-related? If you have a userid, there is an attribute on the user object called userid. Is it the same?

The general scheme is to bind to the dso, then search with the RDN of the user (cn=xxxx) or some attribute (userid) to get the ADsPath. Then use the ADsPath to bind to the object. Still no help in resolving your problem, I know.

- tsuji
 
Here is the code I used to identify the user's full context. All of my users are in one location, so you would obviously need to loop through your OUs somehow. I used this in ASP and it works great. The only problem is you need to have User Authentication turned on for it to work.

I hope to do the binding with the information Tsuji provided so I can then modify the user object.

Tsuji, would I just add your code above my GetObject command or replace that line?

Code:
Set WSHNetwork = CreateObject("WScript.Network")

' Logon name of the current user (this is why user authentication must be on)
userstring = WSHNetwork.UserName

On Error Resume Next

Dim cont' As IADsContainer
Dim usr' As IADsUser

' Bind to the container that holds the user objects
Set cont = GetObject("LDAP://CN=Users,DC=Company,DC=local")

' Filter users.
cont.Filter = Array("user")

For Each usr In cont

	' usr.Name is the RDN, e.g. "CN=jsmith"; drop the leading "CN=" to get the logon name
	thismuch = Len(usr.Name) - 3
	shortName = Right(usr.Name, thismuch)
	If LCase(shortName) = LCase(userstring) Then
	  ' Full ADsPath of the matching user, usable for a later bind
	  ldpath = "LDAP://" & usr.distinguishedName
	End If
Next

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
markdmac,

It is something like this.
[tt]
const ADS_SECURE_AUTHENTICATION=&h0001
const ADS_SERVER_BIND=&h0200
set ons=getobject("LDAP:")
' bind to the container with the supplied credentials instead of the caller's
' (the flag combination on the last argument is corrected further down in the thread)
set ocontainer=ons.OpenDSObject( _
"LDAP://server1/cn=users,dc=Company,dc=local", _
szUsername, _
szPassword, _
ADS_SECURE_AUTHENTICATION and ADS_SERVER_BIND)
ocontainer.filter=array("user")
' list the ADsPath of every user object in the container
for each ouser in ocontainer
response.write "LDAP://" & ouser.distinguishedname
next
[/tt]
The provision of all the variables symbolically coded above should be taken care of by some other code.

Matching a "userstring" which should be acquired through request.form or query string? (It would be hard to see how wshnetwork integrates with this configuration... But you know better.)

- tsuji
 
Thanks again Tsuji!

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
Correction:

The corresponding line should be read:
[tt] ADS_SECURE_AUTHENTICATION [red]or[/red] ADS_SERVER_BIND[/tt]
or equivalent to arithmetic operation "+".

Sorry for the confusion!
- tsuji
 
Thanks for the update Tsuji. Will give that a try.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
One more strange thing I noticed. None of the person nodes have the "distinguishedName" or any other standard attributes. All I see is:

ou=int1
uid=111111111
objectclass
employeenumber
givenname
sn
postofficebox
destinationindicator
businesscategory
ou
I
labeleduri
title
postalcode
cn
uid
mail

So, even if I find the user using uid=xxxxx, how can I retrieve its full path (distinguishedName)??

Any ideas?

Thanks
 
markdmac,

Thanks for the code. I get the following error running your code:

Active Directory error '80070005'
I get "General access denied error"

on "For Each usr In cont" line.
 
Sounds like you are having the same issue I was having with the permissions. Take a look at the code that Tsuji posted. I've not had a chance to test it yet due to some escalations on other projects. Your general access denied issue seems to support that as the reason you are not seeing the distinguishedName. Each object in AD has to have that, so it is there and you just don't have access to read the attribute.

You can verify this by using ADSIEdit and viewing all of the properties of the objects while logged in as Admin.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
Thanks for the input. I'll give ADSIEdit a try.

I tried IPWorks ASP LDAP component and I am able to find and authenticate the user. The only issue is that the user gets authenticated even with blank or wrong password !!

What am I doing wrong? Here is the code:

-----------------

uid = "xxxx"
pass = "secret"

' A simple bind with an empty password is treated as an anonymous bind and
' reported as success by many LDAP servers, so refuse it before doing anything
if pass = "" then
    response.write "FAILED"
    response.end
end if

set ldap = server.createobject("ipworksASP.LDAP")
ldap.servername = "servername"
ldap.DN = "dc=domain,dc=com"          ' search base: the whole tree
found = false
ldap.search ("uid=" & uid)            ' uid is placed in the filter unescaped

' walk the results; ResultDN holds the DN of the last entry returned,
' so if more than one entry matches only the last DN is kept
while (ldap.NextResult = 1)
    found = true
wend

' Authenticate by binding as the DN that was found
if found = true then
    ldap.DN = ldap.ResultDN
    ldap.Password = pass
    ldap.Bind()

    if (ldap.NextResult = 0) then
        if ldap.ResultDescription = "[ok]" then
            response.write "AUTHENTICATED"
        else
            response.write "FAILED"
        end if
    end if

else
    response.write "User not found."
end if
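
The scheme tsuji describes (search the subtree for the uid, take the DN that comes back, then bind as that DN with the supplied password) and the blank-password problem from the IPWorks post above both come down to two checks in the application. The following is an added Python example, not code from the thread and not from IPWorks, ADSI or any other library mentioned here. It uses a small in-memory stand-in for the directory (FakeDirectory, constructed for this example) so it runs offline; the names authenticate, build_user_filter and escape_filter_value are this example's own. First, the uid is escaped per RFC 4515 before it is concatenated into the filter, so a value such as * cannot match every entry. Second, an empty password is refused before any bind is attempted: a simple bind with a DN and no password is an "unauthenticated bind" (RFC 4513, section 5.1.2), which many servers accept as anonymous and report as success, which is what a blank password getting "authenticated" looks like. The search must also return exactly one entry, since the thread notes the result is not guaranteed to be unique.

```python
"""Search-then-bind LDAP authentication with filter escaping and an
explicit empty-password check (added example, not from the thread)."""
import re
from dataclasses import dataclass

# RFC 4515 escapes for the characters that would otherwise alter a filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape user input before it is placed inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(uid: str) -> str:
    """Filter matching exactly the given uid; no wildcard survives escaping."""
    return "(uid=%s)" % escape_filter_value(uid)


class AuthError(Exception):
    """Raised when the user cannot be authenticated."""


def _filter_value_to_regex(raw: str) -> "re.Pattern":
    """Model LDAP filter matching: an unescaped '*' is a wildcard, '\\XX' a literal."""
    parts, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 3 <= len(raw):
            parts.append(re.escape(chr(int(raw[i + 1:i + 3], 16))))
            i += 3
        elif raw[i] == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(raw[i]))
            i += 1
    return re.compile("".join(parts))


@dataclass
class FakeDirectory:
    """Offline stand-in for the LDAP server (constructed for this example).
    entries maps a DN to its uid and password; a real deployment would issue
    the same search and bind over LDAP instead."""
    entries: dict

    def search(self, base_dn: str, filter_str: str) -> list:
        """Subtree search under base_dn; supports only (uid=...) filters."""
        if not (filter_str.startswith("(uid=") and filter_str.endswith(")")):
            raise ValueError("unsupported filter: %s" % filter_str)
        pattern = _filter_value_to_regex(filter_str[5:-1])
        return [dn for dn, entry in self.entries.items()
                if dn.lower().endswith(base_dn.lower())
                and pattern.fullmatch(entry["uid"]) is not None]

    def bind(self, dn: str, password: str) -> bool:
        """Simple bind. An empty password models a server treating the request
        as an anonymous (unauthenticated) bind and reporting success, which is
        why the caller must never let one through."""
        if password == "":
            return True
        entry = self.entries.get(dn)
        return entry is not None and entry["password"] == password


def authenticate(directory, base_dn: str, uid: str, password: str) -> str:
    """Find the user anywhere under base_dn, then bind as that DN with the
    supplied password. Returns the DN on success, raises AuthError otherwise."""
    if not uid:
        raise AuthError("empty uid")
    if not password:
        raise AuthError("empty password refused: it would become an anonymous bind")
    matches = directory.search(base_dn, build_user_filter(uid))
    if len(matches) != 1:
        raise AuthError("expected exactly one entry for uid, found %d" % len(matches))
    if not directory.bind(matches[0], password):
        raise AuthError("bind failed for %s" % matches[0])
    return matches[0]


# Constructed sample directory mirroring the thread's ou=int7 / ou=int8 layout.
BASE_DN = "dc=mydomain,dc=com"
SAMPLE_DIRECTORY = FakeDirectory({
    "uid=1000007,ou=int7,ou=internal,ou=people,dc=mydomain,dc=com":
        {"uid": "1000007", "password": "s3cret-7"},
    "uid=1000008,ou=int8,ou=internal,ou=people,dc=mydomain,dc=com":
        {"uid": "1000008", "password": "s3cret-8"},
})

if __name__ == "__main__":
    print(authenticate(SAMPLE_DIRECTORY, BASE_DN, "1000008", "s3cret-8"))
    for uid, pw in (("1000008", ""), ("1000008", "wrong"), ("*", "s3cret-8")):
        try:
            authenticate(SAMPLE_DIRECTORY, BASE_DN, uid, pw)
        except AuthError as exc:
            print("rejected %r: %s" % (uid, exc))
```

The search base is the root of the tree, so the user is found whichever ou=intN container holds the entry. The FakeDirectory.bind behaviour for an empty password is deliberately the permissive one; the point is that authenticate never reaches it, because the application refuses the empty password itself rather than trusting the server to.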



 
TheUser5,

I had a big problem understanding your construction of ldapServer to start with; that's why I really do not have much to advise, for fear of misleading you more!

How much confidence do you have that you got it right? Did you follow some documentation when you set up the AD to have such a path structure?

Apart from the use of uid at that position (which might relate to Novell?), a simple question is the cn=users. Is the object "cn=users,dc=mydomain,dc=com" a container at all? I would recommend you make sure you get it right before proceeding forward at full speed.

- tsuji
 