LDAP and SASL

 
 
Amar (Guest)
12-28-2005
I am a newbie with enterprise directories. I am trying to write an ASP.NET
application to fetch some data from my university LDAP enterprise directory.
There are 2 types of access allowed to the LDAP server. One is an anonymous
access and another is the access that exists mainly to give privileged
accounts access to person information that can otherwise not be publicly
viewed. These privileged accounts, called Y Services, are primarily used to
look up person data and authorize people on this data.

Now, I was able to use the anonymous access privileges and view the data
from the LDAP server. What I want to do is to use the Y Services and view the
person information that cannot be accessed via the anonymous access. For
example, I want to view the date of birth for the person, which is available in
the Y Services access.

The university instructions say the following:

What you see in Y Services is dependent on how you bind (anonymous, simple,
SASL EXTERNAL) and the amount of privileges the bound user has. Connecting to
Y Services requires the use of TLS client certificate authentication, meaning
you must have a signed certificate from the university in order to connect.
Users bound anonymously can only search on ID and can only see the DN
(distinguished name) of any user. Users that have performed a SASL EXTERNAL
bind can only see those attributes they have been approved to see (for all
users), and only if the corresponding service is ACTIVE.

Now, I know that the TLS client certificate has been installed on my server
by my sys admin. Please tell me the steps to do the bind and fetch the date
of birth for all people in department X.

Here is the anonymous bind code.

' Needs "Imports System.DirectoryServices" at the top of the code-behind file.
Dim deLdapConn As DirectoryEntry = New DirectoryEntry("LDAP://directory.a.edu/dc=a,dc=edu")
Dim searcherLdap As New DirectorySearcher(deLdapConn)
Dim Results As SearchResultCollection = Nothing
Dim propcoll As ResultPropertyCollection
Dim Result As SearchResult
Dim strKey As String
Dim obProp As Object
Dim iNumProperties As Integer = 0
Dim arrFName() As String, arrLName() As String, arrPhone() As String
Dim arrEmail() As String, arrDob() As String

Try
    searcherLdap.Filter = "(department=X)"
    searcherLdap.PropertiesToLoad.Add("sn")
    searcherLdap.PropertiesToLoad.Add("givenname")
    ' No trailing space here: "telephonenumber " never matches the key test below.
    searcherLdap.PropertiesToLoad.Add("telephonenumber")
    searcherLdap.PropertiesToLoad.Add("uupid")

    Results = searcherLdap.FindAll()
    iNumProperties = Results.Count

    ReDim arrFName(iNumProperties - 1)
    ReDim arrLName(iNumProperties - 1)
    ReDim arrPhone(iNumProperties - 1)
    ReDim arrEmail(iNumProperties - 1)
    ReDim arrDob(iNumProperties - 1)

    iNumProperties = 0 ' Reused as the array index from here on

    For Each Result In Results ' Result holds one record, Results holds all records
        propcoll = Result.Properties ' All the properties (field names) for that record
        For Each strKey In propcoll.PropertyNames ' Loop through each field name of the record
            For Each obProp In propcoll(strKey) ' Multi-valued attributes: the last value wins
                If strKey = "givenname" Then
                    arrFName(iNumProperties) = CStr(obProp)
                End If
                If strKey = "sn" Then
                    arrLName(iNumProperties) = CStr(obProp)
                End If
                If strKey = "telephonenumber" Then
                    arrPhone(iNumProperties) = CStr(obProp)
                End If
                If strKey = "uupid" Then
                    arrEmail(iNumProperties) = CStr(obProp)
                End If
            Next
        Next
        iNumProperties = iNumProperties + 1
    Next
Catch Ex As Exception
    ' Fine while debugging; do not send exception details to the browser in production.
    Response.Write(Ex.ToString())
Finally
    ' Release the search handle and the connection even when the search throws.
    If Not Results Is Nothing Then Results.Dispose()
    searcherLdap.Dispose()
    deLdapConn.Close()
End Try



Please help me!! THANKS IN ADVANCE!!


 
Joe Kaplan (MVP - ADSI)
12-29-2005
Did you try specifying the AuthenticationTypes.SecureSocketsLayer flag?
ADSI and the LDAP API will happily try to supply a client cert during the
LDAP SSL handshake if one is available and configured correctly.

Joe K.
Amar (Guest)
12-29-2005
Thanks Joe. I did try specifying the authentication types. But when I read
your reply, I do have reason to believe that there is some problem with the
client cert. Can you please tell us the steps to make our website use the
client certificate? Let me give you a brief status.
My system administrator requested 2 certificates from the university central
computing resources. One was an SSL server certificate and another was a
client certificate which was provided by the group that handles the
enterprise directory on campus.
My sys admin installed both those certificates on the webserver. When we run
the Certificates.msc console, we can see both the certificates listed under
the folder listing Certificates-Personal-Certificates; both are present there.
Now how do I make my website make use of these certificates? Do I have to
make some special changes to my website on IIS? I use IIS 6.0 on Windows 2003
Server and use my laptop with VS.NET 2003 to work remotely on the server.
Thank you so much Joe. Really appreciate your help.

Joe Kaplan (MVP - ADSI)
12-30-2005
Getting client certificates to work under ASP.NET is a bit of a PITA because
the private key for the cert is usually stored in the user's profile and
that won't be loaded in the context of ASP.NET. The private key needs to be
installed in the machine store instead.

What I would suggest doing would be to export the certificate and private
key from your personal store and make sure it is installed in the machine
store.

Then, the next thing to do is to make sure that the account that is being
used to execute the request has permissions on the private key. This is the
much trickier part, as there are many different options for what that account
might be depending on how you have configured the web app. You can find out
the identity of the current thread with
System.Security.Principal.WindowsIdentity.GetCurrent().Name.

I think it would be best to try to make sure you can get the LDAP client
certificate thing working in a console app first before trying to move it
into an ASP.NET context though. There is no telling whether that part alone
will work correctly. Hopefully there won't be an issue, but you want to try
to isolate that from the web app while that is still an unknown.

Joe K.
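The console-app check Joe recommends, written out as an added example (not code from the thread): it prints the running identity, loads the client cert from the LocalMachine store and proves the private key is readable, then does the SASL EXTERNAL bind over LDAPS and reads the restricted attribute. It assumes .NET 2.0 (System.DirectoryServices.Protocols and X509Store are not in .NET 1.1); the cert subject and the date-of-birth attribute name are placeholders the thread does not give.

```vbnet
' Added example, not from the thread. Assumes .NET 2.0.
Imports System
Imports System.DirectoryServices.Protocols
Imports System.Security.Cryptography
Imports System.Security.Cryptography.X509Certificates
Imports System.Security.Principal

Module LdapExternalBindCheck
    ' Placeholders: replace with the real client cert subject and the
    ' directory's actual date-of-birth attribute name.
    Const CERT_SUBJECT As String = "yservices-client.a.edu"
    Const DOB_ATTR As String = "dateOfBirth"

    ' Step 1: which account is running? This is the account that needs
    ' read access to the private key (Joe's point about key permissions).
    Function RunningAs() As String
        Return WindowsIdentity.GetCurrent().Name
    End Function

    ' Step 2: load the client cert from the machine store, not the user
    ' profile store, and prove the private key is present and readable.
    Function LoadClientCert() As X509Certificate2
        Dim store As New X509Store(StoreName.My, StoreLocation.LocalMachine)
        store.Open(OpenFlags.ReadOnly)
        Try
            Dim found As X509Certificate2Collection = store.Certificates.Find( _
                X509FindType.FindBySubjectName, CERT_SUBJECT, True)
            If found.Count = 0 Then Throw New Exception("client cert not in LocalMachine\My")
            Dim cert As X509Certificate2 = found(0)
            If Not cert.HasPrivateKey Then Throw New Exception("cert has no private key")
            ' Touching PrivateKey throws CryptographicException when the
            ' current account lacks permission on the key file.
            Dim key As AsymmetricAlgorithm = cert.PrivateKey
            Return cert
        Finally
            store.Close()
        End Try
    End Function

    ' Step 3: SASL EXTERNAL bind over LDAPS (port 636) presenting the client
    ' cert, then read the attribute the anonymous bind could not see.
    Sub Main()
        Console.WriteLine("Running as: " & RunningAs())
        Dim cert As X509Certificate2 = LoadClientCert()
        Using conn As New LdapConnection(New LdapDirectoryIdentifier("directory.a.edu", 636))
            conn.SessionOptions.SecureSocketLayer = True
            conn.SessionOptions.ProtocolVersion = 3
            conn.ClientCertificates.Add(cert)
            conn.AuthType = AuthType.External ' identity comes from the TLS client cert
            conn.Bind()

            Dim req As New SearchRequest("dc=a,dc=edu", "(department=X)", _
                SearchScope.Subtree, "uupid", DOB_ATTR)
            Dim resp As SearchResponse = DirectCast(conn.SendRequest(req), SearchResponse)
            For Each entry As SearchResultEntry In resp.Entries
                ' Missing attribute means not approved for this cert, or service not ACTIVE.
                Dim dob As String = "(not returned)"
                If entry.Attributes.Contains(DOB_ATTR) Then
                    dob = CStr(entry.Attributes(DOB_ATTR)(0))
                End If
                Console.WriteLine(entry.DistinguishedName & " -> " & dob)
            Next
        End Using
    End Sub
End Module
```

Run it first as yourself, then as the ASP.NET worker identity reported by RunningAs(); if LoadClientCert() fails only under the second account, the problem is private-key permissions, not the LDAP side.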
