Using C# to Authenticate User Against Ldap

The username and password in this line:

var entry = new DirectoryEntry("LDAP://myserver/OU=People,O=mycompany", username, password);

should be for an account that has permission for directory lookup. It could be a service account, or for testing purposes try with your own. This shouldn't be the user/pass of the person whom you are trying to authenticate.

If you want to authenticate, you can use the following steps using PrincipalContext:

// The service account is only used to open the context; a verbatim string (@"...")
// is needed because "\s" is not a valid C# escape sequence.
using (var context = new PrincipalContext(ContextType.Domain, "mydomain", @"mydomain\serviceAcct", "serviceAcctPass"))
{
    // Username and password of the user being authenticated.
    return context.ValidateCredentials(username, password);
}

"serviceAcct" = an account within domain users that has permission for directory lookup.
"serviceAcctPass" = password for that service account.
As I said, for testing you can try with your own user/pass context.

Also, make sure the supplied username has either "domain\username" or "username@domain" formatting.

How to authenticate users in C# LDAP

Comment: According to the admin, I have been assigned to the group in AD. But how can I make sure I can access it?

It seems like Active Directory. If so, you could just use PrincipalContext.

public bool ValidateCredentials(string domain, string username, string password)
{
    using (var context = new PrincipalContext(ContextType.Domain, domain))
    {
        // Binds to the domain with the supplied credentials; true means the password is correct.
        return context.ValidateCredentials(username, password);
    }
}

public bool IsUserInAdGroup(string domain, string username, string adGroupName)
{
    bool result = false;
    using (var context = new PrincipalContext(ContextType.Domain, domain))
    // Principals hold directory handles, so dispose them as well.
    using (var user = UserPrincipal.FindByIdentity(context, username))
    {
        if (user != null)
        {
            using (var group = GroupPrincipal.FindByIdentity(context, adGroupName))
            {
                // IsMemberOf checks direct membership only, not nested groups.
                if (group != null && user.IsMemberOf(group))
                    result = true;
            }
        }
    }
    return result;
}

Please make sure to reference System.DirectoryServices.AccountManagement.

How to Authenticate LDAP in .NET

All this can be done with System.DirectoryServices.Protocols. If you create an LdapConnection to the directory you can use the service account to bind with, and then make a subsequent bind to authenticate the credentials.

The service account is generally used to limit access to the authentication mechanism of the server. This way no random person on the street can try to auth with your LDAP server.

Also, do you expect that each user will provide their distinguished name when logging in? With Active Directory, only the sAMAccountName is required, yet other providers like eDirectory and SunONE require the distinguished name for authentication.

To perform this type of authentication, you would need to use the service account that is provided to authenticate to the server, perform a search for a user with the given username, and grab that user's distinguished name. You can then authenticate using that distinguished name and the password that was provided.

This will work for all LDAP systems, with the exception of Active Directory which will be happy with just the sAMAccountName.
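The bind, search, bind sequence described in this answer, written out with System.DirectoryServices.Protocols as an added example (this is not code from the answer). It assumes a hypothetical LDAPS server ldap.example.com, a search base such as OU=People,O=mycompany, a service account DN, and a login attribute (uid on most directories, sAMAccountName on Active Directory). Two things the prose does not spell out are handled: the login name is escaped before it goes into the search filter, and an empty password is rejected up front, because a simple bind with an empty password is an anonymous bind that many servers accept.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Text;

// Added example, not part of the original answer. Host, base DN, service account
// and attribute name below are placeholders for your own directory.
public static class LdapAuthenticator
{
    // RFC 4515 escaping, so a login such as "*)(uid=*" cannot change the filter.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    public static bool Authenticate(string host, string baseDn,
                                    string serviceDn, string servicePassword,
                                    string loginAttribute, string username, string password)
    {
        // An empty password turns a simple bind into an anonymous bind, which
        // many servers accept. Never let that count as a successful login.
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
            return false;

        // Simple bind sends the password in the clear, so use LDAPS (636).
        using (var conn = new LdapConnection(new LdapDirectoryIdentifier(host, 636)))
        {
            conn.SessionOptions.SecureSocketLayer = true;
            conn.SessionOptions.ProtocolVersion = 3;
            conn.AuthType = AuthType.Basic;

            // 1. Bind as the service account that is allowed to search.
            conn.Bind(new NetworkCredential(serviceDn, servicePassword));

            // 2. Find the user's distinguished name from the login name.
            string filter = string.Format("({0}={1})", loginAttribute, EscapeFilterValue(username));
            var request = new SearchRequest(baseDn, filter, SearchScope.Subtree, "distinguishedName");
            var response = (SearchResponse)conn.SendRequest(request);
            if (response.Entries.Count != 1)
                return false; // unknown or ambiguous user
            string userDn = response.Entries[0].DistinguishedName;

            // 3. Rebind as the user; a successful bind proves the password.
            try
            {
                conn.Bind(new NetworkCredential(userDn, password));
                return true;
            }
            catch (LdapException)
            {
                return false; // invalid credentials (LDAP result code 49)
            }
        }
    }

    // Usage (placeholder values):
    // bool ok = LdapAuthenticator.Authenticate("ldap.example.com", "OU=People,O=mycompany",
    //     "cn=svc-auth,OU=Service,O=mycompany", servicePassword, "uid", login, password);
}
```

A failure of the service-account bind is left to propagate, since it indicates a configuration problem rather than a bad user login; only the user's own bind failure is turned into a false return.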

Authenticate user from specific groups on LDAP server using C#

As confirmed by you in the comment section of this question, the LDAP server you're talking about is an Active Directory server. So, my answer is based on this famous answer about how to validate a username and password against Active Directory, except that I've made a modification based on your requirement to limit the scope of search.

If you work on .NET 3.5 or newer, you can use the System.DirectoryServices.AccountManagement namespace's PrincipalContext Constructor (ContextType, String, String) and easily verify your credentials:

// create a "principal context"
// change the container to a base OU where all your users are located.
using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, "YOUR.DOMAIN",
    "OU=Where,OU=You,OU=Wanna,OU=Search,DC=YOUR,DC=DOMAIN"))
{
    // validate the credentials
    bool isValid = pc.ValidateCredentials("myuser", "mypassword");
}
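Putting the PrincipalContext pieces from the answers above together, as an added example that is not code from any of the answers. The domain name, container OU and group name are placeholders. ValidateCredentials only checks the password; the lookup that follows is what the container actually scopes, so a user outside the OU is found by nobody and is refused, and the group check uses GetAuthorizationGroups so nested membership counts. The null/empty guard matters because ValidateCredentials(null, null) validates the credentials of the process identity and returns true.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

// Added example, not part of the original answers. "YOUR.DOMAIN", the OU path
// and "App-Users" are placeholders.
public sealed class AdLoginService
{
    private readonly string _domain;        // e.g. "YOUR.DOMAIN"
    private readonly string _container;     // e.g. "OU=Where,OU=You,OU=Wanna,OU=Search,DC=YOUR,DC=DOMAIN"
    private readonly string _requiredGroup; // e.g. "App-Users"

    public AdLoginService(string domain, string container, string requiredGroup)
    {
        _domain = domain;
        _container = container;
        _requiredGroup = requiredGroup;
    }

    // Accepts the login formats mentioned above: "user", "DOMAIN\user" or "user@domain".
    private static UserPrincipal FindUser(PrincipalContext ctx, string login)
    {
        int slash = login.IndexOf('\\');
        if (slash >= 0)
            return UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, login.Substring(slash + 1));
        if (login.Contains("@"))
            return UserPrincipal.FindByIdentity(ctx, IdentityType.UserPrincipalName, login);
        return UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, login);
    }

    // Nested membership: GetAuthorizationGroups expands the token groups, unlike IsMemberOf.
    private bool IsInRequiredGroup(UserPrincipal user)
    {
        using (PrincipalSearchResult<Principal> groups = user.GetAuthorizationGroups())
        {
            foreach (Principal g in groups)
            {
                if (string.Equals(g.SamAccountName, _requiredGroup, StringComparison.OrdinalIgnoreCase))
                    return true;
            }
        }
        return false;
    }

    public bool Login(string login, string password)
    {
        // ValidateCredentials(null, null) validates the process identity and returns
        // true, and an empty password can succeed as an anonymous bind: refuse both.
        if (string.IsNullOrWhiteSpace(login) || string.IsNullOrEmpty(password))
            return false;

        using (var ctx = new PrincipalContext(ContextType.Domain, _domain, _container))
        {
            // Authentication. Negotiate with signing and sealing keeps the password
            // out of clear-text simple binds.
            if (!ctx.ValidateCredentials(login, password,
                    ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing))
                return false;

            // Authorization. The lookup is scoped to _container, so a valid domain
            // account outside that OU is not found and is refused.
            using (UserPrincipal user = FindUser(ctx, login))
            {
                if (user == null)
                    return false;
                return IsInRequiredGroup(user);
            }
        }
    }

    // Usage (placeholder values):
    // var svc = new AdLoginService("YOUR.DOMAIN",
    //     "OU=Where,OU=You,OU=Wanna,OU=Search,DC=YOUR,DC=DOMAIN", "App-Users");
    // bool allowed = svc.Login(@"YOUR\myuser", "mypassword");
}
```

The group is matched by sAMAccountName from the user's token groups rather than looked up with GroupPrincipal.FindByIdentity, because a context created with a container would not find a group that lives in a different OU.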

Login authentication via LDAP

Check these two links; LDAP is using Active Directory to authenticate users.

http://msdn.microsoft.com/en-us/library/ff649227.aspx

http://www.codeproject.com/Articles/18742/Simple-Active-Directory-Authentication-Using-LDAP

LDAP and ActiveDirectory authentication in C#

Environment.UserDomainName returns the domain part of Environment.UserName, e.g. "mydomain.com", so you don't want that.

Environment.UserName itself will return the user who is currently "logged in to Windows", i.e. the app pool user - see MSDN.

You are better off checking the identity of the current web request, so in a MVC Controller or WebForms Page, use this.User.

Or if you are using Windows Authentication or hooking Forms Authentication into AD, the current Thread Principal should be the current request user, so you can use Thread.CurrentPrincipal.Identity.
