Authentication against Active Directory and Edirectory via LDAP

Introduction
Background
Functionality Supported
Requirements
Optional Tool
Using the Code
The Code
Points of Interest
HOW-TO use this Demo
Conclusion

Figure 1.0 - This is the main window where users login.

Introduction

This article covers HOW-TO authenticate against Microsoft Active Directory and Novell Edirectory via LDAP.

It is not easy to find an article that talks about how to authenticate users against both MS Active Directory and Novell Edirectory via LDAP. In short, LDAP stands for Lightweight Directory Access Protocol. It is a subset of Directory Access Protocol or DAP. University of Michigan developed it because DAP took up a lot of resources. Anyways, this article goes through all of the necessary steps to start authenticating users against both directory services.

Go to Contents

Functionality Supported

Authentication against MS Active Directory
Authentication against Novell E-Directory

Go to Contents

Requirements

A Server running Active Directory
A Server running Edirectory
Familiarity with LDAP and how entities are addressed

Go to Contents

Optional Tool

Adsvw.exe by Microsoft - This utility allows user to browse LDAP directory. It comes as part of ADSI SDK or as part of support tools in advanced server. It is very helpful when users are trying to find how entities should be referenced. Here is a little tip. If the user was to use it to browse active directory, then make sure Secure Connection is checked. When it comes to Edirectory the check should be on Use Encryp option.

Go to Contents

Using the code

First, add a reference to System.DirectoryServices by going to Project -> Add Reference. When this is done the dialog box as shown by figure 2.0 should display. Under .NET tab click on System.DirectoryServices.dll and click Select. Then click on OK to get back to the project.

Figure 2.0 - This is the dialog where user selects the reference.

In this solution, there is a class namely Authenticate. It is contained inside the file called Authenticate.cs. You should add it to your project or copy and paste the class from The Code section. Create a new instance of Authenticate and assign it to aAuthent. Several values needed to be initialized before doing the actual login.

Authenticate aAuthent = new Authenticate();

I'll be referring to various widgets from this point. There are 3 text edit and 2 radio button widgets you need to worry about. Please map the direction appropriately in your workspace. Set the Domain name to the value held by txtDomain widget by invoking SetDomain. This is where user entered IP address (i.e. 10.x.x.x) or host name (i.e. mydomain.com) of the target server. Note, that all but one Set/Modifier methods in this class returns boolean. It just indicates whether it modified the variable successfully or not. This may be against the convention, but, checking the argument inside the function was much more favorable to me instead of duplicating the effort elsewhere.

if (!(aAuthent.SetDomain(this.txtDomain.Text)))
{
    // error message here
}

Then, invoke SetUser function to take in the value of text widget txtUser. This is where user name is supplied.

if (!(aAuthent.SetUser(this.txtUser.Text)))
{
    // error message here
}

After that, call SetPass function to pass the value of txtPassword. This is where user password is supplied.

if (!(aAuthent.SetPass(this.txtPassword.Text)))
{
    // error message here
}

Next, check which directory this user desires to authenticate against. In this solution, there are two radio buttons namely rbtnED and rbtnAD. If the former is checked then invoke SetAuthenticationType with the argument set to true. This will tell the Authenticate class to use Secure Socket Layer or SSL. Edirectory uses ssl protocol to perform authentication task. In the latter case, the boolean value false would instruct the class to use Secure. Active Directory utilizes the secure method. The internal of those communication protocols or methods are outside the scope of this article. Therefore, I will skip them.

if (this.rbtnED.Checked)
  aAuthent.SetAuthenticationType(true);r>
else if (this.rbtnAD.Checked)
  aAuthent.SetAuthenticationType(false);

Finally, the Login function inside this class should be invoked. It handles everything from this point. On success, it will welcome the user; other wise display failure message.

aAuthent.Login();

Go to Contents

The Code

 
  /// <summary>
  /// This class performs user authentication against Active Directory and
  /// Novell Edirectory.
  /// </summary>
  public class Authenticate
  {
    /// <summary>
    /// string specifying user name
    /// </summary>
    private string strUser;
      
    /// <summary>
    /// string specifying user password
    /// </summary>
    private string strPass;
      
    /// <summary>
    /// string specifying user domain
    /// </summary>
    private string strDomain;      
    
    /// <summary>
    /// AuthenticationTypes specifying the security 
    /// protocol to use, i.e. Secure, SSL
    /// </summary>
    private AuthenticationTypes atAuthentType;
      
    /// <summary>
    /// default constructor
    /// </summary>
    public Authenticate()
    {
    }
        
    /// <summary>
    /// function that sets the domain name
    /// </summary>
    /// <param name="strValue"></param>
    /// <returns>It returns true, if user passed 
    ///            something; otherwise, false </returns>
    public bool SetDomain(string strValue)
    {
      if (strValue.Length <= 0)
        return false;
        
      this.strDomain = "LDAP://" + strValue;
      return true;
    }
     
    /// <summary>
    /// function that sets user name
    /// </summary>
    /// <param name="strValue"></param>
    /// <returns>It returns true, if user passed 
    ///          something; otherwise, false </returns>
    public bool SetUser(string strValue)
    {
      if (strValue.Length <= 0)
        return false;
        
      this.strUser = strValue;
      return true;
    }
    
    /// <summary>
    /// function that sets user password
    /// </summary>
    /// <param name="strValue"></param>
    /// <returns>It returns true, if user passed 
    ///          something; otherwise, false </returns>
    public bool SetPass(string strValue)
    {
      if (strValue.Length <= 0)
        return false;
        
      this.strPass = strValue;
      return true;
    }
    
    /// <summary>
    /// function that sets user authentication type
    /// </summary>
    /// <param name="bValue"></param>
    public void SetAuthenticationType(bool bValue)
    {
      // set ssl to true if true is found
      if (bValue)
        atAuthentType = AuthenticationTypes.SecureSocketsLayer;
      // otherwise set it to secure  
      else
        atAuthentType = AuthenticationTypes.Secure;
    }
    
    /// <summary>
    /// function that performs login task
    /// and welcomes user if they are verified
    /// </summary>
    public void Login()
    {      
      // now create the directory entry to establish connection
      using(DirectoryEntry deDirEntry = new DirectoryEntry(this.strDomain, 
                                                           this.strUser, 
                                                           this.strPass,
                                                           this.atAuthentType)) 

      {
        // if user is verified then it will welcome them 
        try
        {                 
          MessageBox.Show("Welcome to '" + deDirEntry.Name + "'");
          
          // TODO: add your specific tasks here
        }
        catch (Exception exp)
        {
          MessageBox.Show("Sorry, unable to verify your information");
        }
      }
    
    }
  }

Go to Contents

Points of Interest

One thing that was problematic was the way addressing worked. In Active Directory, users are allowed to pass in their name without utilizing the distinguished name format. If they were to try the same trick against Edirectory then it would fail right away.

Go to Contents

HOW-TO use this Demo

Authenticating against Edirectory

First, enter the user name. This is something the user needs to find out before proceeding with the next step. Use the ADSVW utility that was recommended to find out how the current user should be addressed. In this example, cn=userA,ou=rajibOU,o=rajibContext means there is an individual named userA belonging to organization unit rajibOU attempting to log in to the resources under rajibContext.

Figure 3.0 - User enters the distinguished name.

Second, enter the password for this particular user.

Figure 3.1 - User enters the password.

Third, enter the domain name or IP address that is applicable.

Figure 3.2 - User enters the IP address of the target server.

Fourth, choose either Active Directory or Edirectory.

Figure 3.2 - User selects the directory service.

Finally, click Login and it should produce the output as shown in figure 3.4.

Figure 3.4 - Show the outcome of user login attempt.

Authenticating against Active Directory

First, enter the user name.

Figure 3.5 - User enters the distinguished name.

Second, enter the password for this particular user.

Figure 3.6 - User enters the password.

Third, enter the domain name or IP address that is applicable.

Figure 3.7 - User enters the IP address of the target server.

Fourth, choose Active Directory.

Figure 3.8 - User selects the directory service.

Finally, click Login and it should produce the output as shown in figure 3.9.

Figure 3.9 - Shows the outcome of user login attempt.

Go to Contents

Conclusion

Well, this is my second article. I hope you found it useful and intuitive enough.

Go to Contents

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here