This article explains how to authenticate a user over LDAPS using the
System.DirectoryServices.Protocols.LdapConnection class, performing custom certificate validation.
Recently, I ran into trouble using
System.DirectoryServices.DirectoryEntry to connect to a Novell eDirectory server because the certificate was self-signed. When run in an ASP.NET application, the machine-level certificate store was not examined. So, even though the self-signed certificate was in the trusted store,
DirectoryEntry was still refusing to establish a connection.
LdapConnection class is a better choice for this situation, as it allows the user to validate the certificate manually. Note that the
DirectoryEntry approach works fine with a trusted self-signed certificate when run in a Windows Forms application. A good example of using
DirectoryEntry to connect to eDirectory can be found here.
Using the code
The example uses a
Login control for simplicity. I recommend that in the "real world" you create a custom
MembershipProvider. The following example code was used to connect to a Novell eDirectory server over secure LDAP. However, the code should work fine with other directory providers as long as the correct server/port/root DN is used.
Also remember to omit the
con.SessionOptions.SecureSocketLayer = true line if you aren't using LDAPS. However, if you aren't using LDAPS you might as well use
Connecting and authenticating
First, we set up our
LdapConnection class. We specify the address and port of the server that we will be connecting over SSL, set up the certificate callback (more on that later) and provide the default credentials for authentication.
This example uses eDirectory's "contextless login" feature, so blank credentials are allowed. Depending on your LDAP server, you may need to specify credentials to search the directory. Also note that if no port is specified, then the default value of 389 will be used.
LdapConnection con = new LdapConnection(new LdapDirectoryIdentifier(
con.SessionOptions.SecureSocketLayer = true;
con.Credential = new NetworkCredential(String.Empty, String.Empty);
con.AuthType = AuthType.Basic;
Now we bind the initial connection. If
con.Bind() executes without throwing an exception, the server and credentials specified are valid.
The next step is to search for the user's fully qualified, distinguished name. This is a necessary step because when users provide their usernames, they don't provide the full context of their names in the directory; i.e.
jlennon is provided instead of
First, we prepare the
SearchRequest object. We specify the root DN, the search filter and the search scope. Then we send the request.
SearchRequest request = new SearchRequest(
"(&(objectClass=Person)(uid=" + Login1.UserName + "))",
SearchResponse response = (SearchResponse)con.SendRequest(request);
If we get this far without an exception being thrown, we know that the root DN and search filter specified are valid. If either is invalid, a
DirectoryOperationException will be thrown.
Now we can extract the DN from the search result. If you want to provide a "no such username" message, you can check that
response.Entries.Count > 0. An
ArgumentOutOfRangeException will be thrown on the following line if the Username provided does not exist.
SearchResultEntry entry = response.Entries;
string dn = entry.DistinguishedName;
Now that we have the full DN for the user, we can check if the given password is valid. We set a new
NetworkConnection on the
LdapConnection object and re-bind.
con.Bind() will throw
LdapException if the password provided is invalid.
con.Credential = new NetworkCredential(dn, Login1.Password);
If we get this far, we have successfully authenticated! We can now use a
SearchRequest to search for group membership, etc. However, that's out of scope for this example.
This should need no explanation. We simply load the certificate file from disk and compare it to the certificate presented by the server. Production code should handle exceptions associated with reading the certificate: File not found, access denied, etc. If you really trust the server, you could omit all of this and just
return true. ;)
public static bool ServerCallback(
LdapConnection connection, X509Certificate certificate)
X509Certificate expectedCert =
catch (Exception ex)
- June 6 2007 - Initial version