Ldap user authentication not working for locked or disabled account

Question

0.00/5 (No votes)

See more:

Hi,
I am working on a website to manage ldap. I am stuck in a situation, when I am trying to authenticate user with account locked or disabled it fails.
What I want to do is first authenticate user after that show message that account locked or disabled.

I am coding like this

C#

LdapConnection connection = new LdapConnection(new LdapDirectoryIdentifier("SJTPNOC.com", 636));
connection.SessionOptions.VerifyServerCertificate = new VerifyServerCertificateCallback((con, cer) => true);
connection.SessionOptions.ProtocolVersion = 3;        
connection.AuthType = AuthType.Basic;       
connection.SessionOptions.SecureSocketLayer = true;
connection.Timeout = new TimeSpan(0, 0, 10);   
connection.Credential = new NetworkCredential(username, password);
using (connection){
connection.Bind();
}

Posted 18-Dec-12 2:20am

mayankkarki

Add a Solution

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

**Zoltán Zörgő** · Answer 1 · 2012-12-18T02:31:00

Solution 1

This won't work. Binding to LDAP server implies a user that can establish connection to the server. A disabled or locked user by definition can't. You will need to use a service account to get into ldap and do the query.

Posted 18-Dec-12 2:31am

Zoltán Zörgő

Comments

mayankkarki 18-Dec-12 8:32am

Thanks
I have a admin account but with that I can only check username existence but not user password

Zoltán Zörgő 18-Dec-12 8:37am

Of course. You need to separate these two: with the service account you check if it is locked or disabled, with the user name and password you can validate credentials.

mayankkarki 18-Dec-12 9:21am

Its not working for change password at next logon also. So without user authentication how I can allow user to change password.

Zoltán Zörgő 18-Dec-12 9:24am

Ok, let's start from the beginning: what do you want to accomplish exactly? Not how, what?

mayankkarki 18-Dec-12 9:27am

I am working on a website that allow user to change password. There is a login page in which user enters username and password, and I perform authentication.

Zoltán Zörgő 18-Dec-12 9:39am

Than proceed this way:
- you get the user name and password on the login page
- you check with the service account if the user is locked or disabled
- if it is disabled, you probably don't want to allow to continue
- if it is locked, you can use the service account to unlock it (be aware, that you either grant special role to the service account, or you give high privileges, thus you need to be really carefull)
- than you user the username and the old and new password to find the user and change the password

But will be differences between ldap implementations. If you have ActiveDirectory, you could follow this approach: http://sanjivblog.wordpress.com/2011/02/24/how-to-change-window-account-password-using-c/

mayankkarki 18-Dec-12 9:41am

Now problem is same that I can only check username. How would I know that password is also correct.

Zoltán Zörgő 18-Dec-12 9:46am

It won't change password to the new one if the old one is not correct.

Zoltán Zörgő 18-Dec-12 13:04pm

I understand that you want this, but this is not how it is built. Actually you can try authenticating with a locked or disabled account, but not with ldap bind. If you have AD, than don't use LDAP for such things.

mayankkarki 19-Dec-12 0:25am

Can you tell me the the way I can do this.

Zoltán Zörgő 19-Dec-12 2:59am

Look around System.DirectoryServices and System.DirectoryServices.AccountManagement namespaces. And check the link I have already given, and this one: http://www.codeproject.com/Articles/18102/Howto-Almost-Everything-In-Active-Directory-via-C

mayankkarki 18-Dec-12 11:02am

Its become more critical in case of user must change password at next logon.

mayankkarki 6-Jan-13 11:16am

@jbl Hi can you help me

Zoltán Zörgő 6-Jan-13 12:11pm

Depend. But if it is an other topic, post a new question.

mayankkarki 6-Jan-13 12:16pm

Help me on this. "must change password at next log in". I cannot allow user to change password without authentication.

Zoltán Zörgő 6-Jan-13 12:23pm

Of course not. This is why it is a single-step process: you need both the old and the new password in one step. Again: http://sanjivblog.wordpress.com/2011/02/24/how-to-change-window-account-password-using-c/

mayankkarki 6-Jan-13 12:26pm

I used LdapConnection class and everything is complete. So now I cannot switch to PrincipalContext.

Zoltán Zörgő 6-Jan-13 14:48pm

Well, LDAP on it's own is not for complex authentication tasks :(