Solved

Authenticating a user using LDAP in ASP

Posted on 2003-03-20
Last Modified: 2013-12-04
I am attempting to authenticate a user in ASP using LDAP on an Intranet.
The Active Directory Server is Windows 2000, and the IIS box is Windows 2000.

In the ASP app, I check to see if they have a certain cookie. If the cookie doesn't exist, I redirect them to a login page and have them enter their credentials which then get stored in the cookie. If the cookie does exist it will contain their username and password (encrypted). Great! Now I can query LDAP with their credentials to see if they are members of a certain group.
The problem I am facing is:

In the cookie, the username is stored as the sAMAccountName. In other words, 'nbrewer'. Also, the cookie does not store their 'Distinguished Name' A.K.A. DN. An example of a DN is something like:

"CN=Neil Brewer,CN=Developer,OU=Administration,DC=lc,DC=local"

This means Neil Brewer is a member of the container 'Developer' in the Organizational Unit 'Administration' in the lc.local domain.

However, at this point I only have the sAMAccountName, and to authenticate, I need the DN of the user. MS pointed me to the following code to authenticate a user:

'%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
' ADS_SECURE_AUTHENTICATION and ADS_SERVER_BIND are defined in the
' ActiveDs type library (add the "Active DS Type Library" reference).
Dim dso As IADsOpenDSObject
Dim obj1 As IADs, obj2 As IADs
Dim szUsername As String
Dim szPassword As String

Set dso = GetObject("LDAP:")

' Insert code securely.

' Bind using full credentials.
Set obj1 = dso.OpenDSObject( _
    "LDAP://server1/CN=Dept1,DC=Fabrikam,DC=com", _
    szUsername, _
    szPassword, _
    ADS_SECURE_AUTHENTICATION + ADS_SERVER_BIND)

' Bind to another object with the default credentials.
Set obj2 = GetObject("LDAP://server1/CN=Dept2,DC=Fabrikam,DC=com")
'%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Found at: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/adsi/iadsopendsobject_opendsobject.asp

That's well and good, but it requires the DN, which I don't yet have. So they then pointed me to:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/adsi/iadsnametranslate.asp

Which has the following code:

'%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
<%@ Language=VBScript %>
<html>
<body>
<%
  Dim nto, adsServer, user, dom, passwd, dn, result
  const ADS_NAME_INITTYPE_SERVER = 2
  const ADS_NAME_TYPE_1779 = 1   ' RFC 1779 distinguished name form
  const ADS_NAME_TYPE_NT4 = 3    ' Domain\user (sAMAccountName) form
 
  adsServer = "aDsServer"  ' renamed from 'server' so it does not collide with the ASP Server object
  user   = "jeffsmith"
  dom    = "Fabrikam"
  passwd = "top secret"
  dn = "CN=jeffsmith,CN=Users,DC=Fabrikam,DC=COM"
 
  Set nto = Server.CreateObject("NameTranslate")
  nto.InitEx ADS_NAME_INITTYPE_SERVER, adsServer, user, dom, passwd
'  nto.Set ADS_NAME_TYPE_1779, dn
'  Note: ADS_NAME_TYPE_NT4 expects a Domain\user value, not a DN
  nto.Set ADS_NAME_TYPE_NT4, dn ' I was told by MS to switch this
'  result = nto.Get(ADS_NAME_TYPE_NT4)
  result = nto.Get(ADS_NAME_TYPE_1779) ' I was told by MS to switch this.
 
  Response.Write "<p>Translated name: " & Server.HTMLEncode(result)
 
%>
</body>
</html>
'%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Result SHOULD now hold the DN. But, I get an error every time I run that. Probably a permissions thing; I'll address that later. Also note, though, that example requires you to enter the DN in the code.
I don't know the DN! That code is supposed to tell me the DN!
What do I need to change there to have it return the proper DN?
Once I have the proper DN, I can query LDAP using the first snippet of code and properly authenticate the user.

So, the question boils down to:
If I have the sAMAccountName, how do I get the DN?
If I have the DN, how do I get the sAMAccountName?

(You may be wondering why MS didn't fully answer all my questions and get this working. Twas because I kept pushing him for more and more answers. By the time we got this far, I had squeezed about 5 support calls into one and he cut me off.)

Also, the tech guy gave me a great tool to browse through LDAP. Similar to ADSIEdit but better. It's called 'Active Directory Browser' and the exe name is 'AdsVw.exe'. Search for it on Google, or let me know and I can email it to you.

Thanks in advance for any help,
Neil Brewer


Question by:L00M
2 Comments
 
LVL 6

Accepted Solution

by:
DominicCronin earned 600 total points
ID: 8186513
Actually, the most useful ldap tool from MS is LDP, which ships on the Win2K CD but is only installed if you install the resource kit. It hides in the menus as Active Directory Admin tool - or some such nonsense, but it's a generic LDAP browser, in fact a very thin GUI wrapper over the LDAP API.

If you're in any doubt as to whether your problem is to do with permissions, then use this or another LDAP browser to bind with the credentials you are going to use, and navigate through the tree. If you don't have permissions, you won't see the entry.

Now to your main problem. You are not alone. Everyone has to look up the user's DN first. All you need is a subtree search based at the root of the tree where all your users are. Let's say "dc=local" in this case, although maybe you can choose a smaller tree.

You should use the ADSI OLEDB provider. This means that you can create an ADO Command object that will accept a search string and return a recordset. Once you have it, you'll find the DN in the 'adspath' field, although you'll have to write a little function to strip off some additional junk that MS adds.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/adsi/using_an_activex_data_object_to_bind_to_adsi_providers.asp

shows briefly how to set up a connection object that provides this functionality. Then you just need to create a command object and set this connection as its active connection. After that you set the CommandText to your search query and execute.

For the search queries, you can choose between an SQL-like dialect or an LDAP-like one. Personally I prefer the ldap style.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/adsi/using_an_activex_data_object_to_bind_to_adsi_providers.asp

gives the details.

If you take their example, you could adapt it to search for a samAccountName, so instead of:
"<LDAP://DC=Fabrikam,DC=com>;(objectClass=*);AdsPath, cn;subTree"

you'd end up with something more like:

[Searching for Mickey Mouse]

"<LDAP://dc=local>;(samAccountName=MMouse);AdsPath;subTree"

The query can also include the server if you need that too.

Good luck - I know how frustrating this stuff can be, and the MS documentation really suffers from not having a good "how-to" on this subject.
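The lookup-then-bind flow the accepted answer describes, as an added VBScript example that is not part of the original thread or of Microsoft's documentation: an ADO search over the ADsDSOObject provider finds the DN from the sAMAccountName, the "junk" around the DN in the AdsPath field is stripped, and the DN is then used for an OpenDSObject bind with the user's password. The searchBase and ldapServer parameters, the helper names, and the RFC 4515 filter escaping (so an account name taken from a cookie cannot change the shape of the search filter) are assumptions of this example.

```vbscript
Const ADS_SECURE_AUTHENTICATION = 1  ' ActiveDs flags; VBScript has no named constants
Const ADS_SERVER_BIND = 512
' RFC 4515 escaping so a user-supplied value cannot alter the filter structure
Function EscapeLdapFilter(value)
    Dim s
    s = Replace(value, "\", "\5c")
    s = Replace(s, "*", "\2a")
    s = Replace(s, "(", "\28")
    s = Replace(s, ")", "\29")
    EscapeLdapFilter = Replace(s, Chr(0), "\00")
End Function

' Strip "LDAP://" and an optional "server/" segment, leaving the bare DN
Function DnFromAdsPath(adsPath)
    Dim rest, slash
    rest = Mid(adsPath, Len("LDAP://") + 1)
    slash = InStr(rest & "/", "/")          ' a server segment contains no "="
    If InStr(Left(rest, slash - 1), "=") = 0 Then rest = Mid(rest, slash + 1)
    DnFromAdsPath = rest
End Function

' Subtree search under searchBase (e.g. "dc=lc,dc=local") with the worker
' process's own credentials; returns "" when no account matches
Function DnFromSamAccountName(searchBase, sam)
    Dim conn, cmd, rs
    Set conn = CreateObject("ADODB.Connection")
    conn.Provider = "ADsDSOObject"
    conn.Open "Active Directory Provider"
    Set cmd = CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "<LDAP://" & searchBase & ">;(sAMAccountName=" & _
                      EscapeLdapFilter(sam) & ");AdsPath;subTree"
    Set rs = cmd.Execute
    DnFromSamAccountName = ""
    If Not rs.EOF Then DnFromSamAccountName = DnFromAdsPath(rs.Fields("AdsPath").Value)
    conn.Close
End Function

' Bind as the user to prove the password; a rejected bind raises an error
Function AuthenticateUser(ldapServer, dn, password)
    Dim dso, obj
    AuthenticateUser = False
    If dn = "" Or password = "" Then Exit Function  ' an empty password proves nothing
    On Error Resume Next
    Set dso = GetObject("LDAP:")
    Set obj = dso.OpenDSObject("LDAP://" & ldapServer & "/" & dn, dn, password, _
                               ADS_SECURE_AUTHENTICATION + ADS_SERVER_BIND)
    AuthenticateUser = (Err.Number = 0)
    On Error GoTo 0
End Function
```

In the ASP page this sits inside the `<% %>` block; a login handler would call `DnFromSamAccountName("dc=lc,dc=local", cookieUser)` and pass the result to `AuthenticateUser` together with the submitted password.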
 
LVL 11

Author Comment

by:L00M
ID: 8195436
Thank you for the help. You're correct, the documentation could certainly be better. That being said, thank you very much for pointing me in the right direction. I still have a ways to go, but this helps me immensely.

Have a great day,
Neil Brewer