We're building an ASP.Net 3.5 application for a client that requires LDAP authentication of the user. I have a half-page of LDAP documentation from the client (it's a school), and a web full of examples on how to authenticate to LDAP. I've built something resembling this: http://support.microsoft.com/kb/316748, which runs in our network.
I cannot get any examples to run in the client's network. I think the problem is in correctly building the Bind DN. Depending on how I code the authentication method, I either get "Inappropriate Authentication" or "Invalid Bind DN" back from LDAP.
Here is the advice from the client's IT documentation:
"Use 128 bit or better transport layer authentication when authenticating"
"Connect to ldap.clientdomain.edu"
"The bind DN is: 'uid=myID,ou=people,dc=cli
My main confusion is in building the "_path" string, as called for in Microsoft's code. I've seen many different styles on the web:
- with or without LDAP:// in front, or LDAPS://
- a basic url, like ldap.mydomain.com
- a basic url plus a DN-style string, like ldap.mydomain.com/dc=mydom
I also don't understand how the authentication works. I've seen examples in many places that call for modifying the anonymous web user to be a user with AD query rights, and using Identity Impersonate to adopt that identity for the application. Does that mean that I first have to authenticate to LDAP as a system user, then re-authenticate with my web user's credentials? Two round trips?? Or can I combine them into one? Or just use the web user's credentials, and skip the anonymous user?
All we want to do is verify that the user has domain credentials before using our app. We don't want to pull any information back from LDAP other than a "yes" or "no".
Am I the only one who finds this confusing? :-(
Thanks in advance for any help!
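An added example, not the asker's code or the Microsoft KB sample, of the single-bind approach the question asks about: the web user's own DN and password go to the server in one simple bind over LDAPS, with no service account, no impersonation and no second round trip. Assumptions: the host ldap.clientdomain.edu from the client's notes, port 636 for LDAPS, and "ou=people,dc=example,dc=edu" as a placeholder for the truncated base DN.

```csharp
// Added example using System.DirectoryServices.Protocols (available since .NET 2.0).
// The user is "authenticated" exactly when the directory accepts a simple bind as them.
using System;
using System.Net;
using System.DirectoryServices.Protocols;

public static class LdapAuthenticator
{
    private const string Host = "ldap.clientdomain.edu";   // from the client's notes
    private const int LdapsPort = 636;                      // assumed LDAPS port
    // Placeholder: replace with the rest of the DN from the client's documentation.
    private const string PeopleBase = "ou=people,dc=example,dc=edu";

    // Returns true only if the server accepts a simple bind with this DN and password.
    public static bool Authenticate(string userId, string password)
    {
        // An empty password turns a simple bind into an anonymous bind, which many
        // servers accept; that must never count as "yes".
        if (string.IsNullOrEmpty(userId) || string.IsNullOrEmpty(password))
            return false;
        // Reject DN special characters instead of trying to escape them (RFC 4514).
        if (userId.IndexOfAny(new[] { ',', '=', '+', '<', '>', '#', ';', '\\', '"' }) >= 0)
            return false;

        string bindDn = string.Format("uid={0},{1}", userId, PeopleBase);
        var target = new LdapDirectoryIdentifier(Host, LdapsPort, true, false);
        using (var conn = new LdapConnection(target))
        {
            conn.SessionOptions.SecureSocketLayer = true;  // LDAPS: meets the transport requirement
            conn.SessionOptions.ProtocolVersion = 3;
            conn.AuthType = AuthType.Basic;                 // simple bind: DN + password is the whole check
            try
            {
                conn.Bind(new NetworkCredential(bindDn, password));
                return true;
            }
            catch (LdapException)
            {
                // Wrong password, unknown DN, or "Inappropriate authentication" all land here.
                return false;
            }
        }
    }
}
```

While troubleshooting, logging the caught exception's `ErrorCode` and `ServerErrorMessage` separates a genuinely wrong password from the "Invalid Bind DN" and "Inappropriate Authentication" responses mentioned in the question.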