LDAP Connection String

  • Question

  • User-131026575 posted
    I can never get this connection string to work, it keeps telling me that it is an invalid LDAP adspath:
    LDAP://chestnut.net/CN=Users,DC=chestnut,DC=net

    Could this be a permissions thing, because I am not Domain Admin, but I do have Create/Delete Users and groups permission in Active Directory.

    Tuesday, December 6, 2005 3:12 PM

All replies

  • User1354132231 posted
    You can always figure out the correct path by checking the RootDSE in the domain you are interested in:

    using System;
    using System.DirectoryServices;

    // RootDSE is the directory's own root entry: it reports the default naming
    // context (the domain's DN) and the DNS name of the DC you are talking to.
    DirectoryEntry root = new DirectoryEntry("LDAP://RootDSE");

    using (root)
    {
        string dnc = root.Properties["defaultNamingContext"][0].ToString();
        string server = root.Properties["dnsHostName"][0].ToString();

        // Yields something like LDAP://dc01.chestnut.net/DC=chestnut,DC=net
        // (constructed example value).
        string adsPath = String.Format(
            "LDAP://{0}/{1}",
            server,
            dnc
            );
    }


    Run this from a local (non-ASP.NET) application to get your string value.  Then use that for your ASP.NET applications.
    Tuesday, December 6, 2005 4:11 PM
  • User-131026575 posted
    That gave me a path that didn't work either. It said DC=chestnut,DC=net. That exact path did not work (of course with LDAP added). It kept telling me that the server could not be found. Now if I input this code:

    Protected Sub LoginBtn_Click(ByVal sender As Object, ByVal e As System.EventArgs)
        Dim adPath As String = "LDAP://chestnut.net/CN=SR-Network_Team,OU=SR,DC=chestnut,DC=net" 'Path to your LDAP directory server
        Dim adAuth As FormsAuth.LdapAuthentication = New FormsAuth.LdapAuthentication(adPath)
        Try
            If (True = adAuth.IsAuthenticated(DomainBx.Text, UserNamBx.Text, PassBx.Text)) Then
                Dim groups As String = adAuth.GetGroups()

                'Create the ticket, and add the groups.
                Dim isCookiePersistent As Boolean = chkPersist.Checked
                Dim authTicket As FormsAuthenticationTicket = New FormsAuthenticationTicket(1, _
                     UserNamBx.Text, DateTime.Now, DateTime.Now.AddMinutes(60), isCookiePersistent, groups)

                'Encrypt the ticket.
                Dim encryptedTicket As String = FormsAuthentication.Encrypt(authTicket)

                'Create a cookie, and then add the encrypted ticket to the cookie as data.
                Dim authCookie As HttpCookie = New HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket)

                If (isCookiePersistent = True) Then
                    authCookie.Expires = authTicket.Expiration
                End If
                'Add the cookie to the outgoing cookies collection.
                Response.Cookies.Add(authCookie)

                'You can redirect now.
                Response.Redirect(FormsAuthentication.GetRedirectUrl(UserNamBx.Text, False))

            Else
                errorLabel.Text = "Authentication did not succeed. Check user name and password."
            End If

        Catch ex As Exception
            errorLabel.Text = "Error authenticating. " & ex.Message
        End Try
    End Sub

    I am getting my errorLabel text "Authentication did not succeed. Check user name and password."
    Now I am assuming that my connectivity is not an issue now. The user credentials are correct, the domainbx.text=chestnut.net is correct. I am left to think that it is dealing with the cookies creation. Any suggestions?

    Tuesday, December 13, 2005 1:49 PM
  • User1354132231 posted
    If you are running this under the ASPNET account, you cannot use serverless binding.  It is dependent on the netlogon locator service.  It needs to run under domain credentials to know which domain to use a serverless bind against.

    You can rectify this in your code by adding the domain to the beginning of the AdsPath or by adding a specific controller:

    LDAP://<servername>/DC=chestnut,DC=net

    or

    LDAP://chestnut.net/DC=chestnut,DC=net


    As long as your DNS is not bunged up, it should resolve for you.

    Now, that only will fix the ability for you to get a proper SearchRoot for the DirectorySearcher.  I have no idea based on the code that you show if there is another issue that is causing the code to fail.  If you got this particular code from MSDN called "Forms Auth with Active Directory", it tends to have problems and is one of their more craptastic examples.

    Wednesday, December 14, 2005 9:58 AM
  • User-131026575 posted
    I did get it from MSDN. This is my adspath string:
    "LDAP://chestnut.net/CN=SR-Network_Team,OU=SR,DC=chestnut,DC=net"

    as you can see, I do have chestnut.net at the beginning. This SR-Network_Team is a group in our Active Directory that has members that I only want to have access to the site that I am creating, and it is located in that OU. So that is where I want it to authenticate against in the Active Directory. As far as the rest of the code, I guess I will have to go line by line and figure it out.

    Wednesday, December 14, 2005 10:44 AM
  • User1354132231 posted
    Ah... I see the problem.  I should have asked what the SR-Network_Team was.  I assumed it was a container you created.  That is definitely your problem.

    Groups do not hold other objects in AD.  They have attributes which point to other objects.  Containers like CN=Users or organizational units like OU=someOU hold objects.  You are searching the directory to see if a user exists.  You need to give it a location in your directory that is a parent to your users.  So just cut everything off until the DC= stuff and you would be good.

    What will happen is that it will bind and authenticate the user.  It is then up to you to check the user's group membership using User.IsInRole("SR-Network_Team") to see if they are in the group you want them to be.

    It is all dependent on you finding them first.

    Thursday, December 15, 2005 9:31 AM
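    The two-step flow described above (bind at the domain root with the user's own credentials, then check group membership separately), as an added C# example that is not code from this thread or from the MSDN sample it discusses. The domain chestnut.net, the group name SR-Network_Team and the DOMAIN\user credential format are assumptions.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;

// Added example, not code from the thread or the MSDN sample it discusses.
// Assumed: domain chestnut.net, group SR-Network_Team, and a DOMAIN\user
// name plus password taken from the login form.
static class AdLogin
{
    // Bind at the domain root (a container above the users), never at the group's DN.
    const string AdsPath = "LDAP://chestnut.net/DC=chestnut,DC=net";

    // True only if the password binds AND the user is a direct member of groupCn.
    public static bool AuthenticateAndAuthorize(string domain, string user, string password, string groupCn)
    {
        // An empty password can turn into an unauthenticated bind that "succeeds".
        if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(password)) return false;

        using (var root = new DirectoryEntry(AdsPath, domain + "\\" + user, password, AuthenticationTypes.Secure))
        {
            try { object forceBind = root.NativeObject; }   // a bad password throws here
            catch (COMException) { return false; }          // step 1 failed: not authenticated

            using (var searcher = new DirectorySearcher(root))
            {
                // Escape the user-supplied value before it goes into the filter (RFC 4515).
                searcher.Filter = "(&(objectCategory=person)(sAMAccountName=" + EscapeFilter(user) + "))";
                searcher.PropertiesToLoad.Add("memberOf");
                SearchResult found = searcher.FindOne();
                if (found == null) return false;            // bound, but not under this search root

                // memberOf holds DNs like "CN=SR-Network_Team,OU=SR,DC=chestnut,DC=net".
                foreach (object dn in found.Properties["memberOf"])
                    if (((string)dn).StartsWith("CN=" + groupCn + ",", StringComparison.OrdinalIgnoreCase))
                        return true;                        // step 2 passed: authorized
                return false;
            }
        }
    }

    // Backslash is escaped first so the other escapes are not escaped twice.
    static string EscapeFilter(string s)
    {
        return s.Replace("\\", "\\5c").Replace("*", "\\2a")
                .Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
    }
}
```

    memberOf lists only direct membership (no nested groups and not the primary group); read the tokenGroups attribute instead when the flattened set is needed.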
  • User1005758432 posted
    Many thanks for this tip. I got mine to work after several days of searching on the asp.net forum and posting. But here's what I am wondering. Instead of checking the group as you suggested, is there a way to create roles and/or users that I want to allow to the page inside the web.config file? I will only allow a couple of users to this page so is there a way to specify which user can log into this page in the web.config file? Same thing with the roles, can I also specify the roles in the web.config file?

    Again, thanks for your help.
    Wednesday, July 12, 2006 2:57 PM
  • User1005758432 posted
    Okay, I just realized I got this error every time I compiled.

    Message    1    Could not find schema information for the element 'http://schemas.microsoft.com/.NetConfiguration/v2.0:configuration'.    U:\web.config    10    2    U:\

    Here's my web.config
    <configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
        <appSettings/>
        <connectionStrings>
            <add name="DBConnectionString" connectionString="Data Source=myServer\Tom;Initial Catalog=myDB;Persist Security Info=True;User ID=myUser;Password=myPass" providerName="System.Data.SqlClient"/>
            <add name="ADConnectionString" connectionString="LDAP://mySite.com/DC=mySite,DC=com"/>
        </connectionStrings>
        <system.web>
            <compilation debug="true" strict="false" explicit="true">
                <assemblies>
                    <add assembly="System.DirectoryServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
                </assemblies>
            </compilation>
            <pages>
                <namespaces>
                    <clear/>
                    <add namespace="System"/>
                    <add namespace="System.Collections"/>
                    <add namespace="System.Collections.Specialized"/>
                    <add namespace="System.Configuration"/>
                    <add namespace="System.Text"/>
                    <add namespace="System.Text.RegularExpressions"/>
                    <add namespace="System.Web"/>
                    <add namespace="System.Web.Caching"/>
                    <add namespace="System.Web.SessionState"/>
                    <add namespace="System.Web.Security"/>
                    <add namespace="System.Web.Profile"/>
                    <add namespace="System.Web.UI"/>
                    <add namespace="System.Web.UI.WebControls"/>
                    <add namespace="System.Web.UI.WebControls.WebParts"/>
                    <add namespace="System.Web.UI.HtmlControls"/>
                </namespaces>
            </pages>
            <authentication mode="Forms">
                <forms name=".ADAuthCookie" timeout="10" loginUrl="Admin/Login.aspx"/>
            </authentication>
            <authorization>
                <deny users="?"/>
                <allow users="*"/>
            </authorization>
            <membership defaultProvider="ActiveDirectoryMembershipProvider">
                <providers>
                    <add name="ActiveDirectoryMembershipProvider"
                         type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
                         connectionStringName="ADConnectionString"/>
                </providers>
            </membership>
            <customErrors mode="Off"/>
        </system.web>
    </configuration>

    The page works fine under a web browser but I kept getting this error when building the page. Help is appreciated.

    Wednesday, July 12, 2006 4:41 PM
  • User1354132231 posted
    Make sure you have selected ASP.NET 2.0 in your IIS MMC as the version of ASP.NET to use.  It is likely that you have 1.1 selected now.  You should see an ASP.NET tab there in the properties where you can set it.

    As for declarative security in your web.config - there certainly is a way to do what you are asking.  Look up the <location> tag as well as the <authorization> and <allow>, <deny> tags.  I know there are a few samples on MSDN as well as the Security forum here.
    Wednesday, July 12, 2006 5:53 PM
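    The declarative approach described above, as an added web.config fragment that is not from this thread: the page path, the two account names and the role name are assumptions, and the allow roles rule only takes effect if the request's principal actually carries roles (a role provider, or the groups from the ticket's user data turned into a GenericPrincipal).

```xml
<configuration>
  <system.web>
    <!-- Site-wide: anyone not logged in is sent to the login page. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Per-page rules. ASP.NET evaluates them top to bottom and the first
       match wins, so the closing deny users="*" is what actually shuts
       everyone else out; without it the site-wide rules would let any
       authenticated user through. Path, names and role are assumptions. -->
  <location path="Admin/ManageUsers.aspx">
    <system.web>
      <authorization>
        <allow users="CHESTNUT\alice, CHESTNUT\bob" />
        <allow roles="SR-Network_Team" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```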
  • User1005758432 posted
    Thanks for the response. Yes, I'm positive that we are using ASP.NET 2.0. The error I mentioned only occurs when I build the page. The page works fine when viewing through the browser. So I'm not sure where the cause is since I already am using ASP.NET 2.0.

    Where do I look up all the tags you mentioned?

    Thursday, July 13, 2006 8:49 AM
  • User1354132231 posted
    You can find the tag starting here.  Check to make sure your web.config is declaring the right version of the schema it is using.  MS has gone through a few iterations with the betas.  I am not sure what the right one would be, but look around and see if you don't have either old tag names or an old schema namespace.

    Thursday, July 13, 2006 1:26 PM
  • User1314933508 posted
    Thanks dunnry. This helped a lot. Our users are all in OUs and I could not for the life of me figure out how to authenticate the users. Removed the CN=Users bit and it worked fine.

    Thursday, November 6, 2008 4:53 AM
  • User-319574463 posted
    > Thanks dunnry. This helped a lot.

    Please mark dunnry's answer as answering your question.

    Saturday, November 8, 2008 6:54 AM