LDAP Authentication: Setting application roles/permissions for users

  • Question

  • User2132266920 posted

    Hi;

    I have never used LDAP and don't know exactly how it works (besides the basics). If I want my application to use LDAP to allow users to authenticate in an ASP.NET application, how are the permissions/roles for the app (i.e. different from the LDAP roles/groups) set?

    Should the LDAP users be put into a specific group (i.e. the name of the ASP.NET app) to control which users are considered an administrator/manager/user (or any specific role needed by the application)?

    Let me know if you would need more info and/or clarification on my request :)
    Thank you!

    Friday, January 10, 2014 5:34 PM

Answers

  • User1508394307 posted

    Should the LDAP users be put into a specific group (i.e. the name of the ASP.NET app) to control which users are considered an administrator/manager/user (or any specific role needed by the application)?

    It's up to your network administrator to decide. You can use either existing groups/roles or ask to create specific groups for your application only. Usually it makes sense to use LDAP groups when membership management must be centralized (managed not by the site admin but by IT or dedicated people), or when groups/roles already exist and are used by multiple corporate applications. If this is not the case, then it might make sense to keep LDAP authentication (login process) but use your own site authorization without going to LDAP.

    If you want to know more, get an ADSI/LDAP tool such as LDAP Browser and browse your directory.

    As for the code, you would need to check the memberOf property:

    Imports System.DirectoryServices

    ' ldapdomain holds the LDAP path of the directory (placeholder, e.g. "LDAP://DC=example,DC=com").
    ' Binding with the user's own credentials is the authentication step: FindOne throws if they are wrong.
    Dim Entry As New DirectoryEntry(ldapdomain, Username, Password)
    Dim Searcher As New DirectorySearcher(Entry)
    Searcher.SearchScope = SearchScope.Subtree
    ' Escape the user-supplied name (RFC 4515) so it cannot change the meaning of the filter (LDAP injection).
    Dim safeName As String = Username.Replace("\", "\5c").Replace("*", "\2a").Replace("(", "\28").Replace(")", "\29").Replace(vbNullChar, "\00")
    Searcher.Filter = "(&(objectcategory=user)(SAMAccountName=" & safeName & "))"
    Dim res As SearchResult = Searcher.FindOne()
    If res Is Nothing Then Throw New InvalidOperationException("User not found: " & Username)

    For i As Integer = 0 To res.Properties("memberOf").Count - 1
        Response.Write(res.Properties("memberOf")(i).ToString())
    Next

    It should print out the full DNs of the groups the user is a member of.

    To get the "user-friendly" name or other properties, use:

    Dim res As SearchResult = Searcher.FindOne()

    For i As Integer = 0 To res.Properties("memberOf").Count - 1
        ' Bind to each group by its DN; a forward slash inside a DN must be escaped as "\/" in the ADsPath.
        Dim groupDn As String = res.Properties("memberOf")(i).ToString().Replace("/", "\/")
        Using de As New DirectoryEntry("LDAP://" & groupDn, Username, Password)
            Response.Write(de.Properties("name").Value.ToString())
        End Using
    Next

    Hope this helps.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, January 10, 2014 7:14 PM
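To turn the group DNs returned by memberOf into application roles, here is an added VB.NET example that is not part of the answer above. The group-to-role map, the group names and the sample memberOf values are constructed for illustration. Resolution compares whole distinguished names case-insensitively (never substrings, so a similarly named group in another OU does not match) and grants no role unless a configured group matches. Note that memberOf lists direct memberships only: nested groups and the user's primary group are not covered by this check.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Security.Principal

Public Module GroupRoleMapping

    ' Constructed map from application-specific directory groups (full DN) to application roles.
    ' In a real deployment this would come from web.config or a database.
    Public ReadOnly GroupToRole As New Dictionary(Of String, String)(StringComparer.OrdinalIgnoreCase) From {
        {"CN=MyApp-Admins,OU=Groups,DC=example,DC=com", "admin"},
        {"CN=MyApp-Managers,OU=Groups,DC=example,DC=com", "manager"},
        {"CN=MyApp-Users,OU=Groups,DC=example,DC=com", "user"}
    }

    ' Returns the application roles for a user given the DNs from the memberOf attribute.
    ' Whole DNs are compared (case-insensitively), never substrings, so a group such as
    ' "CN=MyApp-Admins,OU=Former,..." or "CN=Not-MyApp-Admins,..." does not match.
    ' A user with no configured group gets an empty list (deny by default).
    Public Function ResolveRoles(memberOfDns As IEnumerable(Of String)) As List(Of String)
        Dim roles As New List(Of String)()
        For Each dn As String In memberOfDns
            Dim role As String = Nothing
            If GroupToRole.TryGetValue(dn.Trim(), role) AndAlso Not roles.Contains(role) Then
                roles.Add(role)
            End If
        Next
        Return roles
    End Function

    ' Builds the principal that ASP.NET's User.IsInRole() consults,
    ' from the authenticated user id and the resolved roles.
    Public Function BuildPrincipal(userId As String, memberOfDns As IEnumerable(Of String)) As GenericPrincipal
        Dim identity As New GenericIdentity(userId, "LDAP")
        Return New GenericPrincipal(identity, ResolveRoles(memberOfDns).ToArray())
    End Function

    Sub Main()
        ' Constructed sample of what memberOf returns for one user (one DN in different letter case).
        Dim sample As String() = {
            "CN=MyApp-Managers,OU=Groups,DC=example,DC=com",
            "CN=Domain Users,CN=Users,DC=example,DC=com",
            "cn=myapp-users,ou=groups,dc=example,dc=com"
        }
        Dim principal As GenericPrincipal = BuildPrincipal("user1", sample)
        Console.WriteLine("manager: " & principal.IsInRole("manager"))
        Console.WriteLine("user: " & principal.IsInRole("user"))
        Console.WriteLine("admin: " & principal.IsInRole("admin"))
    End Sub

End Module
```

In a web application the principal returned by BuildPrincipal would be assigned to HttpContext.Current.User once the LDAP bind has succeeded; the sample user above is a manager and a user but not an admin, and "Domain Users" yields nothing because it is not in the map.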

All replies

  • User2132266920 posted

    Thank you for the fast and straight to the point reply smirnov!

    One more question though: When you say "it might make sense to keep LDAP authentication (login process) but use own site authorization without going to LDAP", how do you actually do the mapping between an LDAP user identity and the application's roles?

    Do you create a database table (for example) holding the identities of the LDAP users with the application's role, or is the idea different?

    Thank you.

    Friday, January 10, 2014 7:34 PM
  • User1508394307 posted

    You can map LDAP users to application roles by userid (SAMAccountName, which is usually the same as System.Web.HttpContext.Current.User.Identity.Name). In this case, you will need either a table in the database or an XML configuration file. It all depends on how many users and roles there are and what kind of authorization will be required.

    For example, your LDAP user is user1. If you use Integrated Windows Authentication, you can call User.Identity.Name to get your current userid. In the database you can have a table:

    userid  role
    -------------
    user1   admin
    user2   user

    Friday, January 10, 2014 7:58 PM
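Looking up the application role from a table keyed by userid, as an added VB.NET example that is not part of the reply above. It assumes the userid/role table shown in the reply exists as a SQL Server table named UserRoles, reachable through a connection string named AppDb (both names are assumptions). The identity name is normalised first because Integrated Windows Authentication reports it as DOMAIN\user, the query is parameterised rather than built by string concatenation, and a user without a row gets no role at all. It goes slightly beyond the reply in allowing several rows, and therefore several roles, per user.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient
Imports System.Security.Principal

Public Module UserRoleLookup

    ' Reduces the identity name reported by ASP.NET to the bare user id stored in the table:
    ' "EXAMPLE\user1" -> "user1", "user1@example.com" -> "user1", "user1" -> "user1".
    Public Function NormalizeUserId(identityName As String) As String
        If String.IsNullOrWhiteSpace(identityName) Then
            Throw New ArgumentException("Identity name is required.", "identityName")
        End If
        Dim name As String = identityName.Trim()
        Dim backslash As Integer = name.LastIndexOf("\"c)
        If backslash >= 0 Then name = name.Substring(backslash + 1)
        Dim at As Integer = name.IndexOf("@"c)
        If at >= 0 Then name = name.Substring(0, at)
        Return name.ToLowerInvariant()
    End Function

    ' Fetches the roles mapped to a user id from the assumed UserRoles(userid, role) table.
    ' The user id travels as a SQL parameter, never concatenated into the SQL text.
    ' No row means no role: the application grants nothing by default.
    Public Function GetRoles(identityName As String) As List(Of String)
        Dim roles As New List(Of String)()
        Dim settings As ConnectionStringSettings = ConfigurationManager.ConnectionStrings("AppDb")
        If settings Is Nothing Then
            Throw New InvalidOperationException("Connection string 'AppDb' is not configured.")
        End If
        Using conn As New SqlConnection(settings.ConnectionString)
            Using cmd As New SqlCommand("SELECT role FROM UserRoles WHERE userid = @userid", conn)
                cmd.Parameters.Add("@userid", SqlDbType.NVarChar, 256).Value = NormalizeUserId(identityName)
                conn.Open()
                Using reader As SqlDataReader = cmd.ExecuteReader()
                    While reader.Read()
                        roles.Add(reader.GetString(0))
                    End While
                End Using
            End Using
        End Using
        Return roles
    End Function

    ' Builds the principal ASP.NET checks in User.IsInRole(); assign it to HttpContext.Current.User
    ' (for example in Application_PostAuthenticateRequest) after the LDAP login has succeeded.
    Public Function BuildPrincipal(identityName As String) As GenericPrincipal
        Dim userId As String = NormalizeUserId(identityName)
        Return New GenericPrincipal(New GenericIdentity(userId, "LDAP"), GetRoles(identityName).ToArray())
    End Function

End Module
```

Keeping the role lookup in the application's own table, as the reply suggests, means a directory group change cannot silently grant application rights; the trade-off is that the site administrator, not IT, now maintains the mapping.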
  • User2132266920 posted

    Thank you for the confirmation, much appreciated!

    Saturday, January 11, 2014 1:39 PM