How to authenticate to iPlanet server using LDAPS?

[JohnnyO''''Clock]

I've been trying to build an LDAP provider in ASP.Net 2.0. I know the basic
steps are to search the directory for user object, grab the full user object
context and bind to it securely, and then attempt to authenticate by sending
the username and password. I can't find any documentation on using LDAPS for
authenticating to a non-microsoft ldap server. Here's a console code snippet
I've been using which works and enumerates a user's properties:

using System;
using System.Collections.Generic;
using System.Text;
using System.DirectoryServices;

namespace iPlanet
{
class Program
{


static void Main(string[] args)
{
string adsPath = "LDAP://ldap.school.edu/dc=school,dc=edu";

//Explicitly create our SearchRoot
DirectoryEntry searchRoot = new DirectoryEntry(
adsPath,
null,
null,
AuthenticationTypes.None
);
//AuthenticationTypes.None - works
//AuthenticationTypes.Anonymous - doesn't work
//AuthenticationTypes.Secure - doesn't work
//AuthenticationTypes.SecureSocketsLayer - doesn't work
//AuthenticationTypes.Encryption - doesn't work
//AuthenticationTypes.ReadonlyServer - works
//AuthenticationTypes.ServerBind - works
//AuthenticationTypes.Signing - works
//AuthenticationTypes.Sealing - works
//AuthenticationTypes.FastBind - works
//AuthenticationTypes.Delegation - works

using (searchRoot)
{
DirectorySearcher ds = new DirectorySearcher(
searchRoot,
"(uid=jdoe)" //user being searched for
);

using (SearchResultCollection src = ds.FindAll())
{
//Console.WriteLine("Returning {0}", src.Count);

foreach (SearchResult sr in src)
{
foreach (string prop in sr.Properties.PropertyNames)
{
foreach (object o in sr.Properties[prop])
{
Console.WriteLine("{0}: {1}", prop, o);
}
}
}
}
}
}
}
}

The problem I have is when I've tried to bind to the LDAP server. It errors
out with the message that the server may not be operational. What the correct
authentication type for an iPlanet ldao server?

 

[Joe Kaplan \(MVP - ADSI\)]

You need to be using AuthenticationTypes.SecureSocketsLayer. If that
doesn't work, there is probably an issue with the local LDAP client
accepting the certificate from the server. There are 3 main reasons this
fail:
- The DNS name in your binding string doesn't match the DNS name in the
cert
- The cert is expired or not yet valid
- The local client does not trust the server's certificate

Essentially, these are the same reasons you get a certificate warning dialog
in IE, except that LDAP always fails on these conditions.

The System event log may also contain errors from Schannel that tell you
what the problem was. If not, you can also bump up the logging level:
http://support.microsoft.com/?id=260729

Since you are using .NET 2.0 also, you might consider using
System.DirectoryServices.Protocols for this purpose. It is lower level and
has the benefit of eliminating all of the ADSI layer from the LDAP calls.

Joe K.

I've been trying to build an LDAP provider in ASP.Net 2.0. I know the
basic
steps are to search the directory for user object, grab the full user
object
context and bind to it securely, and then attempt to authenticate by
sending
the username and password. I can't find any documentation on using LDAPS
for
authenticating to a non-microsoft ldap server. Here's a console code
snippet
I've been using which works and enumerates a user's properties:

using System;
using System.Collections.Generic;
using System.Text;
using System.DirectoryServices;

namespace iPlanet
{
class Program
{


static void Main(string[] args)
{
string adsPath = "LDAP://ldap.school.edu/dc=school,dc=edu";

//Explicitly create our SearchRoot
DirectoryEntry searchRoot = new DirectoryEntry(
adsPath,
null,
null,
AuthenticationTypes.None
);
//AuthenticationTypes.None - works
//AuthenticationTypes.Anonymous - doesn't work
//AuthenticationTypes.Secure - doesn't work
//AuthenticationTypes.SecureSocketsLayer - doesn't work
//AuthenticationTypes.Encryption - doesn't work
//AuthenticationTypes.ReadonlyServer - works
//AuthenticationTypes.ServerBind - works
//AuthenticationTypes.Signing - works
//AuthenticationTypes.Sealing - works
//AuthenticationTypes.FastBind - works
//AuthenticationTypes.Delegation - works

using (searchRoot)
{
DirectorySearcher ds = new DirectorySearcher(
searchRoot,
"(uid=jdoe)" //user being searched for
);

using (SearchResultCollection src = ds.FindAll())
{
//Console.WriteLine("Returning {0}", src.Count);

foreach (SearchResult sr in src)
{
foreach (string prop in
sr.Properties.PropertyNames)
{
foreach (object o in sr.Properties[prop])
{
Console.WriteLine("{0}: {1}", prop, o);
}
}
}
}
}
}
}
}

The problem I have is when I've tried to bind to the LDAP server. It
errors
out with the message that the server may not be operational. What the
correct
authentication type for an iPlanet ldao server?

 

[Joe Kaplan \(MVP - ADSI\)]

Do you get any Schannel errors in the System event log on the web server
when it tries to make the LDAPS connection to iPlanet? Normally, if there
is a problem with the SSL handshake, it will be reported there.

Joe K.

Hi,

I am stuck with similar problem that of yours. Let me know if you were
able to find a solution.

My code in asp.net works fine when using 389 but not with 636.
I have installed the certificate and tried.

I will be glad if you can help me out.

Sushil

*I've been trying to build an LDAP provider in ASP.Net 2.0. I know
the basic
steps are to search the directory for user object, grab the full user
object
context and bind to it securely, and then attempt to authenticate by
sending
the username and password. I can't find any documentation on using
LDAPS for
authenticating to a non-microsoft ldap server. Here's a console code
snippet
I've been using which works and enumerates a user's properties:

using System;
using System.Collections.Generic;
using System.Text;
using System.DirectoryServices;

namespace iPlanet
{
class Program
{


static void Main(string[] args)
{
string adsPath = "LDAP://ldap.school.edu/dc=school,dc=edu";

//Explicitly create our SearchRoot
DirectoryEntry searchRoot = new DirectoryEntry(
adsPath,
null,
null,
AuthenticationTypes.None
);
//AuthenticationTypes.None - works
//AuthenticationTypes.Anonymous - doesn't work
//AuthenticationTypes.Secure - doesn't work
//AuthenticationTypes.SecureSocketsLayer - doesn't work
//AuthenticationTypes.Encryption - doesn't work
//AuthenticationTypes.ReadonlyServer - works
//AuthenticationTypes.ServerBind - works
//AuthenticationTypes.Signing - works
//AuthenticationTypes.Sealing - works
//AuthenticationTypes.FastBind - works
//AuthenticationTypes.Delegation - works

using (searchRoot)
{
DirectorySearcher ds = new DirectorySearcher(
searchRoot,
"(uid=jdoe)" //user being searched for
);

using (SearchResultCollection src = ds.FindAll())
{
//Console.WriteLine("Returning {0}", src.Count);

foreach (SearchResult sr in src)
{
foreach (string prop in sr.Properties.PropertyNames)
{
foreach (object o in sr.Properties[prop])
{
Console.WriteLine("{0}: {1}", prop, o);
}
}
}
}
}
}
}
}

The problem I have is when I've tried to bind to the LDAP server. It
errors
out with the message that the server may not be operational. What the
correct
authentication type for an iPlanet ldao server? *