LDAP and SASL

[Amar]

I am a newbie with enterprise directories. I am trying to write an ASP.NET
application to fetch some data from my university LDAP enterprise directory.
There are 2 types of access allowed to the LDAP server. One is a anonymous
access and another is the access that exists mainly to give privileged
accounts access to person information that can otherwise not be publicly
viewed. These privileged accounts, called Y Services, are primarily used to
look up person data and authorize people on this data.

Now, i was able to use the anonymous access priviliges and view the data
from LDAP server. What i want to do is to use the Y services and view the
person information that cannot be accessed via the anonymous access. For
example i want to view the date of birth for the person which is available in
the Y Services access.

The university instructions say the following:

What you see in Y Services is dependent on how you bind (anonymous, simple,
SASL EXTERNAL) and the amount of privileges the bound user has. Connecting to
Y Services requires the use of TLS client certificate authentication, meaning
you must have a signed certificate from the uiniversity in order to connect.
Users bound anonymously can only search on ID and can only see the DN
(distinguished name) of any user. Users that have performed a SASL EXTERNAL
bind can only see those attributes they have been approved to see (for all
users), and only if the corresponding service is ACTIVE.

Now, i know that the TLS client certificate has been installed on my server
by my Sys admin. Please tell me the steps to do the bind and fetch the date
of birth for all people in department X.

Here is the anonymous bind code.

Dim deLdapConn As DirectoryEntry = New
DirectoryEntry("LDAP://directory.a.edu/dc=a,dc=edu")

Dim searcherLdap As New DirectorySearcher(deLdapConn)

Dim Results As SearchResultCollection

Dim propcoll As ResultPropertyCollection

Dim Result As SearchResult

Dim strKey As String

Dim obProp As Object

iNumProperties = 0



Try

searcherLdap.Filter = "(department=X)"

searcherLdap.PropertiesToLoad.Add("sn")

searcherLdap.PropertiesToLoad.Add("givenname")

searcherLdap.PropertiesToLoad.Add("telephonenumber")

searcherLdap.PropertiesToLoad.Add("uupid")

Results = searcherLdap.FindAll

iNumProperties = Results.Count()

ReDim arrFName(iNumProperties - 1)

ReDim arrLName(iNumProperties - 1)

ReDim arrPhone(iNumProperties - 1)

ReDim arrEmail(iNumProperties - 1)

ReDim arrDob(iNumProperties - 1)

iNumProperties = 0 ' Sets the start index for arrays

For Each Result In Results ' Starts the loop where result stores 1 record
and resultS stores all records

propcoll = Result.Properties ' Gets the all the properties (fieldnames) for
that record

For Each strKey In propcoll.PropertyNames ' Loop through each field name for
the selected record

iOnce = 0

For Each obProp In propcoll(strKey)

If strKey = "givenname" Then

arrFName(iNumProperties) = obProp

End If

If strKey = "sn" Then

arrLName(iNumProperties) = obProp


End If

If strKey = "telephonenumber" Then


arrPhone(iNumProperties) = obProp

End If

If strKey = "uupid" Then

arrEmail(iNumProperties) = obProp

End If

Next

Next

iNumProperties = iNumProperties + 1

Next

searcherLdap.Dispose()

searcherLdap = Nothing

deLdapConn.Close()

deLdapConn = Nothing

Catch Ex As Exception

Response.Write(Ex.ToString)

End Try



Please help me!! THANKS IN ADVANCE!!

 

[Joe Kaplan \(MVP - ADSI\)]

Did you try specifying the AuthenticationTypes.SecureSocketsLayer flag?
ADSI and the LDAP API will happily try to supply a client cert during the
LDAP SSL handshake if one is available and configured correctly.

Joe K.

 

[Amar]

Thanks Joe. I did try specifying the authentication types. But when i read
your reply, i do have reason to believe that there is some problem with the
client cert. Can you please tell us the steps to make our website use the
client certificate. Let me give you a brief status.
My system administrator requested 2 certificates from the university central
computing resources. One was a SSL server certificate and another was a
client certificate which was provided by the group that handles the
enterprise directory on campus.
My sys admin installed both those certificates on the webserver. When we run
the Certificates.msc console, we can see both the certificates listed under
the folder listing Certificates-Personal-Certificates-Both present here.
Now how do i make my website make use of these certificates? Do i have to
make some special changes to my website on IIS? I use IIS6.0 on windows 2003
server and use my laptop with VS.NET 2003 to work remotely on the server.
Thank you so much Joe. Really appreciate your help.

 

[Joe Kaplan \(MVP - ADSI\)]

Getting client certficates to work under ASP.NET is a bit of PITA because
the private key for the cert is usually stored in the user's profile and
that won't be loaded in the context of ASP.NET. The private key needs to be
installed in the machine store instead.

What I would suggest doing would be to export the certificate and private
key from your personal store and make sure it is installed in the machine
store.

Then, the next thing to do is to make sure that the account that is being
used to execute the request has permissions on the private key. This is
much trickier part as there are many different options for what that account
might be depending on how you have configured the web app. You can find out
the identity of the current thread with
System.Security.Principal.WindowsIdentity.GetCurrent().Name.

I think it would be best to try to make sure you can get the LDAP client
certificate thing working in a console app first before trying to move it
into an ASP.NET context though. There is no telling whether that part alone
will work correctly. Hopefully there won't be an issue, but you want to try
to isolate that from the web app while that is still an unknown.

Joe K.