retrieve LDAP info within webservice


Roland Wolters

Hi,

Using WSE 2.0 a user logs on to my application. The web service runs
within the domain, the user does not (not always). So I use the
web service to read from the central database and to verify the
username/password. Doing that I want to return the full name for the
user.

To do this I wrote (well, partially found it on the internet ;-)) this
method:

using System;
using System.DirectoryServices;

public static String GetLDAPName(String userAccount)
{
    // Binds with the credentials of the calling process; under IIS that is the
    // ASP.NET worker identity, not the user who presented the UsernameToken.
    DirectoryEntry entry = new DirectoryEntry("LDAP://xxx");
    String account = userAccount.Replace(@"@xxx", "");
    try
    {
        DirectorySearcher search = new DirectorySearcher(entry);
        // Escape RFC 4515 metacharacters so a crafted account name cannot rewrite the filter.
        String escaped = account.Replace(@"\", @"\5c").Replace("*", @"\2a")
                                .Replace("(", @"\28").Replace(")", @"\29");
        search.Filter = "(sAMAccountName=" + escaped + ")";
        search.PropertiesToLoad.Add("displayName");
        SearchResult result = search.FindOne();

        // Guard against a match that has no displayName set; indexing [0] would throw.
        if (result != null && result.Properties.Contains("displayName"))
        {
            return result.Properties["displayName"][0].ToString();
        }
        else
        {
            return "Unknown User";
        }
    }
    catch (Exception ex)
    {
        // Returning ex.Message hands directory/bind details to the web service caller;
        // log it server-side and return a generic message in production.
        return ex.Message;
    }
}

If I try it, it always returns "An operations error occurred". That's
good info, isn't it!! NOT!

To find out if the method is wrong I also put it in a Windows app and
tested it on another machine (no Visual Studio installed, just xcopy
deployed) in the same domain as the web server. Without having to set any
trusts it ran fine!

What's wrong here? Is this a matter of setting permissions on the
web server? And what would that be?


Mazzel,


Roland
 

Dilip Krishnan

Hello Roland,

You need to make sure that the account ASP.NET runs under has been set up
as a user in LDAP.
HTH
Regards,
Dilip Krishnan
MCAD, MCSD.net
dkrishnan at geniant dot com
http://www.geniant.com
 

Roland Wolters

Hi,

The user running the web service has not been set up as a user in LDAP. The
admin is not going to change this.

Is there a way around this? I do have a valid, authenticated
UsernameToken. Can I use this to read the full name for that user? Maybe
use impersonation via this username token? How?


Roland

 

HG

Hello Roland,

Maybe you're better off asking in the aspnet.security group. I know there
has been a lot of discussion of the "multi-hop" issue, especially when
retrieving information from AD.

Not much help, but give it a try.

Regards
Henrik
http://websolver.blogspot.com


Roland Wolters said:
Hi,

The user running the web service has not been set up as a user in LDAP. The
admin is not going to change this.

Is there a way around this? I do have a valid, authenticated
UsernameToken. Can I use this to read the full name for that user? Maybe
use impersonation via this username token? How?


Roland
 

Dilip Krishnan

Hello Roland,

Roland Wolters said:
Hi,

The user running the web service has not been set up as a user in LDAP.
The admin is not going to change this.

Is there a way around this? I do have a valid, authenticated
UsernameToken. Can I use this to read the full name for that user?
Maybe use impersonation via this username token? How?

Yes, you could set up the UsernameToken to authenticate against the Windows domain
(no custom username token manager). You will probably have to jump through a few
hoops to get that user to be impersonated as the web service identity, however.
This is because of the subtle difference between transport-based security and
SOAP-based security, which we will not go into here. The easiest way to go
about this is to use a surrogate user that is provisioned in LDAP and use that
account to connect always. That way you don't have to provision users for
each web server you have.
HTH
Regards,
Dilip Krishnan
MCAD, MCSD.net
dkrishnan at geniant dot com
http://www.geniant.com
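Putting Roland's question ("is this a matter of permissions on the web server?") and Dilip's surrogate-account answer together, here is an added example of the lookup done the way Dilip suggests. It is not code from the thread; it assumes the directory path "LDAP://xxx" and the "@xxx" suffix from Roland's post, a dedicated read-only domain account whose name and password are stored under two hypothetical appSettings keys (ldapServiceUser and ldapServicePassword), and .NET 2.0 or later (on .NET 1.1, the WSE 2.0 era, ConfigurationSettings.AppSettings takes the place of ConfigurationManager.AppSettings). The CurrentProcessIdentity helper is there for the check a practitioner wants first: when it reports a local account such as ASPNET or NT AUTHORITY\NETWORK SERVICE rather than a domain principal, the implicit bind in the original code has nothing the domain controller will accept, which matches the "operations error" symptom on the web server and the success in a console app run under a domain user.

```csharp
using System;
using System.Configuration;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example (not from the thread): resolves displayName with a dedicated,
// least-privilege "surrogate" service account instead of the ASP.NET worker identity.
public static class DirectoryLookup
{
    // Assumed placeholders taken from the post; the appSettings keys are hypothetical.
    private const string DirectoryPath = "LDAP://xxx";
    private const string DomainSuffix = "@xxx";

    // Escapes RFC 4515 filter metacharacters so a caller-supplied account name
    // cannot change the meaning of the search filter (LDAP injection).
    public static string EscapeFilterValue(string value)
    {
        return value.Replace(@"\", @"\5c")
                    .Replace("*", @"\2a")
                    .Replace("(", @"\28")
                    .Replace(")", @"\29")
                    .Replace("\0", @"\00");
    }

    // The identity the directory would see on an implicit bind: under IIS this is the
    // worker identity (e.g. ASPNET or NT AUTHORITY\NETWORK SERVICE), which is not a
    // domain principal unless the administrator has made it one.
    public static string CurrentProcessIdentity()
    {
        return WindowsIdentity.GetCurrent().Name;
    }

    public static string GetDisplayName(string userAccount)
    {
        string account = userAccount.EndsWith(DomainSuffix, StringComparison.OrdinalIgnoreCase)
            ? userAccount.Substring(0, userAccount.Length - DomainSuffix.Length)
            : userAccount;

        // Surrogate account credentials come from configuration, never from the caller.
        string serviceUser = ConfigurationManager.AppSettings["ldapServiceUser"];
        string servicePassword = ConfigurationManager.AppSettings["ldapServicePassword"];

        // Explicit credentials + AuthenticationTypes.Secure: Kerberos/NTLM bind,
        // never a simple (cleartext password) bind.
        using (DirectoryEntry root = new DirectoryEntry(DirectoryPath, serviceUser, servicePassword,
                                                        AuthenticationTypes.Secure))
        using (DirectorySearcher searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectCategory=person)(sAMAccountName=" + EscapeFilterValue(account) + "))";
            searcher.PropertiesToLoad.Add("displayName");
            searcher.SizeLimit = 1;

            try
            {
                SearchResult result = searcher.FindOne();
                if (result == null || !result.Properties.Contains("displayName"))
                {
                    return "Unknown User";
                }
                return (string)result.Properties["displayName"][0];
            }
            catch (COMException ex)
            {
                // Log the detail server-side; hand the caller a generic answer so bind
                // failures and server names are not returned through the web service.
                System.Diagnostics.Trace.WriteLine("LDAP lookup failed: " + ex);
                return "Unknown User";
            }
        }
    }
}
```

The surrogate account needs nothing beyond the default read access to displayName on user objects, so it should be an ordinary domain user with no interactive logon rights and a password that is not stored in clear text in web.config (protected configuration sections or DPAPI, depending on the framework version). Because it is a single identity shared by every call, the web service must still verify the UsernameToken itself before calling GetDisplayName; the directory bind no longer tells you anything about who the caller is.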
 

Shaun

I'm having this exact same problem. Roland, have you found a solution to it?
Basically I can get info when not using a trusted connection (SSL). But
when I try to enable the trusted connection it just doesn't work. Tracing through
the code I can tell that it does "connect" to the LDAP server, but when it
tries to bind a user/pass to it, it gives an exception.

Another thing I noticed is that if I DON'T use it as a web service and use it
as a class driver, everything works fine and dandy.

Does anyone have any solution? About the user impersonating as a web service
"solution" above: can you tell me what I have to do, step by step?

Thanks
 