4

I am working on a website which is used to reset the passwords of LDAP users. I am not able to make a connection with the server over SSL. I tried various code and authentication types.

This is what is used for LDAP connectivity on the server on which the website is hosted. I also tested it with both SSL ports, 636 and 3269.

0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity?, NEGOTIATE (1158)); v.3

{NtAuthIdentity?: User='_ldapuser'; Pwd='unavailable';; domain = 'SJTPNOC.DOMAIN'}

I am using the following code in the website:

using System.DirectoryServices.Protocols;
using System.Net;

// Connect to the directory over LDAPS (port 636)
LdapConnection connection = new LdapConnection(new LdapDirectoryIdentifier("SJTP.DOMAIN", 636));
connection.SessionOptions.ProtocolVersion = 3;
connection.AuthType = AuthType.Basic;
// Simple bind: the user's full DN is passed as the user name
connection.Credential = new NetworkCredential("CN=user,CN=Users,DC=SJTPNOC,DC=DOMAIN", "password", "CN=Users,DC=SJTPNOC,DC=DOMAIN");
connection.SessionOptions.SecureSocketLayer = true;
connection.Bind();

I am getting the exception "LDAP server is unavailable". I tried that code with port 389 and without SSL and it works fine.

Please let me know what is wrong.

halfer
mayank.karki

3 Answers

5

If you only want encryption and do not need strong authentication of the LDAP server, maybe you should add:

// Accept whatever certificate the server presents (no validation at all)
connection.SessionOptions.VerifyServerCertificate =
    new VerifyServerCertificateCallback((con, cer) => true);
jbl
  • Now I have to reset the user password. – mayank.karki Sep 28 '12 at 06:50
  • I used the replace operation on userPassword but am getting the error "The server cannot handle directory requests.". – mayank.karki Sep 28 '12 at 06:53
  • @mayank.karki you should close this question and give a detailed description of your new problem in a new question. – jbl Sep 28 '12 at 08:08
  • The link to my new question is http://stackoverflow.com/questions/12635484/reset-ldap-user-password-error-the-server-cannot-handle-directory-requests Thanks for your support. – mayank.karki Sep 28 '12 at 08:32
  • Hi jbl, I have one more query. This is the link: http://stackoverflow.com/questions/12908745/find-out-user-cannot-change-password-value-of-ldap . Thanks for replying. – mayank.karki Oct 16 '12 at 06:30
  • Hi jbl, I am stuck somewhere and need your help (http://stackoverflow.com/questions/13437986/property-value-returned-by-directorysearcher-and-searchresponse-are-of-different). – mayank.karki Nov 20 '12 at 06:23
4

I also had a problem connecting via SSL, but not over plaintext. I did some network sniffing and was able to see that although I set the LdapConnection.AuthType to Basic, my client machine was finding and using client certificates for the SSL handshake. The certificate it found (don't know if I should be mad at Visual Studio or the .NET LdapConnection class) was a cheesy self-signed cert that the LDAP server did not like. It returned a very secure "server unavailable" error; good for it. So there is a client certificate resolver delegate in the SessionOptions that I needed to provide with a very simple implementation:

using System.DirectoryServices.Protocols;
using System.Security.Cryptography.X509Certificates;

// Returning null tells the runtime not to present any client certificate
// during the TLS handshake.
public static X509Certificate ClientCertFinder(LdapConnection connection,
                                               byte[][] trustedCAs)
{
    return null;
}

Then, set the SessionOptions QueryClientCertificateCallback delegate to use the stub like this:

connection.SessionOptions.QueryClientCertificate =
      new QueryClientCertificateCallback(ClientCertFinder);

You could probably even make this a one-liner as in @jbl's answer for the validation callback, but maybe some day I'll want to do client-certificate authentication, and having that stub serves as a reminder of how to do it.

Greg
1

The code below worked for me to connect to AD using LDAPS:

using System.DirectoryServices.Protocols;
using System.Net;
using System.Security.Cryptography.X509Certificates;

var ldapConnection = new LdapConnection(new LdapDirectoryIdentifier("your.LDAPSserver.com", 636));

var networkCredential = new NetworkCredential("UsernameWithoutDomain", "yourPassword", "AD.yourDOMAIN.com");
ldapConnection.SessionOptions.SecureSocketLayer = true;
ldapConnection.SessionOptions.ProtocolVersion = 3;
ldapConnection.SessionOptions.VerifyServerCertificate = new VerifyServerCertificateCallback(ServerCallback);
// Negotiate = Kerberos/NTLM rather than a simple (plaintext-password) bind
ldapConnection.AuthType = AuthType.Negotiate;
ldapConnection.Bind(networkCredential);

// Look up one user by e-mail address under the Users container
SearchRequest srchRequest = new SearchRequest("CN=Users,DC=AD,DC=YOURCOMPANY,DC=COM", "mail=useremail@company.com", System.DirectoryServices.Protocols.SearchScope.Subtree);
SearchResponse srchResponse = (SearchResponse)ldapConnection.SendRequest(srchRequest);

// ServerCallback: accepts any server certificate
private static bool ServerCallback(LdapConnection connection, X509Certificate certificate)
{
    return true;
}

Surprisingly, it also works when I am not using networkCredential and just call ldapConnection.Bind(); it seems to be using my local credentials as the default on my local machine.

Himalaya Garg
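Both the VerifyServerCertificate callbacks above (jbl's lambda and Himalaya Garg's ServerCallback) return true unconditionally, which makes the connection work but also means any host that can answer on port 636 is accepted as the directory server, and a password-reset site sends user passwords over that connection. The following is an added example, not code from any of the answers, showing a callback that actually authenticates the server (chain to a trusted root, plus either a pinned thumbprint or a host-name match) and combines it with Greg's "no client certificate" callback. The host name, user DN and the PinnedThumbprint value are placeholders to replace with your own.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Security.Cryptography.X509Certificates;

// Added example: LDAPS client that verifies the server certificate instead of
// returning true. Host, credentials and PinnedThumbprint are placeholders
// (assumptions), not values taken from the question or the answers.
public static class LdapsClient
{
    // Placeholder: SHA-1 thumbprint of the directory server's certificate as
    // shown in certlm.msc. Leave as-is to rely on chain + host-name checks only.
    private const string PinnedThumbprint = "0000000000000000000000000000000000000000";

    public static LdapConnection Connect(string host, string userDn, string password)
    {
        var connection = new LdapConnection(new LdapDirectoryIdentifier(host, 636));
        connection.SessionOptions.ProtocolVersion = 3;

        // Server authentication: validate chain and name, never just "return true".
        connection.SessionOptions.VerifyServerCertificate =
            new VerifyServerCertificateCallback((con, cert) => VerifyServer(cert, host));

        // Client side: we authenticate with a password, so offer no client
        // certificate. Returning null stops the runtime from picking a stray
        // self-signed certificate out of the local store (Greg's answer).
        connection.SessionOptions.QueryClientCertificate =
            new QueryClientCertificateCallback((con, trustedCAs) => null);

        connection.SessionOptions.SecureSocketLayer = true;

        // Simple bind sends the password in clear inside the TLS channel; that is
        // acceptable only because the server has been authenticated above.
        connection.AuthType = AuthType.Basic;
        connection.Credential = new NetworkCredential(userDn, password);
        connection.Bind();
        return connection;
    }

    // True only if the certificate chains to a trusted root AND either matches
    // the pinned thumbprint or names the host we dialled.
    public static bool VerifyServer(X509Certificate certificate, string expectedHost)
    {
        var cert = new X509Certificate2(certificate);

        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
            if (!chain.Build(cert))
            {
                foreach (var status in chain.ChainStatus)
                    Console.Error.WriteLine("LDAPS chain error: " + status.StatusInformation);
                return false;
            }
        }

        bool pinMatches = string.Equals(cert.Thumbprint, PinnedThumbprint,
                                        StringComparison.OrdinalIgnoreCase);

        // GetNameInfo returns the first SAN dNSName, falling back to the subject CN.
        string certHost = cert.GetNameInfo(X509NameType.DnsName, false);
        bool hostMatches = string.Equals(certHost, expectedHost,
                                         StringComparison.OrdinalIgnoreCase);

        return pinMatches || hostMatches;
    }
}

// Usage (placeholders): the connection is IDisposable, so scope it.
// using (var conn = LdapsClient.Connect("ldaps.example.com",
//                                       "CN=user,CN=Users,DC=example,DC=com",
//                                       password))
// {
//     // send ModifyRequest / SearchRequest here
// }
```

X509Chain.Build uses the machine's certificate store, so the web server must trust the CA that issued the domain controller's certificate (with an internal AD CA this is the enterprise root). When that chain cannot be built, the fix is to install the root, not to return true; if the callback logs a chain error that you did not expect after deployment, treat it as a possible interception rather than a nuisance.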