9

I've not done any LDAP-based authentication before, and I've also not worked with any LDAP server before. So I need a free online LDAP server to play with, and I've found this: https://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/

However, my code is not working (or the info there has become invalid, I'm not sure); the result of authentication is always false. Here is my code:

using System.DirectoryServices.AccountManagement;

var path = "ldap.forumsys.com:389/dc=example,dc=com";
using (var pc = new PrincipalContext(ContextType.Domain, null, path))
{
  //this always returns false
  var ok = pc.ValidateCredentials("read-only-admin", "password");
}

Could you make it work on your side? Or at least please assert that the info there is invalid, in that case if possible please give me some other info (from other free LDAP servers for testing).

Hopeless
  • If anyone wants a test LDAP server try https://hub.docker.com/r/upekshejay/simple-ldap-test-server. It's a dockerized LDAP server based on ldapjs and supports both LDAP/LDAPS out of the box... – MarterJay Jun 30 '20 at 04:23
  • Which one worked? @Hopeless – Rohit Kumar Oct 29 '22 at 16:23

3 Answers

1

I don't think the server is Active Directory. You can refer to this question for how to connect to an LDAP server in C#.

Second Edit: Checked with MS people. They also suggest LdapConnection.

https://github.com/dotnet/corefx/issues/31809

Edit:

I can use DirectoryEntry to bind to the server. I am not sure why PrincipalContext does not work, but you can try this way.

Here is a sample code for validating user and password. Tested on .Net Core 2.1, with System.DirectoryServices package 4.5.0.

using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;

namespace LDAPTest
{
    class Program
    {
        static void Main(string[] args)
        {
            string ldapServer = "LDAP://ldap.forumsys.com:389/dc=example,dc=com";
            string userName = "cn=read-only-admin,dc=example,dc=com";
            string password = "password";

            // Bind to server with admin. Real life should use a service user.
            var directoryEntry = new DirectoryEntry(ldapServer, userName, password, AuthenticationTypes.ServerBind);
            try
            {
                // Reading NativeObject forces the bind; a rejected bind throws a COM exception
                // (DirectoryServicesCOMException derives from COMException).
                object obj = directoryEntry.NativeObject;
                Console.WriteLine("Bind with admin succeeded!");
            }
            catch (COMException ex)
            {
                Console.WriteLine("Bind with admin failed: " + ex.Message);
                Environment.Exit(1);
            }

            // Search for the user first, so an unknown user is reported before any bind attempt.
            DirectorySearcher searcher = new DirectorySearcher(directoryEntry);
            searcher.Filter = "(uid=riemann)";
            searcher.PropertiesToLoad.Add("*");
            SearchResult rc = searcher.FindOne();
            if (rc == null)
            {
                Console.WriteLine("User not found!");
                Environment.Exit(1);
            }

            // Now bind as the user with the supplied password to validate it.
            DirectoryEntry validator = new DirectoryEntry(ldapServer, "uid=riemann,dc=example,dc=com", password, AuthenticationTypes.ServerBind);
            try
            {
                object userObj = validator.NativeObject;
                Console.WriteLine("Bind with user succeeded!");
            }
            catch (COMException ex)
            {
                Console.WriteLine("Cannot bind to user: " + ex.Message);
            }
        }
    }
}

Reference: https://www.c-sharpcorner.com/forums/ldap-authentication2

CSakura
  • I think Active Directory is just an implementation supporting LDAP; the online demo server may not be AD, but that's not required at all. At least the page from the link in my question shows that it supports LDAP for testing connections. The most common use case when working with LDAP is authentication, and here I just need that simple thing done; everything seems to look right, no exception, but the server seems not to work with the publicly shared credentials. – Hopeless Aug 14 '18 at 06:34
  • @Hopeless is correct. The issue here is that the LDAP server is invalid. – James Aug 14 '18 at 23:49
  • @James No, the LDAP server is working. I just tried with Apache Directory Studio and successfully connected to the server. – CSakura Aug 15 '18 at 17:02
  • Well when I tested on the 7th it was not working. Regardless, LDAP is a component to Active Directory. – James Aug 15 '18 at 22:17
  • Yes @James. A wild guess is that PrincipalContext has some special processes for Active Directory. I tried to use it to create a binding but I always run into a null reference. – CSakura Aug 16 '18 at 18:32
  • @CSakura after trying out a lot of different ways this piece of code works and I still don't know why and how?! One question though: if I'm connecting to an AD, would the domain name work instead of the server? – Rida Iftikhar Jul 18 '20 at 17:12

1

I figured it out too, and having no LDAP knowledge I've come up with this.

The problem in your solution may be, first, that you are using "ldap://" instead of "LDAP://", since it was something I ran into when coding this. But I use the System.DirectoryServices library.

I tested against this magnificent free-to-test LDAP server:

using System.DirectoryServices;

var username = "riemann"; // one of the test users listed for this server
var path = "LDAP://ldap.forumsys.com:389/dc=example,dc=com";
var user = $@"uid={username},dc=example,dc=com";
var pass = "password";

// AuthenticationTypes.None performs a simple bind with the user's DN and password.
var directoryEntry = new DirectoryEntry(path, user, pass, AuthenticationTypes.None);

// The bind happens on first use; FindOne() throws if the credentials are rejected.
var searcher = new DirectorySearcher(directoryEntry);
searcher.PropertiesToLoad.Add("*");
var searchResult = searcher.FindOne();

I don't understand exactly what all of these lines do, however, and looking for a solution I found some recommendations.

On the path, the "LDAP://" string should be in uppercase.

In the user, sometimes you need to use "cn=username-admin" for validating admins; be sure to also set the authentication type to ServerBind.

Ricker Silva
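Both answers above interpolate the username straight into a DN string and treat any successful bind as proof of identity. The example below is added here and is not code from any answer on this page: it uses the LdapConnection class from System.DirectoryServices.Protocols (the one the first answer says Microsoft suggests) to resolve the DN through an escaped search filter, reject empty passwords, and only then bind as the user. The server, base DN and read-only-admin service account are the ones named in this thread; the LdapAuth class and its method names are my own.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;

static class LdapAuth
{
    // Server and service account as named on this page; the class itself is an added example.
    const string Host = "ldap.forumsys.com";
    const string BaseDn = "dc=example,dc=com";
    const string ServiceDn = "cn=read-only-admin,dc=example,dc=com";
    const string ServicePassword = "password";
    // Escape a value per RFC 4515 before placing it in a search filter,
    // so input such as "*)(uid=*" cannot change the filter's meaning. Backslash goes first.
    public static string EscapeFilterValue(string value) =>
        value.Replace("\\", @"\5c").Replace("*", @"\2a").Replace("(", @"\28")
             .Replace(")", @"\29").Replace("\0", @"\00");

    // True only when the server accepts a simple bind as the user's own DN.
    public static bool Authenticate(string username, string password)
    {
        // An empty password turns a simple bind into an unauthenticated bind (RFC 4513),
        // which many servers accept; it must never count as a successful login.
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password)) return false;
        using (var conn = new LdapConnection(new LdapDirectoryIdentifier(Host, 389)))
        {
            conn.AuthType = AuthType.Basic;          // simple bind
            conn.SessionOptions.ProtocolVersion = 3; // the v2 default is rejected by OpenLDAP servers
            try
            {
                // Step 1: bind as the service account and resolve uid -> DN by search,
                // instead of interpolating the username straight into a DN string.
                conn.Bind(new NetworkCredential(ServiceDn, ServicePassword));
                var req = new SearchRequest(BaseDn, "(uid=" + EscapeFilterValue(username) + ")",
                                            SearchScope.Subtree, "1.1");
                var res = (SearchResponse)conn.SendRequest(req);
                if (res.Entries.Count != 1) return false; // unknown or ambiguous user
                // Step 2: rebind as that DN with the supplied password.
                conn.Bind(new NetworkCredential(res.Entries[0].DistinguishedName, password));
                return true;
            }
            catch (DirectoryException)
            {
                return false; // bind or search rejected; invalid credentials is result code 49
            }
        }
    }

    static void Main() => Console.WriteLine(Authenticate("riemann", "password"));
}
```
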
0

It seems as if read-only-admin is not a valid user. Try replacing:

var ok = pc.ValidateCredentials("read-only-admin", "password");

with

var ok = pc.ValidateCredentials("tesla", "password");

If that does not work, the other issue would be on the LDAP server's side.

A good option regardless is to set up an Amazon Web Services EC2 server (it is free) and load Windows Server onto it. This gives you your own server and you learn how to set up an LDAP server (which is pretty easy).

James
  • I've already tried using `tesla` user as you suggested but still it's the same. There are more users shared in that page. – Hopeless Aug 14 '18 at 06:30