codyskidmore Absent Member.

Connect to eDir with app credentials. Then authenticate user

I need to connect to eDirectory using .NET/C#. Then authenticate users from within the context of the app credential's permissions. I tried Novell.Directory.Ldap.


using (var cn = new LdapConnection())
{
    cn.Connect(server, int.Parse(port));
    cn.Bind(appUserDn, appPassword); // throws exception if invalid credentials..

    // Verify user credentials next??

    // cn.ValidateUser(userDn, userPassword); // This is what I want to do as an example..

    // This does not validate the user. It only validates the password, so no locked account check.. etc.
    var passwordAttr = new LdapAttribute("userPassword", userPassword);
    var isValid = cn.Compare(userDn, passwordAttr);
}

Examples I found require passing the individual's credentials to cn.Bind() instead, but as I stated, I must use the app credentials binding instead. Does anyone know what I am doing wrong?
8 Replies
Knowledge Partner

Re: Connect to eDir with app credentials. Then authenticate user

First, why would you want to use one set of credentials to prove another
set of credentials? There are reasons, but I'm curious what yours are;
it is much more common and usually better to just bind as the user itself,
as it lets you take advantage of a bind as expected (such as intruder
detection), and does not require any special setup of your "proxy" user
with rights to compare another user's password.

The way you can do this with LDAP is to do an LDAP "compare" operation
with the userPassword attribute; basically you specify the DN of the
target user, the attribute 'userPassword' and the value of whatever
password value, and LDAP will return TRUE or FALSE indicating success or
failure. This is not a bind, though, and behaves differently on the backend.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
codyskidmore Absent Member.

Re: Connect to eDir with app credentials. Then authenticate

My customer requires we use application credentials for connecting to eDirectory. Rights on the application account are restricted (just a guess, but probably restricted to read-only access to a specific OU???).

As far as I know there is no way to open a connection under app credentials and then validate user credentials but the customer insists this IS the way eDirectory works.

If you look closely at the example I provided, you can see I actually do use Compare(). However this only verifies the user's password. It does not check to see if the account is locked or if there are other problems.
Knowledge Partner

Re: Connect to eDir with app credentials. Then authenticate user

eDirectory definitely CAN work this way, but again it is not the norm, and
it means you almost certainly need additional rights for your proxy user
over the users whose passwords will be compared.

Using ldapcompare from the command line (part of the OpenLDAP package by
default I believe) showed this worked on my system:


LDAPTLS_REQCERT=allow ldapcompare -H ldaps://mybox.goes.here:636 \
  -D cn=admin,dc=sa,dc=system -w 'adminpassword' \
  cn=test00,dc=user,o=novell,dc=org 'userPassword:userPwdValueHere'


See if you can get the command above, with corrected users and passwords,
working for you. If that works, then you're back to fixing the code you
are being asked to create which will basically do the same thing.

--
Good luck.
codyskidmore Absent Member.

Re: Connect to eDir with app credentials. Then authenticate

That script compares a user's password but does not validate other concerns such as a locked account.

In any case, our client got it wrong. The correct way to validate credentials is to bind the connection using an individual's credentials.
Knowledge Partner

Re: Connect to eDir with app credentials. Then authenticate user

We agree on that for sure. Hopefully they can implement that way and
everything will be fine going forward.

--
Good luck.
Micro Focus Contributor

Re: Connect to eDir with app credentials. Then authenticate user

On 03.05.17 20:24, codyskidmore wrote:
>
> That script compares a user's password but does not validate other
> concerns such as a locked account.
>
> In any case, our client got it wrong. The correct way to validate
> credentials is to bind the connection using an individual's credentials.


You would have to read the attributes from the user object (not the
password), and then manually compare them... There is nothing in the
LDAP library to do this for you.

You cannot read the userPassword; as you already do, you can compare it.
You can get the Universal Password by using NMAS methods (I don't know
how to do this with C#, but I can provide an example in Java).



Casper

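The two approaches discussed in this thread side by side, as an added example that is not code from the original post or from the Novell.Directory.Ldap project: the first method binds as the user, which is what the replies recommend, and the second reproduces the questioner's proxy pattern (bind as the application account, Compare() the password) and then does what Casper describes, reading the login-restriction attributes from the user object and evaluating them in code. The method names Connect/Bind/Compare/Read and LdapEntry.GetAttributeSet() are assumed from the .NET Standard port of Novell.Directory.Ldap; the attribute names loginDisabled, lockedByIntruder, loginExpirationTime and passwordExpirationTime are eDirectory's LDAP schema names, and the policy logic around them, the result-code constant 49 and the EdirAuth/ProxyResult types are this example's own.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using Novell.Directory.Ldap;

// Added example, not code from the thread. Assumes the Novell.Directory.Ldap
// (.NET Standard port) API names Connect/Bind/Compare/Read and
// LdapEntry.GetAttributeSet(); the attribute names are eDirectory's LDAP schema
// names for its login restrictions, the policy logic below is this example's own.
public static class EdirAuth
{
    // Recommended path: bind as the user. eDirectory enforces its own login
    // policy (intruder lockout, loginDisabled, expiry) inside the bind, so a
    // successful bind means "this account may log in right now".
    public static bool AuthenticateByBind(string host, int port, string userDn, string password)
    {
        // An empty password turns a simple bind into an anonymous bind, which
        // "succeeds" without proving anything; reject it before contacting the server.
        if (string.IsNullOrEmpty(password)) return false;
        using (var cn = new LdapConnection())
        {
            try
            {
                cn.Connect(host, port);
                cn.Bind(userDn, password);
                return true;
            }
            catch (LdapException ex) when (ex.ResultCode == 49) // 49 = LDAP invalidCredentials
            {
                return false; // wrong password, or account locked/disabled/expired
            }
        }
    }

    public sealed class ProxyResult
    {
        public bool PasswordMatches;
        public List<string> Blockers = new List<string>();
        public bool Allowed => PasswordMatches && Blockers.Count == 0;
    }

    // Proxy pattern from the question: bind as the application account, then
    // Compare() the user's password and read the login-restriction attributes
    // yourself. Compare() does not trigger intruder detection and does not
    // consult lock status, so the checks below re-implement part of eDirectory's
    // policy and can drift from it. The proxy account needs compare rights on
    // userPassword and read rights on the attributes listed in RestrictionAttrs.
    public static ProxyResult AuthenticateViaProxy(string host, int port,
        string appDn, string appPassword, string userDn, string userPassword)
    {
        var result = new ProxyResult();
        if (string.IsNullOrEmpty(userPassword)) return result; // never compare an empty value
        using (var cn = new LdapConnection())
        {
            cn.Connect(host, port);
            cn.Bind(appDn, appPassword); // throws LdapException if the app credentials are wrong

            result.PasswordMatches = cn.Compare(userDn, new LdapAttribute("userPassword", userPassword));

            var entry = cn.Read(userDn, RestrictionAttrs);
            var attrs = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
            foreach (LdapAttribute a in entry.GetAttributeSet())
                attrs[a.Name] = a.StringValue;
            result.Blockers.AddRange(EvaluateRestrictions(attrs, DateTime.UtcNow));
        }
        return result;
    }

    static readonly string[] RestrictionAttrs =
        { "loginDisabled", "lockedByIntruder", "loginExpirationTime", "passwordExpirationTime" };

    // Pure policy evaluation over already-read attributes, so it can be unit
    // tested without a directory. A missing attribute means "no restriction".
    public static List<string> EvaluateRestrictions(IDictionary<string, string> attrs, DateTime nowUtc)
    {
        var blockers = new List<string>();
        if (IsTrue(attrs, "loginDisabled")) blockers.Add("account disabled (loginDisabled)");
        if (IsTrue(attrs, "lockedByIntruder")) blockers.Add("locked by intruder detection (lockedByIntruder)");
        if (IsPast(attrs, "loginExpirationTime", nowUtc)) blockers.Add("login expired (loginExpirationTime)");
        // Design choice: treat an expired password as blocking; eDirectory itself
        // may still allow grace logins here, which is one way this code can drift.
        if (IsPast(attrs, "passwordExpirationTime", nowUtc)) blockers.Add("password expired (passwordExpirationTime)");
        return blockers;
    }

    static bool IsTrue(IDictionary<string, string> attrs, string name)
        => attrs.TryGetValue(name, out var v) && v.Equals("TRUE", StringComparison.OrdinalIgnoreCase);

    // eDirectory exposes time attributes as LDAP generalized time, e.g. 20170503182400Z.
    static bool IsPast(IDictionary<string, string> attrs, string name, DateTime nowUtc)
    {
        if (!attrs.TryGetValue(name, out var v)) return false;
        return DateTime.TryParseExact(v, "yyyyMMddHHmmss'Z'", CultureInfo.InvariantCulture,
                   DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal, out var t)
               && t <= nowUtc;
    }
}
```

EvaluateRestrictions is deliberately separated from the directory calls so the lock and expiry rules can be exercised with a hand-built dictionary (for instance `{ ["lockedByIntruder"] = "TRUE" }` should yield one blocker while an empty dictionary yields none). Whichever path is used, the outcome of the bind or the Compare() is the fact worth logging, as a failed bind is what feeds eDirectory's intruder detection and a Compare() is not.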
Micro Focus Expert

Re: Connect to eDir with app credentials. Then authenticate user

On 05.07.2017 15:22, Casper Pedersen wrote:
> On 03.05.17 20:24, codyskidmore wrote:
>>
>> That script compares a user's password but does not validate other
>> concerns such as a locked account.
>>
>> In any case, our client got it wrong. The correct way to validate
>> credentials is to bind the connection using an individual's credentials.

>
> You would have to read the attributes from the userObject (not
> password), and then manually compare them... There is nothing in the
> LDAP library to do this for you.
>
> You cannot read the userPassword, as you already do, you can compare it
> You can get the Universal userPassword by using nmas methods (don't know
> how to do this with C# - but can provide an example in Java).


For NMAS LDAP C Password Management Functions see
https://www.novell.com/documentation/developer/nmas/nmas_enu/data/nmas_enu.html#bsejr9p

--
Norbert
Micro Focus Contributor

Re: Connect to eDir with app credentials. Then authenticate user

On 05.07.17 16:26, Norbert Klasen wrote:
> On 05.07.2017 15:22, Casper Pedersen wrote:
>> On 03.05.17 20:24, codyskidmore wrote:
>>>
>>> That script compares a user's password but does not validate other
>>> concerns such as a locked account.
>>>
>>> In any case, our client got it wrong. The correct way to validate
>>> credentials is to bind the connection using an individual's credentials.

>>
>> You would have to read the attributes from the userObject (not
>> password), and then manually compare them... There is nothing in the
>> LDAP library to do this for you.
>>
>> You cannot read the userPassword, as you already do, you can compare it
>> You can get the Universal userPassword by using nmas methods (don't know
>> how to do this with C# - but can provide an example in Java).

>
> For NMAS LDAP C Password Management Functions see
> https://www.novell.com/documentation/developer/nmas/nmas_enu/data/nmas_enu.html#bsejr9p
>


True Norbert, using NMAS is an option.