Re: Can LDAP API be used either from VB or VBScript ?

From: Paul Bobrowski (pbobrowski-nospam_at_basictechnologies.com)
Date: 08/09/04


Date: Mon, 9 Aug 2004 12:15:11 -0400

Hit reply instead of reply group, here's what I wrote.

I don't believe your ASP example will work. Since this appears to be a
webapp, you'll probably have to use cookies.

I have not had experience with IBM Portal but if it's like other intranet
portal solutions that I've seen, the users will open a web browser and login
to the intranet site. At this point you'll need to save a cookie that is
readable across the whole domain, that way the different servers and webapps
can all access it.

You'll have the user's id in the temporary cookie on the user's machine; if
the id doesn't exist, the user hasn't logged in, so you'll need to prompt
them to and set the cookie from your app. Otherwise just use the id as the
user has already been authenticated.

I can't really help with the IBM Portal integration because I've never used
it before; you might want to see if you can get its documentation, or
integrators' examples/help from IBM.

"Fie Fie Niles" <fniles@wincitesystems.com> wrote in message
news:OSiqIbifEHA.1972@TK2MSFTNGP09.phx.gbl...
> Thank you, Paul.
> Last time you asked the following question:
>
> The user is logging into a Windows box whose domain is set up to do LDAP
> authentication. If this is the case there should be a link between the NT
> Account UserId and the LDAP UserId, which in pretty much all normal cases
> that I've seen have a direct relationship where NT UserId=LDAP UserId.
>
>
>
> I just received the following answer from my client:
>
> They first authenticate against a Windows 2000 Domain, then to gain access
> to applications in IBM Portal, they must use another user to log into the
> system.
> There is no link between both authentication systems. The first one is from
> Microsoft, and the second is based on an IBM Domino Server 6.5 which is
> compatible with protocol LDAP V3.
>
> Their application is running on Websphere and Java (J2EE), and our
> application is on IIS and ASP.
>
>
>
> So, first of all, our ASP application needs to find out if the user has
> already logged in to LDAP or not (when they were in Websphere and Java). I
> might not know the user name or id here since when the user logged in to
> LDAP, it was on Websphere and Java.
> If the user has already logged in to LDAP, then our ASP application should
> not prompt the user to login anymore. If the user has not logged in to LDAP,
> our ASP application needs to make the user login to LDAP.
>
> I was thinking to use something like the following ASP code to see if the
> user has logged in to LDAP prior to this (when they were in Websphere and
> Java). Please let me know what you think. Thank you so much.
>
>
>
> <%
> On Error Resume Next
> ' Bind to the Domino LDAP container from the web server. This bind runs
> ' under the web server's own security context, not the browsing user's
> ' portal login, so Err.Number only reports whether IIS could reach the OU.
> Set openDS = GetObject("LDAP://myserver:389/OU=MEDELLIN,O=UNIBAN")
> If Err.Number = 0 Then
>     Response.Write "has logged in to LDAP prior to this."
>     Response.Write "LDAP Object Name: " & openDS.Name
>     Response.Write "Object Parent: " & openDS.Parent
>     Response.Write "Object Path: " & openDS.ADsPath
> Else
>     Response.Write "has not logged in to LDAP yet. Let's go to login"
> End If
> Set openDS = Nothing
> %>
>
>
>
> "Paul Bobrowski" <pbobrowski-nospam@basictechnologies.com> wrote in
> message news:eLG5BX9eEHA.3944@tk2msftngp13.phx.gbl...
> > The first won't work: you're not specifying a server to connect to, nor
> > are you giving it a password to attempt a login.
> >
> > CN is common name so the person you're trying to connect as. You'll
> > probably want something like
> >
> > LDAP://<myserver>:<port usually 389>/CN=jeffsmith,OU=MEDELLIN,O=UNIBAN,
> > Password, Connection mode
> >
> >
> > "Fie Fie Niles" <fniles@wincitesystems.com> wrote in message
> > news:%23vVoOw8eEHA.3200@TK2MSFTNGP09.phx.gbl...
> > > Hi Paul,
> > > would you kindly tell me if the following code is correct to login to
> > > LDAP?
> > >
> > > ' ADSI constants are not predefined in VBScript, so declare them.
> > > Const ADS_SECURE_AUTHENTICATION = 1
> > > Const ADS_USE_SSL = 2
> > > Const ADS_SERVER_BIND = 512
> > > On Error Resume Next
> > > Set openDS = GetObject("LDAP:")
> > > ' OpenDSObject returns the bound object, so it must be assigned with Set.
> > > Set obj = openDS.OpenDSObject("LDAP://CN=jeffsmith,DC=fabrikam,DC=com", _
> > >     Null, Null, ADS_SECURE_AUTHENTICATION + ADS_SERVER_BIND)
> > > 'or this code: Set obj = openDS.OpenDSObject( _
> > > '    "LDAP://Server:389/ou=Members,o=Microsoft", _
> > > '    "cn=Administrator,ou=Members,o=Microsoft", "password", 0)
> > > 'or this code: Set obj = openDS.OpenDSObject( _
> > > '    "LDAP://Server:389/ou=Members,o=Microsoft", _
> > > '    "cn=Administrator,ou=Members,o=Microsoft", "password", ADS_USE_SSL)
> > > 'or this code: Set obj = openDS.OpenDSObject( _
> > > '    "LDAP://TargetLDAPMachine:389/o=microsoft/ou=members", _
> > > '    "cn=Administrator,ou=Members,o=Microsoft", "password", 0)
> > > If Err.Number = 0 Then
> > >     MsgBox "authentication success"
> > > Else
> > >     MsgBox Err.Number & ":" & Err.Description
> > > End If
> > > Set obj = Nothing
> > > Set openDS = Nothing
> > >
> > > Thank you.
> > >
> > >
> > > "Paul Bobrowski" <pbobrowski-nospam@basictechnologies.com> wrote in
> > > message news:OPCU40veEHA.3412@TK2MSFTNGP11.phx.gbl...
> > > > The O (Organization) and OU (Organizational Unit) describe how the
> > > > records are organized; however, you haven't posted information about
> > > > what properties each user may have. LDAP allows you to store whatever
> > > > information you want which makes it very useful; however, it's
> > > > difficult to program for without a schema listing, and pretty much
> > > > impossible without access to the servers to look at the layout and
> > > > derive the schema yourself (and no I don't want access to them).
> > > >
> > > > After your last message it became apparent that I'm unclear on how the
> > > > users are being authenticated. I was going off the thought that they
> > > > logged into Windows whose authentication was tied to an LDAP server.
> > > > You're now mentioning a portal that says someone was logged in, and
> > > > say they can run your application without visiting the portal. Is
> > > > this a webapp? Your initial message talking about using LDAP with VB
> > > > made me think it's a normal VB application.
> > > >
> > > > The best way to work around this is to describe how users access your
> > > > application, and how they are authenticating against LDAP.
> > > >
> > > > Also, I'd prefer keeping the discussion on the newsgroup, it allows
> > > > the thread to be backed up by Google Groups and it may help someone in
> > > > the future looking for information.
> > > >
> > > >
> > > > "Fie Fie Niles" <fniles@wincitesystems.com> wrote in message
> > > > news:u6hDRoveEHA.384@TK2MSFTNGP10.phx.gbl...
> > > > > Thank you, Paul.
> > > > > The following is their configuration:
> > > > > · Windows 2000 Server (SP4).
> > > > >
> > > > > · Lotus Domino v6.5.1 (using the LDAP Service of this product,
> > > > > this is compatible with version 3.0).
> > > > >
> > > > > · Port 389.
> > > > >
> > > > > · Our LDAP manages unique Users and Groups.
> > > > >
> > > > > · At this moment the LDAP is used by three servers of IBM
> > > > > Websphere. Each one has configured one connection to the LDAP
> > > > > through the settings of this product (it is native in the Websphere
> > > > > program).
> > > > >
> > > > > · The Lotus Domino server has two Domino Directory databases, one
> > > > > is the directory of the company and the other is the directory of
> > > > > producers. Each one has a different OU and O.
> > > > >
> > > > > For example:
> > > > > For the company directory the OU and O is: OU=MEDELLIN,O=UNIBAN /
> > > > > OU=URABA,O=UNIBAN / OU=SANTAMARTA,O=UNIBAN
> > > > >
> > > > > For the producers directory, there is no OU. The O is: O=PORTAL
> > > > >
> > > > > The LDAP service only provides authentication; the application must
> > > > > provide different kinds of authorization for each kind of user
> > > > > authenticated by the LDAP.
> > > > > In our application, we can not assume the users have logged in
> > > > > because our application can be used with or without our portal.
> > > > > If users are using the portal our application should not ask for
> > > > > their login; if they are not using our portal our application should
> > > > > ask for their login.
> > > > >
> > > > >
> > > > > How can I find out if the user has logged in to LDAP without knowing
> > > > > the LDAP user id ?
> > > > >
> > > > > Would it be more convenient if I email you ? Please let me know.
> > > > >
> > > > > Thank you.
> > > > >
> > > > > FieFie
> > > > >
> > > > > "Paul Bobrowski" <pbobrowski-nospam@basictechnologies.com> wrote
> > > > > in message news:O7IOlaveEHA.3916@TK2MSFTNGP11.phx.gbl...
> > > > > > If the Ids aren't the same it really depends on the LDAP schema. I
> > > > > > couldn't give you a solution without knowing the layout. The NT
> > > > > > UserId MUST have a relationship to the LDAP UserId for
> > > > > > authentication to work.
> > > > > >
> > > > > > Your best bet would be to talk to the sysadmins and find out how
> > > > > > the authentication is working.
> > > > > >
> > > > > > "Fie Fie Niles" <fniles@wincitesystems.com> wrote in message
> > > > > > news:OHMD6JveEHA.4092@TK2MSFTNGP10.phx.gbl...
> > > > > > > Thank you, Paul.
> > > > > > > I will go to google and check it out.
> > > > > > > In the meantime, you said that "even if the two ids are not the
> > > > > > > same, you should be able to do an LDAP lookup using the NT UserID
> > > > > > > and be able to receive the LDAP UserId.". Do you happen to have
> > > > > > > the code to do this lookup using the NT Userid?
> > > > > > > Thanks.
> > > > > > >
> > > > > > > "Paul Bobrowski" <pbobrowski-nospam@basictechnologies.com> wrote
> > > > > > > in message news:OJgxuomeEHA.3632@TK2MSFTNGP09.phx.gbl...
> > > > > > > > It's been a while since I did LDAP coding but here's what I
> > > > > > > > think is happening.
> > > > > > > >
> > > > > > > > The user is logging into a Windows box whose domain is set up
> > > > > > > > to do LDAP authentication. If this is the case there should be
> > > > > > > > a link between the NT Account UserId and the LDAP UserId, which
> > > > > > > > in pretty much all normal cases that I've seen have a direct
> > > > > > > > relationship where NT UserId=LDAP UserId.
> > > > > > > >
> > > > > > > > Even if the two ids are not the same, you should be able to do
> > > > > > > > an LDAP lookup using the NT UserID and be able to receive the
> > > > > > > > LDAP UserId.
> > > > > > > >
> > > > > > > > There are LDAP newsgroups; however, AFAIK not on the MS news
> > > > > > > > servers since MS pushes their Active Directory instead of LDAP.
> > > > > > > > Just hit http://groups.google.com and do a search for LDAP and
> > > > > > > > I'm sure you'll find the groups. You'll need a news server that
> > > > > > > > will let you post to them though, your ISP may provide one of
> > > > > > > > these already.
> > > > > > > >
> > > > > > > >
> > > > > > > > "Fie Fie Niles" <fniles@wincitesystems.com> wrote in message
> > > > > > > > news:u$GI7LmeEHA.720@TK2MSFTNGP11.phx.gbl...
> > > > > > > > > HI Bob,
> > > > > > > > > Sorry, my posting was unclear.
> > > > > > > > > It is not prior authentication that we need, it is post
> > > > > > > > > authentication.
> > > > > > > > > So, after the user logs in to the intranet using LDAP and is
> > > > > > > > > authenticated, when they go to our application, our
> > > > > > > > > application needs to get the LDAP user id that the user used
> > > > > > > > > earlier to login with.
> > > > > > > > > If a user logs in to an NT server, programmatically I can get
> > > > > > > > > the NT user name by using the following code:
> > > > > > > > > Declare Function WNetGetUser& Lib "Mpr" Alias "WNetGetUserA" _
> > > > > > > > >     (lpName As Any, ByVal lpUserName$, lpnLength&)
> > > > > > > > > Dim sUser As String, lLen As Long, ret As Long
> > > > > > > > > sUser = String$(256, 0)   ' pre-sized buffer the API fills in
> > > > > > > > > lLen = Len(sUser)
> > > > > > > > > ret = WNetGetUser(ByVal 0&, sUser, lLen)
> > > > > > > > > ' On success (ret = 0) the name is NUL-terminated inside sUser.
> > > > > > > > > If ret = 0 And InStr(sUser, Chr$(0)) > 0 Then sUser = Left$(sUser, InStr(sUser, Chr$(0)) - 1)
> > > > > > > > >
> > > > > > > > > How can I programmatically get the user name that the user
> > > > > > > > > uses to login to LDAP ?
> > > > > > > > > Is there a newsgroup dedicated to LDAP ?
> > > > > > > > >
> > > > > > > > > Thanks a lot.
> > > > > > > > >
> > > > > > > > > FieFie
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > "Bob Butler" <tiredofit@nospam.com> wrote in message
> > > > > > > > > news:OMOJjgleEHA.636@TK2MSFTNGP12.phx.gbl...
> > > > > > > > > > "Fie Fie Niles" <fniles@wincitesystems.com> wrote in
> > > > > > > > > > message news:%23bXGqJleEHA.372@TK2MSFTNGP12.phx.gbl
> > > > > > > > > > > Hi Bob,
> > > > > > > > > > > You replied to my posting at the VB newsgroup last time
> > > > > > > > > > > regarding calling LDAP API from VB.
> > > > > > > > > > > I now know what our client wants to do with it.
> > > > > > > > > > > On our system, once a client has logged in to LDAP, they
> > > > > > > > > > > would not want to login anymore to our system. In other
> > > > > > > > > > > words, our system will need to know the LDAP user id that
> > > > > > > > > > > the user uses, and login to our system using that LDAP
> > > > > > > > > > > user id.
> > > > > > > > > > >
> > > > > > > > > > > Can I do this, and how to do it ?
> > > > > > > > > >
> > > > > > > > > > Sorry, I can't answer that. I've used LDAP within
> > > > > > > > > > individual applications but never had to use prior
> > > > > > > > > > authentication.
> > > > > > > > > >
> > > > > > > > > >



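Paul's suggestion at the top of the thread is a domain-wide cookie that carries the user id and is trusted wherever it turns up. A cookie holding only an id can be written by anyone who can set a cookie for that domain (another application on a sibling host, a browser extension, or the user editing it), so the ASP application would be accepting a claim it has no way to check. The following is an added example, not code from this thread, from IBM or from Microsoft, showing the shape of a handoff cookie the portal could issue after its own LDAP login and the ASP application could verify: the claims are bound to an issuer, an audience and an expiry, and the whole value is authenticated with an HMAC under a key that only the two applications hold. It is Python rather than classic ASP because classic ASP has no built-in HMAC and the scheme is the point; the shared key, the issuer and audience names, the 8-hour lifetime and the sample DN are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumptions for this example (none of these come from the thread): a key
# shared out-of-band by the portal and the ASP app, fixed issuer/audience
# names, and an 8-hour lifetime. Rotate the key like any other credential.
SHARED_KEY = b"replace-with-32-random-bytes-from-a-csprng"
ISSUER = "ibm-portal"
AUDIENCE = "asp-app"
TTL_SECONDS = 8 * 3600


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(user_dn: str, now: Optional[int] = None) -> str:
    """Portal side: called only after the user's LDAP bind succeeded.

    Returns the cookie value: base64url(claims) "." base64url(HMAC-SHA256).
    """
    now = int(time.time()) if now is None else now
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": user_dn,
              "iat": now, "exp": now + TTL_SECONDS}
    body = _b64e(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(SHARED_KEY, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + _b64e(tag)


def verify_cookie(cookie: str, now: Optional[int] = None) -> Optional[str]:
    """ASP side: return the authenticated user's DN, or None if the cookie is
    missing, malformed, forged, tampered with, meant for another app, or
    expired. None means: show the login form."""
    now = int(time.time()) if now is None else now
    try:
        body, tag_b64 = cookie.split(".", 1)
        expected = hmac.new(SHARED_KEY, body.encode("ascii"), hashlib.sha256).digest()
        # Check the MAC before parsing anything attacker-controlled, with a
        # constant-time comparison so a forger learns nothing from timing.
        if not hmac.compare_digest(expected, _b64d(tag_b64)):
            return None
        claims = json.loads(_b64d(body))
    except (ValueError, TypeError):
        return None
    if not isinstance(claims, dict):
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None
    sub = claims.get("sub")
    return sub if isinstance(sub, str) and sub else None


def forge_with_reused_tag(cookie: str, new_sub: str) -> str:
    """What an attacker who can write cookies but lacks the key can try:
    keep the genuine MAC and swap the subject. verify_cookie rejects it."""
    body, tag_b64 = cookie.split(".", 1)
    claims = json.loads(_b64d(body))
    claims["sub"] = new_sub
    forged_body = _b64e(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    return forged_body + "." + tag_b64


if __name__ == "__main__":
    t0 = 1_000_000  # fixed clock so the run is reproducible
    good = issue_cookie("CN=jeffsmith,OU=MEDELLIN,O=UNIBAN", now=t0)
    print(verify_cookie(good, now=t0 + 60))           # the DN
    print(verify_cookie("jeffsmith", now=t0))         # None: bare id, no MAC
    print(verify_cookie(forge_with_reused_tag(good, "CN=admin,OU=MEDELLIN,O=UNIBAN"), now=t0))  # None
    print(verify_cookie(good, now=t0 + TTL_SECONDS))  # None: expired
```

The portal sets this as a session cookie with `Secure` and `HttpOnly`, and with `Domain=` scoped no wider than the parent domain the two applications actually share; the fact that it is readable across the whole domain is exactly why the MAC is needed. On the ASP side, `None` is the "not logged in through the portal" case FieFie describes, so the app shows its own login form; a DN means the app can start its own session without prompting. The key must live in server configuration, not in the ASP page source, and a cookie of this kind only proves the portal authenticated the user, so the ASP app still does its own authorization.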
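Paul's bind string (a full DN plus a password) and his suggestion of looking the LDAP user up from the NT user id both build LDAP syntax out of a name the user typed. Two things a practitioner checks before shipping that: the name must be escaped when it goes into a search filter (RFC 4515) or into a DN (RFC 4514), otherwise `jeff*` or `x,OU=...` changes what the query means; and an LDAPv3 server treats a bind with a DN and an empty password as an unauthenticated bind that typically succeeds, so an empty password must be rejected before the server is ever asked. The following is an added example, not code from the thread, from IBM or from Microsoft: it does the escaping, the lookup-then-bind flow and the empty-password check against a small constructed in-memory directory that stands in for the Domino server so it runs offline. The `uid` attribute as the NT-name field, the search base, the sample entries and their passwords are assumptions. The toy directory deliberately honours `*` wildcards the way a real server would, so the run shows an unescaped lookup matching an entry it should not and the escaped one matching nothing.

```python
import hmac
import re
from typing import Callable, Dict, List, Optional

# Assumptions for this example: the company directory base from the thread,
# and that the user's NT login name is stored in the 'uid' attribute.
SEARCH_BASE = "OU=MEDELLIN,O=UNIBAN"
NT_NAME_ATTR = "uid"


def escape_filter_value(value: str) -> str:
    """RFC 4515: inside a search filter, * ( ) \\ and NUL are written as a
    backslash plus two hex digits, so user input cannot add wildcards or
    extra clauses to the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514: an attribute value placed in a DN escapes , + \" \\ < > ;,
    a leading # or space, a trailing space, and NUL, so user input cannot
    append or alter RDNs (e.g. turn one CN into CN=x,OU=other)."""
    out = []
    last = len(value) - 1
    for i, c in enumerate(value):
        if c == "\x00":
            out.append("\\00")
        elif c in ',+"\\<>;' or (i == 0 and c in "# ") or (i == last and c == " "):
            out.append("\\" + c)
        else:
            out.append(c)
    return "".join(out)


def user_filter(nt_user: str) -> str:
    return "(&(objectClass=person)(%s=%s))" % (NT_NAME_ATTR, escape_filter_value(nt_user))


def bind_dn(cn: str) -> str:
    """The DN shape Paul proposed, with the user-supplied CN escaped."""
    return "CN=%s,%s" % (escape_dn_value(cn), SEARCH_BASE)


SearchFn = Callable[[str, str], List[str]]   # (base, filter) -> matching DNs
BindFn = Callable[[str, str], bool]          # (dn, password) -> bind succeeded


def authenticate(nt_user: str, password: str, search: SearchFn, bind: BindFn) -> Optional[str]:
    """Look the user up by NT name, then simple-bind as that DN.
    Returns the DN on success, None on any failure."""
    if not password:
        # RFC 4513 section 5.1.2: a DN with an empty password is an
        # *unauthenticated* bind; servers commonly return success, which
        # would log anyone in as anyone.
        return None
    matches = search(SEARCH_BASE, user_filter(nt_user))
    if len(matches) != 1:          # zero: unknown user; more: ambiguous, refuse
        return None
    return matches[0] if bind(matches[0], password) else None


# ---- constructed in-memory directory standing in for the Domino server ----
FAKE_DIRECTORY: Dict[str, Dict[str, str]] = {
    "CN=jeffsmith,OU=MEDELLIN,O=UNIBAN": {"uid": "jeffsmith", "password": "correct horse"},
    "CN=admin,OU=MEDELLIN,O=UNIBAN": {"uid": "admin", "password": "battery staple"},
}
_FILTER_RE = re.compile(r"^\(&\(objectClass=person\)\(uid=([^()]*)\)\)$")


def _pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    # Like a real server: unescape \XX sequences, treat a bare '*' as a wildcard.
    pieces = []
    for piece in pattern.split("*"):
        literal = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)
        pieces.append(re.escape(literal))
    return re.compile("^" + ".*".join(pieces) + "$")


def fake_search(base: str, ldap_filter: str) -> List[str]:
    m = _FILTER_RE.match(ldap_filter)
    if not m:                      # this toy only understands the one filter shape
        return []
    rx = _pattern_to_regex(m.group(1))
    return [dn for dn, e in FAKE_DIRECTORY.items() if dn.endswith(base) and rx.match(e["uid"])]


def fake_bind(dn: str, password: str) -> bool:
    entry = FAKE_DIRECTORY.get(dn)
    return entry is not None and hmac.compare_digest(entry["password"].encode(), password.encode())


if __name__ == "__main__":
    print(authenticate("jeffsmith", "correct horse", fake_search, fake_bind))  # the DN
    print(authenticate("jeffsmith", "", fake_search, fake_bind))               # None: empty password
    print(fake_search(SEARCH_BASE, "(&(objectClass=person)(uid=jeff*))"))      # unescaped: one hit
    print(authenticate("jeff*", "correct horse", fake_search, fake_bind))       # None: escaped, no hit
    print(bind_dn("x,OU=ADMIN"))                                                # CN=x\,OU=ADMIN,...
```

Against the real server, `search` and `bind` would be the ADSI `OpenDSObject` call with the looked-up DN and the user's password (over SSL, as the `ADS_USE_SSL` variant in the thread does, since a simple bind sends the password in clear otherwise), or any LDAP client library; the escaping and the empty-password refusal stay the same whichever client is used.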