Re: using userPrincipleName for ADAM login



If you specify credentials in a bind, the bind will fail if the credentials
are invalid UNLESS you do an LDAP simple bind and have a blank password.
You are likely doing LDAP simple bind with ADAM. The LDAP spec says that
doing that has to return no error. So, make sure the password isn't null
and you should be fine.

One of the problems with ADSI is that it mixes the metaphor a bit with
binding. An ADSI bind actually does an LDAP bind and then does a base level
search against the object in the path to read its attributes. However, an
actual LDAP bind is just a bind to the connection to the directory and does
not imply access to any specific object. It just changes the persistent
connection to an authenticated state. If you just want to do a bind
operation though, you need to use a lower level API like S.DS.Protocols.

The ActiveDirectoryMembershipProvider in .NET 2.0 actually uses it for doing
LDAP auth, partially for this reason. The other problem with ADSI-based
authentication routines is that it does not scale well due to issues with
how ADSI connection caching works.

Also, using tools like ldp.exe and adfind are a good way of testing things
with direct LDAP instead of using an ADSI wrapper.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
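An added example, not code from this thread: the pure LDAP simple bind against ADAM that Joe describes, done with S.DS.Protocols instead of ADSI, with the empty-password check in front of it. Server, port, the user name and the TLS setting are assumptions for illustration.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;

static class AdamAuthenticator
{
    // Returns true only when ADAM accepted the credentials in a simple bind.
    // server/port/useSsl are assumptions: ADAM instances pick their own ports,
    // and SSL is only available once a certificate is configured on the instance.
    public static bool Authenticate(string server, int port, bool useSsl,
                                    string userPrincipalName, string password)
    {
        // A simple bind with a name and an EMPTY password is an "unauthenticated
        // bind" (RFC 4513) and must succeed as anonymous, so a blank password
        // would look like a valid login. Refuse it before talking to the server.
        if (string.IsNullOrEmpty(userPrincipalName) || string.IsNullOrEmpty(password))
            return false;

        var identifier = new LdapDirectoryIdentifier(server, port);
        using (var conn = new LdapConnection(identifier))
        {
            conn.AuthType = AuthType.Basic;          // LDAP simple bind
            conn.SessionOptions.ProtocolVersion = 3;
            // Simple bind sends the password in clear text; protect the wire.
            conn.SessionOptions.SecureSocketLayer = useSsl;
            try
            {
                // Bind only changes the connection's auth state; unlike an ADSI
                // bind it does not read any object, so no read rights are needed.
                conn.Bind(new NetworkCredential(userPrincipalName, password));
                return true;
            }
            catch (LdapException)
            {
                return false;  // invalid credentials (or server unreachable)
            }
        }
    }
}
```

Call it as `AdamAuthenticator.Authenticate("localhost", 50002, false, "testupn", password)` for a local ADAM test instance; the method never returns true for a blank password even if the bind itself would have "succeeded".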
"Adam" <adamtuliper@xxxxxxxxxxxxx> wrote in message
news:95954B14-C256-45BA-BC09-417BC63EDE8D@xxxxxxxxxxxxxxxx
Thanks for the reply.

If binding to RootDSE allows anonymous, is there any problem of reverting
back to anonymous, for instance like SQL Server attempts to do (specified
user->guest->null), if the current login fails? I.e., will it ever try an
anonymous bind without telling you if the specified credentials fail? Or maybe I
should ask.. in what cases will anonymous be used?


--
Adam Tuliper
http://www.secure-coding.com


"Joe Kaplan (MVP - ADSI)" wrote:

If you just want to authenticate the user with a bind, then using the
RootDSE object is probably the way to go. RootDSE is accessible
anonymously, so there is no implied authorization when ADSI does a search
that might cause an unexpected side effect.

I'd definitely recommend specifying a DN in your path with ADAM, as ADSI
likes to bind to the default naming context when you don't specify one, but
since ADAM doesn't have a default naming context by default (you can set
one, but this has to be done explicitly), you might get unexpected behavior.
I don't think that's what's going on here, but it is still a better coding
practice than using a null DN.

I tried a quick test and wasn't able to repro your error. There may be an
issue with the user you are using not having rights to read the object in
question. ADAM users are not in any groups by default, so they can't see
much by default. I think my ADAM has the authenticated users Windows
built-in SID in the readers role as an FSP, so everyone who authenticates is
automatically a reader.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Adam" <adamtuliper@xxxxxxxxxxxxx> wrote in message
news:B2E6B0AB-05DA-4F81-AE2F-F9FFB670CDBD@xxxxxxxxxxxxxxxx
I should also specify the code, sorry.
I realize also this may fall under adsi.general, but since it was about
connecting to ADAM, I sent it here:

using System;
using System.DirectoryServices;

class Program
{
    static void Main()
    {
        // AuthenticationTypes.None makes ADSI perform an LDAP simple bind.
        using (DirectoryEntry entry = new DirectoryEntry("LDAP://localhost:50002"))
        {
            entry.Username = "testupn";
            entry.Password = "^t3stp@$_s";
            entry.AuthenticationType = AuthenticationTypes.None;
            // Reading NativeObject forces the bind (and ADSI's follow-up read).
            Object obj = entry.NativeObject;
        }
    }
}


--
Adam Tuliper
http://www.secure-coding.com


"Adam" wrote:

I thought so..my initial test failed, but now specifically going against
RootDse works or just the server path itself works. Going to any other path
fails with

The specified directory service attribute or value does not exist.

Whats the reason the RootDse is required here?

--
Adam Tuliper
http://www.secure-coding.com



"Joe Kaplan (MVP - ADSI)" wrote:

You can use the userPrincipalName attribute as a username for binding in
ADAM, as well as the displayName. Try to make sure they are unique. :)

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Adam" <adamtuliper@xxxxxxxxxxxxx> wrote in message
news:50810AC9-0857-45ED-A42A-0D8272593B14@xxxxxxxxxxxxxxxx
Is it possible to use the userPrincipleName to login to ADAM?

--
Adam Tuliper
http://www.secure-coding.com
