I will start by describing how my application works today, without LDAP. I have a WPF application that consumes WCF services (Windows authentication or UserName, depending on the user's choice). These services handle communication with the database.
I display a "Login screen" to the user so that he can enter his "user name" and "password"; the application then connects to the service and calls a function that checks whether the UserName and Password exist in the database. (see image below)
Now I also need to integrate LDAP in order to authenticate user accounts against their existing systems instead of having to create another login account.
I'm a bit ignorant about LDAP and confused about many things. Please excuse any wrong terminology.
I googled, but I still don't have answers to many questions.
1- What is the relation between the users that exist in my database table "User" and the profiles that I should create in LDAP?
2- What check should I do to allow a user coming from LDAP to access my application and use all the functionality of my service?
3- Should I have a service type "LDAP" like the other authentication types I have today in my application ("Windows" and "UserName")?
4- If I want to update my application architecture described in the picture above, where should I add LDAP?
1 Answer
Let me tell you about my experience with LDAP and authenticating users against LDAP or the DB.
I also implemented a service named Auth.svc; this service contains a method named AuthenticateAndAuthorizedUser, and this is transparent for the user, whether he comes from LDAP or anywhere else.
1- In other words, I have a table named Users which holds user info and one more field named ExternalPath (a foreign key); if it is null then the user is in the DB, otherwise it came from the user directory.
2- You have to hold the LDAP address (in my case LDAP addresses are in the ExternalPath table). All LDAP addresses are commonly on port 389.
3- Authenticate the user; if it is not found (with username and password), then verify it over the LDAP address.
4- Let me share my DB schema and Authenticate method. The ExternalPath field specifies whether a user is from LDAP or not.
5- Define the LDAP server and user...
6- While adding a new user you can define LDAP for the user (if you select an LDAP address then you don't need to get a password from the user).
7- The last thing is authenticating the user on LDAP and DB.
The Authenticate method is something like:
```csharp
// Body of the Authenticate method. User, LDAPSpecification, ConnectionString, LogFile,
// InitiateToken and LDAPAuthenticateUser are members of the service itself.

// First try the local Users table with the supplied username and password.
User userLogin = User.Login<User>(username, password, ConnectionString, LogFile);
if (userLogin != null)
    return InitiateToken(userLogin, sourceApp, sourceAddress, userIpAddress);

// Not a DB login: check whether the user is mapped to an LDAP path.
User user = new User(ConnectionString, LogFile).GetUser(username);
if (user != null && user.ExternalPath != null)
{
    LDAPSpecification spec = new LDAPSpecification
    {
        UserName = username,
        Password = password,
        Path = user.ExternalPath.Path,
        Domain = user.ExternalPath.Domain
    };
    bool isAuthenticatedOnLDAP = LDAPAuthenticateUser(spec);
    if (isAuthenticatedOnLDAP)
        return InitiateToken(user, sourceApp, sourceAddress, userIpAddress);
}

return null; // neither the DB nor LDAP accepted the credentials
```
If userLogin does not exist in the DB for the entered UserName and password, then we should authenticate it over the related LDAP address.
First find the user and get its ExternalPath; if it is not null, it means the user is on LDAP.
So the LDAPAuthenticateUser method is:
```csharp
using System;
using System.DirectoryServices;

public bool LDAPAuthenticateUser(LDAPSpecification spec)
{
    string pathDomain = string.Format("LDAP://{0}", spec.Path);
    if (!string.IsNullOrEmpty(spec.Domain))
        pathDomain += string.Format("/{0}", spec.Domain);

    // Bind with the user's own credentials; Secure requests a signed and sealed bind.
    using (DirectoryEntry entry = new DirectoryEntry(pathDomain, spec.UserName, spec.Password, AuthenticationTypes.Secure))
    {
        try
        {
            // Accessing NativeObject forces the bind, so bad credentials throw here.
            object obj = entry.NativeObject;

            using (DirectorySearcher search = new DirectorySearcher(entry))
            {
                // Escape the user-supplied name before placing it in the filter (RFC 4515).
                search.Filter = "(sAMAccountName=" + EscapeFilterValue(spec.UserName) + ")";
                search.PropertiesToLoad.Add("cn");
                SearchResult result = search.FindOne();
                if (result == null)
                    return false;
            }
        }
        catch (Exception ex)
        {
            Logging.Log(LoggingMode.Error, "Error authenticating user on LDAP, PATH:{0}, UserName:{1}, EXP:{2}",
                pathDomain, spec.UserName, ex.ToString());
            return false;
        }
    }
    return true;
}

// Escapes the characters that have special meaning inside an LDAP search filter.
private static string EscapeFilterValue(string value)
{
    return value.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
}
```
If an exception is raised in LDAPAuthenticateUser, it means the user does not exist in the user directory.
Hope this helps.
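The answer's rule, "look the user up in the DB first and let ExternalPath decide which authority checks the password", written out as a self-contained program. This is an added example, not code from the answer or from the asker's project: local accounts are verified against a salted PBKDF2 hash, directory accounts are verified by a simple bind over LDAPS (port 636 rather than cleartext 389) with System.DirectoryServices.Protocols, and the directory sits behind a small interface so the dispatch logic can be run offline against a constructed in-memory user table and a stand-in directory. UserRecord, IDirectoryAuthenticator, LdapsAuthenticator, AuthService, FakeDirectory, the "host:port" format of ExternalPath and the sample users are all assumptions made for the illustration.

```csharp
// Added example (not the answer's code); all type names below are assumptions.
using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Security.Cryptography;

// One row of the Users table: ExternalPath == null means a local (DB) account.
public sealed class UserRecord
{
    public string UserName;
    public byte[] Salt;            // local accounts only
    public byte[] PasswordHash;    // PBKDF2 output, local accounts only
    public string ExternalPath;    // assumed "host:port", e.g. "dc01.corp.example:636"; null for local
    public string Domain;          // e.g. "CORP"; null for local
}

// Abstracted so the decision logic can be exercised without a directory server.
public interface IDirectoryAuthenticator
{
    bool Bind(string host, int port, string domain, string userName, string password);
}

// Real implementation: a simple bind over LDAPS with the user's own credentials.
public sealed class LdapsAuthenticator : IDirectoryAuthenticator
{
    public bool Bind(string host, int port, string domain, string userName, string password)
    {
        var server = new LdapDirectoryIdentifier(host, port, true, false);
        var credential = new NetworkCredential(userName, password, domain);
        using (var connection = new LdapConnection(server, credential, AuthType.Negotiate))
        {
            connection.SessionOptions.ProtocolVersion = 3;
            connection.SessionOptions.SecureSocketLayer = true; // TLS on 636, not cleartext 389
            try { connection.Bind(); return true; }            // the bind itself is the credential check
            catch (LdapException) { return false; }             // bad password, unknown user, or unreachable
        }
    }
}

public sealed class AuthService
{
    private const int Iterations = 100000;
    private readonly IDictionary<string, UserRecord> _users;
    private readonly IDirectoryAuthenticator _directory;

    public AuthService(IDictionary<string, UserRecord> users, IDirectoryAuthenticator directory)
    {
        _users = users;
        _directory = directory;
    }

    public static byte[] Hash(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(32);
    }

    // True when the credentials are valid for the account's own authority (DB or directory).
    public bool Authenticate(string userName, string password)
    {
        UserRecord user;
        if (!_users.TryGetValue(userName, out user))
            return false;                                  // unknown user: same answer as a bad password

        if (user.ExternalPath == null)
            return FixedTimeEquals(Hash(password, user.Salt), user.PasswordHash);

        string[] hostPort = user.ExternalPath.Split(':');
        int port = hostPort.Length > 1 ? int.Parse(hostPort[1]) : 636;
        return _directory.Bind(hostPort[0], port, user.Domain, userName, password);
    }

    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Stand-in directory for running the flow offline: accepts exactly one constructed credential.
public sealed class FakeDirectory : IDirectoryAuthenticator
{
    public bool Bind(string host, int port, string domain, string userName, string password)
    {
        return host == "dc01.corp.example" && port == 636 && domain == "CORP"
            && userName == "bob" && password == "Bob-pass-1";
    }
}

public static class Program
{
    public static void Main()
    {
        byte[] salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);

        var users = new Dictionary<string, UserRecord>   // constructed sample data
        {
            ["alice"] = new UserRecord { UserName = "alice", Salt = salt, PasswordHash = AuthService.Hash("Alice-pass-1", salt) },
            ["bob"]   = new UserRecord { UserName = "bob", ExternalPath = "dc01.corp.example:636", Domain = "CORP" },
        };
        var auth = new AuthService(users, new FakeDirectory());

        foreach (var attempt in new[] { "alice:Alice-pass-1", "alice:wrong", "bob:Bob-pass-1", "bob:wrong", "carol:anything" })
        {
            string[] parts = attempt.Split(':');
            Console.WriteLine("{0} -> {1}", parts[0], auth.Authenticate(parts[0], parts[1]));
        }
    }
}
```

Two design choices differ from the answer's DirectoryEntry version. The directory check is only a bind, because a bind that succeeds already proves the password and a follow-up search by sAMAccountName adds nothing the bind did not establish; dropping the search also removes the user-controlled filter string. And every failure (unknown user, wrong local password, rejected bind, unreachable directory) comes back as the same false to the caller, with the distinction kept in server-side logs rather than in the response, so a login screen cannot be used to enumerate which names exist in the DB or the directory. Swap FakeDirectory for LdapsAuthenticator to run against a real domain controller.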