
Thread information:
Forum: WinDev Forum
Posts in thread: 4
First post: 5 months ago
Last post: 5 months ago
Participating authors: Peter Holemans, Peter Zhou

Microsoft active directory and windev/webdev

Original post by Peter Zhou on 22.05.2017 06:18

hi,

Can I use the LDAPxxx functions in WinDev/WebDev to handle logon via Microsoft Active Directory? Any issues?

Regards,

Peter Zhou

Replies:

Hi Peter,

You can do LDAP/AD lookup using the LDAP functions but you cannot do negotiate/kerberos authentication.
In WebDev, when using IIS you can define AD logon by setting it up at IIS level (site requires Windows authentication in IIS).
This will popup the domain login in the web browser.

In WinDev you can use some API calls to the 'user32' DLL to do authentication (but only for users who are defined on the local machine, I believe) via the local Windows client, but there is no native WL function to do any sort of server-side/network negotiate/Kerberos AD authentication, which you often need if you're building generic server-side components that need to authenticate to get a security context with the correct accesses to network or web resources, for example.

In C#, this would take 1 (!!!) line of code so you could think of creating your own .Net library that you call out of WX or use a .Net call directly out of WX. WX will however not inherit the security context...

Cheers,

Peter Holemans

by Peter Holemans - on 22.05.2017 07:16
Hi Peter,
>You can do LDAP/AD lookup using the LDAP functions

That means I can use the LDAP functions to connect and log on, correct?
I don't need any other functions from LDAP other than to make sure the user logging on is valid in their Microsoft Active Directory.

Regards,

Peter Zhou

by Peter Zhou - on 22.05.2017 08:08
Hi Peter,

No, you can't log on/log off using the LDAP functions. You can only read/write from/to the LDAP database.

Logon/logoff is a much more complex process in which a complete security context for the user within the whole domain network is set up.
For that you need:
- In WB: on the IIS server, set up Windows authentication
- In WD: use API calls to the user32 DLL to do the authentication process, but that will only work for users already defined on the local machine
- In WD: use a .Net call to do the authentication (1 simple function call in .Net), but your WX program will not inherit the security context (giving/blocking access to whatever resource in the network/local machine) like it would with a .Net program.

Cheers,

Peter Holemans


Here is a sample of how to bind your application in .Net to the complete security context (including permissions etc.) of an AD user. You can probably do similar calls out of WX to the .Net assemblies concerned. The LdapConnection class is part of the System.DirectoryServices.Protocols assembly. You can use this piece of code to do some sort of validation, I guess.

using System;
using System.DirectoryServices.Protocols;
using System.Net;

public static bool fnValidateUser()
{
    bool validation;
    try
    {
        // A null server name makes the identifier resolve to a domain controller
        // of the current domain; dispose the connection when done.
        using (LdapConnection lcon = new LdapConnection(
            new LdapDirectoryIdentifier((string)null, false, false)))
        {
            NetworkCredential nc = new NetworkCredential(Environment.UserName,
                "MyPassword", Environment.UserDomainName);
            lcon.Credential = nc;
            lcon.AuthType = AuthType.Negotiate;
            // user has authenticated at this point,
            // as the credentials were used to login to the dc.
            lcon.Bind(nc);
            validation = true;
        }
    }
    catch (LdapException)
    {
        validation = false;
    }
    return validation;
}


And here you can find a similar solution which you should be able to reuse easily in WX by calling the .Net assemblies.

using System.DirectoryServices.Protocols;
using System.Net;

private const int LDAPError_InvalidCredentials = 0x31; // LDAP result code 49 (invalidCredentials)
private const string Domain = "mydomain";

public bool Authenticate(string username, string password)
{
    try
    {
        // Port 636 plus SecureSocketLayer = LDAPS; Negotiate uses Kerberos/NTLM for the bind.
        using (var ldapConnection = new LdapConnection("exampledomain:636"))
        {
            var networkCredential = new NetworkCredential(username, password, Domain);
            ldapConnection.SessionOptions.SecureSocketLayer = true;
            ldapConnection.AuthType = AuthType.Negotiate;
            ldapConnection.Bind(networkCredential);
        }

        // if the bind succeeds, the credentials are OK
        return true;
    }
    catch (LdapException ldapException)
    {
        // Unfortunately, invalid credentials fall into this block with a specific error code;
        // anything else (unreachable DC, TLS failure) is rethrown rather than reported as "invalid"
        if (ldapException.ErrorCode.Equals(LDAPError_InvalidCredentials)) return false;
        throw;
    }
}


by Peter Holemans - on 22.05.2017 09:26
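As an added example (not code from the thread or from PC SOFT), here is the credential check from the two samples above combined with a demonstration of the thread's central point: an LDAPS bind tells you whether the password is right, but the process identity is unchanged afterwards. The domain name, domain controller host and the sample login are placeholders.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Security.Principal;

public static class AdCredentialCheck
{
    // Placeholder values: replace with your own domain and a domain controller.
    private const string Domain = "example.local";
    private const string DomainController = "dc01.example.local:636";
    private const int LdapInvalidCredentials = 0x31; // LDAP result code 49

    // Returns true only when the DC accepts the credentials. A bind proves the
    // password is correct; it does not give this process a Windows token.
    public static bool ValidateCredentials(string username, string password)
    {
        // RFC 4513: a bind with a name and an empty password is an "unauthenticated"
        // bind that many directories accept, so an empty password must never reach
        // the server as if it were a real logon attempt.
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
            return false;

        using (var connection = new LdapConnection(DomainController))
        {
            connection.SessionOptions.SecureSocketLayer = true; // LDAPS on 636
            connection.SessionOptions.ProtocolVersion = 3;
            connection.AuthType = AuthType.Negotiate;           // Kerberos/NTLM, no clear-text password
            try
            {
                connection.Bind(new NetworkCredential(username, password, Domain));
                return true;
            }
            catch (LdapException ex) when (ex.ErrorCode == LdapInvalidCredentials)
            {
                return false; // wrong password, unknown user, locked or disabled account
            }
            // Any other LdapException (DC unreachable, TLS failure) propagates so an
            // outage is never reported as "invalid credentials", nor as success.
        }
    }

    public static void Main()
    {
        string before = WindowsIdentity.GetCurrent().Name;
        bool ok = ValidateCredentials("alice", "placeholder-password");
        string after = WindowsIdentity.GetCurrent().Name;
        // 'before' and 'after' are identical: the user was validated, but the process
        // still runs under its original account, which is what the thread describes.
        Console.WriteLine($"bind ok: {ok}; identity before/after: {before} / {after}");
    }
}
```

Obtaining a real security context (a token the process can impersonate) is a separate Windows logon step that an LDAP bind never performs, which is why the thread points to IIS Windows authentication for WebDev.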