CODEWITHSUNDEEP
c#openldap
mayank.karki
mayank.karki

Reputation: 748

Connect to open LDAP over ssl

I am working on a website which is used to reset password of LDAP users. I am not able to make connection with server over ssl. I tried various code and authentication types.

This is what used on server for connectivity with LDAP on which website is hosted. I also tested it with both ssl ports. 636 and 3269.

0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity?, NEGOTIATE (1158)); v.3

{NtAuthIdentity?: User='_ldapuser'; Pwd='unavailable';; domain = 'SJTPNOC.DOMAIN'}

I am using following code in website

LdapConnection connection = new LdapConnection(new LdapDirectoryIdentifier("SJTP.DOMAIN",636));

connection.SessionOptions.ProtocolVersion = 3;

connection.AuthType = AuthType.Basic;

connection.Credential = new NetworkCredential("CN=user,CN=Users,DC=SJTPNOC,DC=DOMAIN", "password","CN=Users,DC=SJTPNOC,DC=DOMAIN");

connection.SessionOptions.SecureSocketLayer=true;

connection.Bind();

Getting exception "LDAP server is unavailable". I tried that code with 389 port and without ssl and it's working fine.

Please let me know what is wrong.

Upvotes: 4

Views: 15656

Answers (3)

Himalaya Garg
Himalaya Garg

Reputation: 1609

Below code worked for me to connect to AD using LDAPS

ldapConnection = new LdapConnection(new LdapDirectoryIdentifier("your.LDAPSserver.com", 636));

var networkCredential = new NetworkCredential("UsernameWithoutDomain", "yourPassword", "AD.yourDOMAIN.com");
ldapConnection.SessionOptions.SecureSocketLayer = true;
ldapConnection.SessionOptions.ProtocolVersion = 3;
ldapConnection.SessionOptions.VerifyServerCertificate = new VerifyServerCertificateCallback(ServerCallback);
ldapConnection.AuthType = AuthType.Negotiate;
ldapConnection.Bind(networkCredential);
        
SearchRequest Srchrequest = new SearchRequest("CN=Users,DC=AD,DC=YOURCOMPANY,DC=COM", "[email protected]", System.DirectoryServices.Protocols.SearchScope.Subtree);
SearchResponse SrchResponse = (SearchResponse)ldapConnection.SendRequest(Srchrequest);

// ServerCallback

private static bool ServerCallback(LdapConnection connection, X509Certificate certificate)
{
    return true;
}

Surprisingly it is also working when I am not using networkCredential and just using ldapConnection.Bind(); Seems it is using my local credentials as default on my local machine.

Upvotes: 1

Greg
Greg

Reputation: 936

I also had a problem connecting via SSL, but not over plaintext. I did some network sniffing and was able to see that although I set the LdapConnection.AuthType to Basic, my client machine was finding and using client certificates for the SSL handshake. The certificate it found (don't know if I should be mad at VisualStudio or the .NET LdapConnection class) was a cheesy self-signed cert that the LDAP server did not like. It returned a very secure "server unavailable" error; good for it. So there is a client certificate resolver delegate in the SessionOptions I needed to provide with a very simple implementation:

public static X509Certificate ClientCertFinder(LdapConnection connection,
                                                byte[][] trustedCAs)
{
   return null;
}

Then, set the SessionOptions QueryClientCertificateCallback delegate to use the stub like this:

connection.SessionOptions.QueryClientCertificate =
      new QueryClientCertificateCallback(ClientCertFinder);

You could probably even make this a oneliner as in @jbl's answer for the validation callback, but maybe some day I'll want to do client-certificate-authentication, and having that stub serves as a reminder for how to do it.

Upvotes: 4

jbl
jbl

Reputation: 15413

If you only want encryption and do not need strong authentication of the ldap server, maybe you should add :

connection.SessionOptions.VerifyServerCertificate =
                new VerifyServerCertificateCallback((con, cer) => true);

Upvotes: 5

Related Questions