TJ,

Thanks for taking on this project!

I'm all for supporting LDAP authentication, its been on the planned feature list all along and I have no doubt we can implement it without making things difficult for users who are sticking with db authentication.

When you send me your changes I will try to work with you to arrive at something mutually acceptable that meets the above criteria.
I also want to implement authentication against Active Directory and I have a working implementation in one of my projects at work. It still uses Forms authentication but it authenticates against AD and then uses the Forms Auth methods for creating the authentication ticket with encrypted roles retrieved from AD. This works pretty well because you don't have to query AD any more for the rest of the session. I was planning to do something similar for mojoportal but I've been pondering the roles issues and thinking I might maintain roles in the db because they are site related roles. So in other words authenticate against AD or LDAP but authorize from the db. I envisioned if a user authenticated I would check the site users table for a matching user and if not found create one. Then no changes are needed for things like member list, it would still populate from the db. Sounds like you are populating Member list directly from ldap?

The main reason I'm thinking of managing roles in the db is that there are a few roles that mojoportal expects to be there which may not exist in the domain, specifically Admins, Content Administrators, Authenticated Users. I've made it so that there is a separate role display name so if users want to rename the role for localization purposes it changes the display but under the hood it doesn't change so nothing breaks. Even if there happen to be corresponding roles in the domain they may not corelate to who you want to be able to do what in the site.

I'm open to discussion on these things but this has been my thinking on a simple way to implement this. I'm not sure whether its possible to write a single ldap implementation that works both with Novell and AD so we will probably need to use a provider model or some mechanism to be able to easily use either one. It would be nice to support OpenLDAP as well.

Can you run the  Novell code on Windows with the .NET framework or only with mono? If so please give me some info on what I have to do to set that up so I will be able to test your work. I also have a Suse 9.3 machine that I could probably setup a Novell Domain on for testing but any instructions you can provide or point me too will be helpful when you send me the code since I've never worked with that before.

Anyway this will be an important feature to have and we definitly will have it in some form.

I'll look forward to your patch.

Joe

Good deal TJ!

For the first round lets go with the db for populating the member list and profile stuff. We can talk more about if we want to follow up with deeper integration of ldap based user properties. I was hoping that maybe the novell ldap would also work with AD, glad to know it is possible. The implementation I have done before is with the System.Directory and I knew that wouldn't work with Novell or OpenLDAP. This is great news that we can use 1 implementation with all 3.
How much control does Novell.Directory.Ldap expose? Is it actually possible to update user properties from the profile page, password etc using that?

I will be able to test it with Active Directory and if you can give me or point me to a primer on OpenLDAP I will try and get setup to test that too.

I think we can  leave it to the admin discretion whether to delete users from a site if they de-activate or remove them from the LDAP. I've also been thinking about the flow of installation and switch to LDAP. The installation will of course continue to default to db authentication. To convert to ldap, the admin would login and change his username to match his ldap username so that when he changes the site settings his user will still be in admins role. So I need to probably add a username field to the users table separate from the Name field which is the full name. We would have to enforce unique values per site id for this field while it is possible for 2 users to have the same value in the Name field ie John Smith.
I have been thinking that I need this anyway because not everyone wants to use email as the unique login identifier. I'm willing to implement that but don't want to slow your progress so if you add it to your db version I'll do the other 2 layers.

I've added you to a developer role in this site which gives you permission to create and edit pages beneath the Developer Area of this site that is only visible to users in this role and also under the Documentation section if you care to author any instructions for setting up the LDAP stuff at some point, feel free.

Keep in touch as needed while you progress, I'll help in any way I can.

Joe

I'm thinking it would be ok to include the dll in the bin folder. If the user running on mono has a newer version it will be in the GAC and that will be used instead of the one in the bin folder won't it?

Cool,

I'll try to schedule some time on sunday to try and get the ldap working on my Suse 9.3 machine.

Thanks,

Joe

Oops the patch is missing your new files for ldap. You need to right click the new files and choose TortoiseSVN > Add
after that re-create the patch and it should be good. Also can you provide a link to download your Novell.Directory.Ldap.dll I',m sure its going to need that to build.

Thanks!

Hey, you're right, I closed VS and re-opened and now it builds.

I'm set with VS now but it may take me awhile to get the ldap setup for testing.

We do need to try an resolve this strange build thing before we start including the Novell dll in svn or it will cause problems for other developers.

Did you compile the dll on linux? Wonder if we can take a snapshot of the source code and add it as a class library project in our solution and build it on windows.

Hey TJ I finally got setup to work with your code changes today as you may have read in my blog post.

Your code works per your instructions and looks great!

I am thinking of a few changes:

1. I'm not sure we need to store AdminEmail in the mp_Sites table. I think the admin user should change his email to one that is in LDAP using his profile prior to changing the SiteSettings to use LDAP then we would not need this field because the admin user will be able to login. Actually I'm thinking of adding a field to the mp_Users table named LoginName and use this and password to login instead of email and password. This would be more consistent with how users login to other systems with an LDAP backend and also I think I read that an LDAP user can have more than 1 email address. I've been thinking of changing this even for non LDAP authentication. Maybe I will make that a site setting, whether to use email for the login.

2. I'm thinking I can add a check to prevent the admin from getting locked out by changing the site to use LDAP. We can test binding the BindDN and the current logged in user (Admin) before allowing the change. This would prevent the admin from making a typo in the ldap settings and getting himself locked out.

3. I am concerned about storing the BindPwd in the db in clear text. We need to be able to get that value so one way encryption will not suffice. With 2 way encryption we need a good cross platform way to store the key for decryption. I entered LDAP Administrator credentials for this but maybe thats only needed if we are trying to implement LDAP updates. I will experiment with putting ordinary user credentials there instead of admin, if we can do this it alleviates my concern quite a bit and we may not need encryption. The Administrator credentials are the keys to the kingdom. I can envision a company wanting to setup mojoportal as an extranet authenticating against their internal domain so they don't have to create secondary logins for the web site but we have to make sure we are not exposing secrets of the internal network to the outside world. Even internal users with legit access directly to the db should not have easy access to the LDAP Administrator password. If we can get away with authentication without storing Admin credentials in the db then maybe next we can implement some pages for LDAP administration that require the user to enter the correct credentials to make an update and use SSL to protect that.

I'm just getting started with really looking into this and thinking it through. Let me know your thoughts on the above and I'll post more as I progress.

Great Work! Glad to finally be able to work with it.

Joe

Update: 2:06 PM It doesn't seem to work without the Administrator credentials:

[LdapException: Invalid Credentials]
Novell.Directory.Ldap.LdapResponse.chkResultCode() +30
Novell.Directory.Ldap.LdapConnection.chkResultCode(LdapMessageQueue queue, LdapConstraints cons, LdapResponse response) +147
Novell.Directory.Ldap.LdapConnection.Bind(Int32 version, String dn, SByte[] passwd, LdapConstraints cons) +174
Novell.Directory.Ldap.LdapConnection.Bind(Int32 version, String dn, String passwd, LdapConstraints cons) +175
Novell.Directory.Ldap.LdapConnection.Bind(String dn, String passwd) +20
mojoPortal.Business.LdapManagement.GetConnection(LdapDetails ld, Boolean bind) in c:\__projects\contributors\tjfontaine\mojoportal\business\ldapmanagement.cs:16
mojoPortal.Business.LdapManagement.LdapLogin(LdapDetails ld, String email, String password) in c:\__projects\contributors\tjfontaine\mojoportal\business\ldapmanagement.cs:52
mojoPortal.Business.SiteUser.Login(SiteSettings siteSettings, String Email, String Password) in c:\__projects\contributors\tjfontaine\mojoportal\business\siteuser.cs:512
mojoPortal.Web.Login.AuthenticateUser() in c:\__projects\contributors\tjfontaine\mojoportal\web\secure\login.aspx.cs:117
mojoPortal.Web.Login.lnkSignin_Click(Object sender, EventArgs e) in c:\__projects\contributors\tjfontaine\mojoportal\web\secure\login.aspx.cs:107
System.Web.UI.WebControls.LinkButton.OnClick(EventArgs e) +108
System.Web.UI.WebControls.LinkButton.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +57
System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +18
System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +138
System.Web.UI.Page.ProcessRequestMain() +1273

Do you think its possible to get this to work without Administrator credentials or should we be looking for ways to securely store them?