[Work In Progress] LDAP Authentication

This is a forum to suggest new features for mojoPortal. 

This thread is closed to new posts. You must sign in to post in the forums.
10/1/2005 6:37:41 AM
Total Posts 36

Re: [Work In Progress] LDAP Authentication

I got this error when I moved from my old tree into a tree that was just trunk+ldap. I believe what I did to resolve the situation was to remove the reference, delete the dll from the debug directory and re-add the reference. I'll try locally to see what I can do.
10/1/2005 6:56:06 AM
Total Posts 36

Re: [Work In Progress] LDAP Authentication

It's odd, I removed and re-added the dll and still got the error, so I quit vs.net and restarted and it went fine... sorry, it's been causing issues.
10/1/2005 7:09:46 AM
Total Posts 18439

Re: [Work In Progress] LDAP Authentication

Hey, you're right, I closed VS and re-opened and now it builds.

I'm set with VS now but it may take me awhile to get the ldap setup for testing.

We do need to try and resolve this strange build thing before we start including the Novell dll in svn or it will cause problems for other developers.

Did you compile the dll on linux? Wonder if we can take a snapshot of the source code and add it as a class library project in our solution and build it on windows.
10/1/2005 7:32:23 AM
Total Posts 36

Re: [Work In Progress] LDAP Authentication

Yes, I compiled the dll with mono 1.1.8.3 on linux, and sure, it will build on ms.net; there's a build.bat included in the source tree.
10/23/2005 8:45:54 AM
Total Posts 18439

Re: [Work In Progress] LDAP Authentication

Hey TJ, I finally got set up to work with your code changes today, as you may have read in my blog post.

Your code works per your instructions and looks great!

I am thinking of a few changes:

1. I'm not sure we need to store AdminEmail in the mp_Sites table. I think the admin user should change his email to one that is in LDAP using his profile prior to changing the SiteSettings to use LDAP; then we would not need this field because the admin user will be able to login. Actually I'm thinking of adding a field to the mp_Users table named LoginName and use this and password to login instead of email and password. This would be more consistent with how users login to other systems with an LDAP backend, and also I think I read that an LDAP user can have more than 1 email address. I've been thinking of changing this even for non-LDAP authentication. Maybe I will make that a site setting, whether to use email for the login.

2. I'm thinking I can add a check to prevent the admin from getting locked out by changing the site to use LDAP. We can test binding the BindDN and the current logged in user (Admin) before allowing the change. This would prevent the admin from making a typo in the ldap settings and getting himself locked out.

3. I am concerned about storing the BindPwd in the db in clear text. We need to be able to get that value, so one way encryption will not suffice. With 2 way encryption we need a good cross platform way to store the key for decryption. I entered LDAP Administrator credentials for this but maybe that's only needed if we are trying to implement LDAP updates. I will experiment with putting ordinary user credentials there instead of admin; if we can do this it alleviates my concern quite a bit and we may not need encryption. The Administrator credentials are the keys to the kingdom. I can envision a company wanting to set up mojoportal as an extranet authenticating against their internal domain so they don't have to create secondary logins for the web site, but we have to make sure we are not exposing secrets of the internal network to the outside world. Even internal users with legit access directly to the db should not have easy access to the LDAP Administrator password. If we can get away with authentication without storing Admin credentials in the db then maybe next we can implement some pages for LDAP administration that require the user to enter the correct credentials to make an update and use SSL to protect that.

I'm just getting started with really looking into this and thinking it through. Let me know your thoughts on the above and I'll post more as I progress.

Great Work! Glad to finally be able to work with it.

Joe

Update: 2:06 PM It doesn't seem to work without the Administrator credentials:

[LdapException: Invalid Credentials]
Novell.Directory.Ldap.LdapResponse.chkResultCode() +30
Novell.Directory.Ldap.LdapConnection.chkResultCode(LdapMessageQueue queue, LdapConstraints cons, LdapResponse response) +147
Novell.Directory.Ldap.LdapConnection.Bind(Int32 version, String dn, SByte[] passwd, LdapConstraints cons) +174
Novell.Directory.Ldap.LdapConnection.Bind(Int32 version, String dn, String passwd, LdapConstraints cons) +175
Novell.Directory.Ldap.LdapConnection.Bind(String dn, String passwd) +20
mojoPortal.Business.LdapManagement.GetConnection(LdapDetails ld, Boolean bind) in c:\__projects\contributors\tjfontaine\mojoportal\business\ldapmanagement.cs:16
mojoPortal.Business.LdapManagement.LdapLogin(LdapDetails ld, String email, String password) in c:\__projects\contributors\tjfontaine\mojoportal\business\ldapmanagement.cs:52
mojoPortal.Business.SiteUser.Login(SiteSettings siteSettings, String Email, String Password) in c:\__projects\contributors\tjfontaine\mojoportal\business\siteuser.cs:512
mojoPortal.Web.Login.AuthenticateUser() in c:\__projects\contributors\tjfontaine\mojoportal\web\secure\login.aspx.cs:117
mojoPortal.Web.Login.lnkSignin_Click(Object sender, EventArgs e) in c:\__projects\contributors\tjfontaine\mojoportal\web\secure\login.aspx.cs:107
System.Web.UI.WebControls.LinkButton.OnClick(EventArgs e) +108
System.Web.UI.WebControls.LinkButton.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +57
System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +18
System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +138
System.Web.UI.Page.ProcessRequestMain() +1273

Do you think it's possible to get this to work without Administrator credentials or should we be looking for ways to securely store them?
10/23/2005 11:15:34 AM
Total Posts 18439

Re: [Work In Progress] LDAP Authentication

I was able, after some review of the code, to figure out how to make the login work without having the Administrator credentials in the db by changing this line in LdapManagement.LdapLogin
from
LdapConnection conn = GetConnection(ld, true);
to
LdapConnection conn = GetConnection(ld, false);

This is good news, I think. I would like to avoid having to figure out a secure way to store the Administrator credentials if possible, and I think it is possible at this point.
10/25/2005 7:33:22 AM
Total Posts 36

Re: [Work In Progress] LDAP Authentication

woo hoo congrats on beating ldap into submission :-)

1: using an alternative field like LoginName would indeed be a preferred solution, as it would allow ldap sites to authenticate on virtually any attribute of their schema

2: excellent idea, though of course last resort they should be able to know how to handle the db enough to change it on their own :-)

3: as you found out, there is no reason why we can't use a lesser privileged user; it's unfortunate that it didn't work OOTB, which was my initial expectation.

I've been thinking about password manipulation for the users. We'll probably want to use something similar to how pam/passwd handles it, with passing in the old password to bind to ldap and then changing the password. In fact we could use a similar tactic of passing their ldap password for any profile change; that way we only ever use the user stored in the db to bind to the ldap db at logon time.

If there is anything you need/want me to do don't be afraid to delegate it :-)
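The password-change approach TJ describes (bind as the user with the old password, then change the password while still bound as that user, so no stored service account takes part), as an added example in C# against the Novell.Directory.Ldap library used in this thread. This is not the project's code: the class name LdapPasswordChangeExample and the host/port/userDn parameters are constructed for the example, the user's DN is assumed to be known already (for instance resolved at logon time), and it assumes the directory lets a user overwrite its own userPassword attribute. It also refuses an empty old password, because an LDAP bind with an empty password is an anonymous bind and would not prove anything.

```csharp
using System;
using Novell.Directory.Ldap;

// Added example, not mojoPortal code: change a user's LDAP password by
// proving the old one with a bind as that user, then replacing userPassword
// under the user's own credentials (subject to the server's ACLs).
public static class LdapPasswordChangeExample
{
    public static bool ChangePassword(string host, int port, string userDn,
                                      string oldPassword, string newPassword)
    {
        // An empty old password would be an anonymous bind (RFC 4513 5.1.2),
        // which succeeds without proving the caller knows anything.
        if (String.IsNullOrEmpty(userDn) ||
            String.IsNullOrEmpty(oldPassword) || String.IsNullOrEmpty(newPassword))
            return false;

        LdapConnection conn = new LdapConnection();
        try
        {
            conn.Connect(host, port);
            conn.Bind(userDn, oldPassword);   // fails with INVALID_CREDENTIALS if wrong

            // Replace userPassword while bound as the user; the server decides
            // whether self-write on this attribute is permitted.
            LdapModification mod = new LdapModification(
                LdapModification.REPLACE,
                new LdapAttribute("userPassword", newPassword));
            conn.Modify(userDn, mod);
            return true;
        }
        catch (LdapException ex)
        {
            if (ex.ResultCode == LdapException.INVALID_CREDENTIALS ||
                ex.ResultCode == LdapException.INSUFFICIENT_ACCESS_RIGHTS)
                return false;                 // wrong old password or no self-write ACL
            throw;                            // unreachable server etc. is a real error
        }
        finally
        {
            if (conn.Connected) conn.Disconnect();
        }
    }
}
```

Both passwords travel to the directory in this exchange, so the connection needs the SSL/TLS protection Joe mentions above; plain port 389 without TLS exposes the old and the new password to anyone on the path. Servers that expect the Password Modify extended operation (RFC 3062) or a server-specific attribute instead of a plain userPassword replace will reject the Modify, which this code reports as a failed change rather than hiding.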
10/25/2005 3:41:01 PM
Total Posts 18439

Re: [Work In Progress] LDAP Authentication

Hey TJ,

I have been making some changes and hope to have everything committed for all 3 data layers by the end of the weekend.
The main changes so far are that I have reduced to 3 LDAP site settings, Host Name, Port, Root DN, and renamed a couple of items. Not that there was anything wrong with your naming scheme, just making it consistent with other things in the project. Specifically, I changed LdapManager to LdapHelper and LdapDetails to LdapSettings. Hope you don't mind.

I do have an idea for something I think would be really cool, if you would like to work on it. A set of pages for generic Ldap Administration (separate from user profile) that would use the site Ldap settings but require the user to enter their own ldap credentials to view or update objects in the ldap directory. If it could dynamically adapt to or determine the schema and just show what is there and make it possible to edit/add items it would be an awesome tool. All subject to the user's permissions in Ldap, of course. Since it would be new pages you could start (if you want to) without waiting to get my changes back. What do you think? Is it even possible or would you have to know the schema ahead of time?

Joe
10/26/2005 10:40:32 AM
Total Posts 36

Re: [Work In Progress] LDAP Authentication

Hey,

Feel free to change what you want in the code. Also, it dawned on me (from your previous change to the patch) that credentials should be optional, as you can anonymously bind to ldap and then simply try and bind as the new user for login verification; my mistake for not realizing that from the get go.

As far as implementing a generic page without knowing the schema beforehand, it's completely doable. In fact Novell.Directory.Ldap provides a Utilclass namespace that has a SchemaParser object all ready and waiting for use. Unfortunately documentation is sparse, but it appears to be straightforward. I was thinking in tandem with such a module, there would be a module for templates so users could handle new user/entry creation with the defaults/required attributes they want. I'll try and work up some proof of concept code for the first module at the beginning of the week.
10/26/2005 2:44:38 PM
Total Posts 18439

Re: [Work In Progress] LDAP Authentication

Excellent! Keep me posted and let me know if you need anything. I should have the initial code in svn this weekend and we can get back in sync.

I really think you could spin off another project with the ASP.NET LDAP Administrator yet keep it so it's easy to integrate into mojoPortal too. It doesn't really even need to be a module per se, it can be separate pages. I'm thinking we would have a link to it in site settings but hide the link until they check the Use LDAP setting. After they click save the test code will run to validate the ldap settings as bindable using anonymous before letting them make the change. Then show a link or button to the ldap settings pages where they can manage the directory.

Joe
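The login path the thread converged on (no stored administrator credentials: bind anonymously or with a low-privilege account only to find the user's DN, then prove the password by binding as that DN, as in Joe's GetConnection(ld, false) change and TJ's note on anonymous binds), together with the pre-save check Joe proposes so that switching a site to LDAP cannot lock the admin out, as one added example in C# against the Novell.Directory.Ldap API seen in the stack trace above. It is not mojoPortal's code: LdapSettingsExample, LdapLoginExample, the LoginAttribute field and the sample values `uid` and `dc=example,dc=com` are constructed for the example, the three settings mirror the Host Name, Port and Root DN settings Joe describes, and the lowercase hasMore()/next() casing follows the Mono-era port used in this thread (later forks of the library capitalise those names). It also adds two checks the thread does not spell out but any login-by-bind needs: the login name is escaped before it goes into a search filter, and an empty password is refused, because an LDAP bind with an empty password is an anonymous bind that would succeed for any DN.

```csharp
using System;
using System.Text;
using Novell.Directory.Ldap;

// Added example, not mojoPortal code. Settings mirror the three site settings
// named in the thread plus optional low-privilege credentials for the lookup.
public class LdapSettingsExample
{
    public string Host;
    public int Port = 389;
    public string RootDn = "dc=example,dc=com";  // constructed sample search base
    public string LoginAttribute = "uid";        // attribute matched against LoginName
    public string BindDn;                        // empty => anonymous bind for the lookup
    public string BindPassword;                  // never needs to be an administrator
}

public static class LdapLoginExample
{
    // Escape a value for use inside an LDAP search filter (RFC 4515) so a login
    // name such as "*)(uid=*" cannot change what the filter matches.
    public static string EscapeFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder();
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Resolve the DN for a login name, then prove the password by binding as
    // that DN. Returns the user's DN on success, null on bad credentials;
    // server or network failures propagate as LdapException.
    public static string Login(LdapSettingsExample s, string loginName, string password)
    {
        // Empty password == anonymous bind (RFC 4513 5.1.2): refuse it up front.
        if (String.IsNullOrEmpty(loginName) || String.IsNullOrEmpty(password))
            return null;

        LdapConnection conn = new LdapConnection();
        try
        {
            conn.Connect(s.Host, s.Port);

            // Lookup bind: anonymous unless a low-privilege account is configured.
            if (String.IsNullOrEmpty(s.BindDn))
                conn.Bind(null, null);
            else
                conn.Bind(s.BindDn, s.BindPassword);

            string filter = "(" + s.LoginAttribute + "=" + EscapeFilterValue(loginName) + ")";
            // "1.1" asks for no attributes; only the DN is needed.
            LdapSearchResults results = conn.Search(
                s.RootDn, LdapConnection.SCOPE_SUB, filter, new string[] { "1.1" }, false);
            if (!results.hasMore()) return null;        // unknown login name
            string userDn = results.next().DN;
            if (results.hasMore()) return null;         // ambiguous match: refuse, don't guess

            // The actual credential check: only the user's own password binds their DN.
            conn.Bind(userDn, password);
            return userDn;
        }
        catch (LdapException ex)
        {
            if (ex.ResultCode == LdapException.INVALID_CREDENTIALS) return null;
            throw;   // unreachable host, bad root DN, etc. are not "wrong password"
        }
        finally
        {
            if (conn.Connected) conn.Disconnect();
        }
    }

    // Lockout guard: before saving settings that switch the site to LDAP,
    // require that the settings bind and that the admin making the change can
    // log in through them. Any LdapException here means the settings are unusable.
    public static bool SettingsUsableByAdmin(LdapSettingsExample s,
                                             string adminLoginName, string adminPassword)
    {
        try { return Login(s, adminLoginName, adminPassword) != null; }
        catch (LdapException) { return false; }
    }
}
```

SettingsUsableByAdmin is meant to run on the settings-page save, with the password re-entered by the admin rather than read from anywhere, so a typo in host, port or root DN fails the check before the site is switched over. Because the lookup bind holds no administrative rights, the worst case for someone who reads the BindDn/BindPassword out of the database is the ability to search the directory with that account's own permissions, which is the reduced exposure Joe was after.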