Microsoft active directory and windev/webdev
Started by Peter Zhou, 22 May 2017 08:18 - 3 replies
Posted on 22 May 2017 - 08:18
Hi,

Can I use the LDAPxxx functions in WinDev/WebDev to handle logon via Microsoft Active Directory? Any issues?

Regards,

Peter Zhou
Posted on 22 May 2017 - 09:16
Hi Peter,

You can do LDAP/AD lookups using the LDAP functions, but you cannot do Negotiate/Kerberos authentication.
In WebDev, when using IIS, you can define AD logon by setting it up at the IIS level (the site requires Windows authentication in IIS).
This will pop up the domain login in the web browser.

In WinDev you can use some API calls to the 'user32' DLL to do authentication (but only for users who are defined on the local machine, I believe) via the local Windows client. There is, however, no native WL function to do any sort of server-side/network Negotiate/Kerberos AD authentication, which you often need if you're building generic server-side components that have to authenticate to get a security context with the correct access to network or web resources, for example.

In C#, this would take 1 (!!!) line of code, so you could think of creating your own .NET library that you call out of WX, or use a .NET call directly out of WX. WX will however not inherit the security context...

Cheers,

Peter Holemans
Posted on 22 May 2017 - 10:08
Hi Peter,
>You can do LDAP/AD lookup using the LDAP functions

That means I can use the LDAP functions to connect and log on, correct?
I don't need any other LDAP functions; I only need to make sure the user logging on is valid in their Microsoft Active Directory.

Regards,

Peter Zhou
Posted on 22 May 2017 - 11:26
Hi Peter,

No, you can't log on/log off using the LDAP functions. You can only read/write from/to the LDAP database.

Logon/logoff is a much more complex process in which a complete security context for the user within the whole domain network is set up.
For that you need:
- In WB: on the IIS server, set up Windows authentication.
- In WD: use API calls to the user32 DLL to do the authentication process, but that will only work for users already defined on the local machine.
- In WD: use a .NET call to do the authentication (1 simple function call in .NET), but your WX program will not inherit the security context (giving/blocking access to whatever resource in the network/local machine) the way a .NET program would.

Cheers,

Peter Holemans


Here is a sample of how to bind your application in .NET to the complete security context (including permissions etc...) of an AD user. You can probably do similar calls out of WX to the .NET assemblies concerned. The LdapConnection class is part of the System.DirectoryServices.Protocols assembly. You can use this piece of code to do some sort of validation, I guess.

using System;
using System.DirectoryServices.Protocols;
using System.Net;

public static bool fnValidateUser()
{
    bool validation;
    try
    {
        // A null server name lets the LDAP client locate a domain controller of the current domain.
        LdapConnection lcon = new LdapConnection(new LdapDirectoryIdentifier((string)null, false, false));
        NetworkCredential nc = new NetworkCredential(Environment.UserName, "MyPassword", Environment.UserDomainName);
        lcon.Credential = nc;
        lcon.AuthType = AuthType.Negotiate;
        lcon.Bind(nc);
        // The user has authenticated at this point, as the credentials were used to log in to the DC.
        validation = true;
    }
    catch (LdapException)
    {
        validation = false;
    }
    return validation;
}
And here you can find a similar solution which you should be able to reuse easily in WX by calling the .NET assemblies.

using System.DirectoryServices.Protocols;
using System.Net;

private const int LDAPError_InvalidCredentials = 0x31;
private const string Domain = "mydomain";

public bool Authenticate(string username, string password)
{
    try
    {
        // Port 636 is LDAPS; SecureSocketLayer below turns on TLS for the session.
        using (var ldapConnection = new LdapConnection("exampledomain:636"))
        {
            var networkCredential = new NetworkCredential(username, password, Domain);
            ldapConnection.SessionOptions.SecureSocketLayer = true;
            ldapConnection.AuthType = AuthType.Negotiate;
            ldapConnection.Bind(networkCredential);
        }

        // If the bind succeeds, the credentials are OK.
        return true;
    }
    catch (LdapException ldapException)
    {
        // Unfortunately, invalid credentials fall into this block with a specific error code.
        if (ldapException.ErrorCode == LDAPError_InvalidCredentials) return false;
        throw;
    }
}
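The two snippets above both answer the original question (validate a user's AD password by binding) but treat every LdapException except code 0x31 as either "not valid" or an unhandled exception. The following is an added example, not code from the forum thread or from PC SOFT, that combines them into one validator a WX application could call through a .NET assembly: it refuses empty credentials before touching the directory, binds with Negotiate over LDAPS on port 636 with the default server-certificate validation left in place, and reports "wrong password" separately from "directory unreachable" so an outage is never logged as a failed logon attempt. The domain controller host and domain name are parameters; the values in the comments are placeholders, and the helper names (AdAuthResult, AdPasswordValidator) are my own.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;

// Outcome of a credential check. Callers should only grant access on Success and should
// log DirectoryError as an infrastructure problem, not as a bad password.
public enum AdAuthResult { Success, InvalidCredentials, DirectoryError }

public static class AdPasswordValidator
{
    // LDAP result code 49 (0x31) = invalidCredentials (RFC 4511), the same code the
    // forum snippet checks.
    private const int LdapErrorInvalidCredentials = 0x31;

    // domainController: e.g. "dc01.example.local" (placeholder)
    // domain:           e.g. "EXAMPLE"            (placeholder)
    public static AdAuthResult Validate(string domainController, string domain,
                                        string username, string password)
    {
        // A simple bind with an empty password is an unauthenticated (anonymous) bind and
        // succeeds against many directories, so it must never be mistaken for a valid logon.
        // Negotiate does not have that trap, but rejecting empty input up front is cheap and
        // keeps the rule independent of the server's configuration.
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
            return AdAuthResult.InvalidCredentials;

        // Port 636 = LDAPS; fullyQualifiedDnsHostName = true; connectionless (UDP) = false.
        var identifier = new LdapDirectoryIdentifier(domainController, 636, true, false);
        var credential = new NetworkCredential(username, password, domain);

        try
        {
            using (var connection = new LdapConnection(identifier, credential, AuthType.Negotiate))
            {
                connection.SessionOptions.ProtocolVersion = 3;
                connection.SessionOptions.SecureSocketLayer = true;
                // Deliberately no VerifyServerCertificate callback: the default validation
                // rejects untrusted certificates instead of accepting any server.
                connection.Timeout = TimeSpan.FromSeconds(10);

                // Bind() throws LdapException when the DC rejects the credentials or cannot be reached.
                connection.Bind();
            }
            return AdAuthResult.Success;
        }
        catch (LdapException ex) when (ex.ErrorCode == LdapErrorInvalidCredentials)
        {
            // Wrong password, unknown account, locked or disabled account all arrive here;
            // AD puts the detail in ex.ServerErrorMessage ("data 52e", "data 775", ...).
            return AdAuthResult.InvalidCredentials;
        }
        catch (LdapException)
        {
            // DC unreachable, TLS handshake failure, timeout, etc. Log the exception message,
            // never the password, and do not count this against the user's lockout threshold.
            return AdAuthResult.DirectoryError;
        }
    }
}
```

Two caveats a practitioner should keep in mind. First, as the reply above says, a successful bind only proves the password is correct for that account; it does not give the WX process the user's security context, so any authorisation still has to be done by the application itself. Second, Active Directory returns code 49 for several distinct conditions (bad password, disabled account, locked account, password expired) and distinguishes them only in the "data" sub-code of ServerErrorMessage (for example 52e for a wrong password and 775 for a locked-out account); if the application needs to tell the user "account locked" rather than "invalid credentials", parse that sub-code rather than treating every 49 as a typo.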