ADAM is a good store for users in .NET, but some things take a long time to figure out. One of these is password management. This post explains a method for setting a user's password from code, whether you are resetting a forgotten password or changing a known one.

One of the first problems we noticed was that to change a password, you had to have the old one. If you are resetting the password because the user lost it, you're stuck.

Secondly, we wanted to connect to ADAM with a service account defined in ADAM itself, not with an AD or local computer account. Most of the descriptions I've read on the net do not use an ADAM user when connecting.

We tried to use DirectoryEntry and invoke the "SetPassword" method of the underlying ADSI object (IADsUser) through Invoke. This made the aspnet_wp.exe process hang so badly that I couldn't even kill it from Task Manager; I had to restart Windows to get back in.

Using System.DirectoryServices.Protocols
The System.DirectoryServices.Protocols namespace gives you more fine-grained access to LDAP. I found some code on Addison-Wesley that, after some rewriting, allowed me to do what I wanted. Note that you need to add a reference to System.DirectoryServices.Protocols in your project to make the following code work.

The first method we create opens a separate LDAP connection to ADAM. The parameters are the server (hostname:port), the username of the ADAM service account (typically its distinguished name), the password of the ADAM service account, and a bool specifying whether to use SSL or not (this should be true in a production environment).

using System.DirectoryServices.Protocols;
using System.Net;

public static DirectoryConnection GetConnection(string server, string username, string password, bool useSsl)
{
    // server is "hostname:port"; with useSsl the port must be the ADAM SSL port
    LdapConnection connection = new LdapConnection(server);
    if (useSsl)
    {
        connection.SessionOptions.SecureSocketLayer = true;
    }
    else
    {
        // No transport protection at all: the simple bind below then sends the
        // service account's password, and every password you set, in cleartext.
        connection.SessionOptions.Sealing = false;
        connection.SessionOptions.SecureSocketLayer = false;
        connection.SessionOptions.Signing = false;
    }

    // Simple (Basic) bind as the ADAM service account, an ADAM user rather than a Windows account
    connection.AuthType = AuthType.Basic;
    NetworkCredential credential = new NetworkCredential(username, password);
    connection.Bind(credential);
    return connection;
}

As you can see, the security measures are turned off when useSsl is set to false. Because the bind is a simple (Basic) bind, the service account's credentials and every password you set travel in cleartext on such a connection, so in a production environment you should definitely use SSL. Note also that ADAM, in its default configuration, rejects password operations over a connection that is not SSL-protected unless that requirement has been relaxed on the instance. Use a server certificate that the web server actually trusts rather than bypassing certificate validation with a VerifyServerCertificate callback that always returns true. You can find more information about using SSL in the article Using SSL with ADAM.

To be able to set the password you need the SetPassword and GetPasswordData methods from the Addison-Wesley article. As you can see, the SetPassword method from the article requires the distinguished name of the user (userDN). If you have the DirectoryEntry of the user (user below), you can get this through:

string dn = user.Properties["distinguishedName"][0].ToString();
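The two methods the article refers to are not reproduced on this page, so here is an added example of the same operation, written for this post and not taken from the Addison-Wesley article. It sets a password in ADAM by modifying the user's unicodePwd attribute over the LdapConnection opened above. ADAM (like Active Directory) expects unicodePwd as the new password wrapped in double quotes and encoded as UTF-16LE; a Replace modification is an administrative reset that needs no old password, while a Delete of the old value plus an Add of the new one in a single request is a user-initiated change that the server only accepts if the old password is correct. The host name, the service account DN, the user DN and the environment variable holding the service account password are assumptions for the example.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Text;

// Added example (not the article's code): password operations against ADAM
// via the unicodePwd attribute. Host, DNs and the environment variable name
// are assumptions.
public static class AdamPasswordHelper
{
    // ADAM requires unicodePwd to be the password in double quotes, UTF-16LE.
    private static byte[] GetPasswordData(string password)
    {
        return Encoding.Unicode.GetBytes("\"" + password + "\"");
    }

    // Administrative reset: the caller does not need the old password, but the
    // bound service account needs reset-password rights on the user object.
    public static void SetPassword(LdapConnection connection, string userDn, string newPassword)
    {
        DirectoryAttributeModification replace = new DirectoryAttributeModification();
        replace.Name = "unicodePwd";
        replace.Operation = DirectoryAttributeOperation.Replace;
        replace.Add(GetPasswordData(newPassword));

        // SendRequest throws DirectoryOperationException if ADAM rejects the
        // change (wrong rights, password policy, non-SSL connection, ...).
        connection.SendRequest(new ModifyRequest(userDn, replace));
    }

    // User-initiated change: delete the old value and add the new one in ONE
    // modify request, so ADAM verifies the old password and applies its
    // password policy to the new one.
    public static void ChangePassword(LdapConnection connection, string userDn, string oldPassword, string newPassword)
    {
        DirectoryAttributeModification delete = new DirectoryAttributeModification();
        delete.Name = "unicodePwd";
        delete.Operation = DirectoryAttributeOperation.Delete;
        delete.Add(GetPasswordData(oldPassword));

        DirectoryAttributeModification add = new DirectoryAttributeModification();
        add.Name = "unicodePwd";
        add.Operation = DirectoryAttributeOperation.Add;
        add.Add(GetPasswordData(newPassword));

        connection.SendRequest(new ModifyRequest(userDn, delete, add));
    }

    // Usage: open an SSL connection as the ADAM service account, reset one
    // user's password, and dispose the connection immediately afterwards.
    public static void Example()
    {
        // Assumed host and SSL port, service account DN and user DN.
        using (LdapConnection connection = new LdapConnection("adam.example.local:636"))
        {
            connection.SessionOptions.SecureSocketLayer = true;
            connection.SessionOptions.ProtocolVersion = 3;
            connection.AuthType = AuthType.Basic;
            connection.Bind(new NetworkCredential(
                "CN=svc-web,OU=ServiceAccounts,O=Example,C=US",
                Environment.GetEnvironmentVariable("ADAM_SVC_PASSWORD")));

            SetPassword(connection, "CN=jdoe,OU=Users,O=Example,C=US", "N3w-P@ssw0rd!");
        }
    }
}
```

Keep the service account's password out of source code (the example reads it from an environment variable), and prefer ChangePassword for self-service flows so that a stolen session cannot reset a password without knowing the current one; reserve SetPassword for the help-desk reset case the post describes.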
Final comment
As you can see, a new connection to ADAM is opened here. If you are also connecting to ADAM through DirectoryEntry for other user-related tasks, this means you will have two connections to ADAM for each user visiting your site. Be careful to open this extra connection only when it is needed, and close it when you are done: LdapConnection implements IDisposable, so wrap it in a using block or call Dispose explicitly.

Giabba

ADAM user

It works fine, thanks for everything.