AD-ActiveDirectory Integration

Topics: General
Aug 9, 2011 at 7:42 PM

Hi, has someone integrated ActiveDirectory in Composite C1 for user authentication? We will really appreciate any comment on this.


Thanks in advance,

Andres Watson

Aug 9, 2011 at 7:49 PM

This has been discussed quite a few times, recently in this discussion here http://compositec1.codeplex.com/discussions/264412. I've done it as a proof-of-concept but don't know of any live production environments using it.

Aug 9, 2011 at 7:56 PM

@burningice: thanks for your prompt response. I've seen the discussion link and it looks like they discussed a custom membership provider pointing to an SQL Server. Can you show us an example using an LDAP / ActiveDirectory provider?

Aug 9, 2011 at 8:27 PM
Edited Aug 9, 2011 at 8:30 PM

It's quite simple actually: implement the IFormLoginProvider interface. The implementation below relies on having users created in C1 as IUser data instances, and only does the actual password validation against LDAP.

using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Linq;
using Composite.C1Console.Security.Plugins.LoginProvider;
using Composite.Data;
using Composite.Data.Types;

public class LDAPLoginProvider : IFormLoginProvider
{
    // Passwords live in the directory, so C1 cannot change them.
    public bool CanSetUserPassword
    {
        get { return false; }
    }

    // Users are created in C1 as IUser data, not through this provider.
    public bool CanAddNewUser
    {
        get { return false; }
    }

    public bool UsersExists
    {
        get { return DataFacade.GetData<IUser>().Any(); }
    }

    public IEnumerable<string> AllUsernames
    {
        get { return (from u in DataFacade.GetData<IUser>() select u.Username).ToList(); }
    }

    public void SetUserPassword(string username, string password)
    {
        throw new NotImplementedException();
    }

    public void AddNewUser(string userName, string password, string group)
    {
        throw new NotImplementedException();
    }

    public LoginResult Validate(string username, string password)
    {
        // The user must exist as an IUser in C1; LDAP only checks the password.
        var user =
            (from u in DataFacade.GetData<IUser>()
             where String.Compare(u.Username, username, StringComparison.InvariantCultureIgnoreCase) == 0
             select u).FirstOrDefault();

        if (user == null)
        {
            return LoginResult.UserDoesNotExist;
        }

        bool loginIsValid = false;

        try
        {
            // Bind to the directory with the supplied credentials; reading
            // NativeObject forces the bind, which throws if the password is wrong.
            var entry = new DirectoryEntry("LDAP://domain.com", username, password);
            object nativeObject = entry.NativeObject;
            loginIsValid = true;
        }
        catch (DirectoryServicesCOMException ex)
        {
            // not authenticated; the reason why is in ex
        }
        catch (Exception ex)
        {
            // not authenticated due to some other exception
        }

        return loginIsValid ? LoginResult.Success : LoginResult.IncorrectPassword;
    }
}

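As an added example (not part of burningice's post or of the Composite C1 project), here is a hardened version of the password check above. It keeps the same rule that the user must exist as an IUser in C1, but rejects blank credentials before contacting the directory, because an LDAP simple bind with an empty password is an unauthenticated bind that a directory may accept without verifying anything, and it uses PrincipalContext.ValidateCredentials so no bound DirectoryEntry holding the user's credentials is kept around. The class name LdapCredentialCheck, the domain name and the C1 namespaces are assumptions, not values from the thread.

```csharp
// Added example, not from the original post or the C1 project.
// Assumes the C1 types used above (IUser, DataFacade, LoginResult) and a placeholder
// domain name; System.DirectoryServices.AccountManagement ships with .NET Framework 3.5+.
using System;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using Composite.C1Console.Security.Plugins.LoginProvider;
using Composite.Data;
using Composite.Data.Types;

public static class LdapCredentialCheck
{
    // Placeholder (assumption): replace with the real AD domain name.
    private const string DomainName = "domain.com";

    public static LoginResult Validate(string username, string password)
    {
        // An LDAP simple bind with an empty password is an unauthenticated bind and
        // can be reported as "success" even though nothing was verified.
        // Refuse blank credentials before talking to the directory at all.
        if (string.IsNullOrWhiteSpace(username) || string.IsNullOrEmpty(password))
        {
            return LoginResult.IncorrectPassword;
        }

        // Same rule as the post: the account must exist as an IUser inside C1; the
        // directory only decides whether the password is correct. The user list of a
        // console is small, so the comparison is done in memory.
        bool userExists = DataFacade.GetData<IUser>()
            .AsEnumerable()
            .Any(u => string.Equals(u.Username, username, StringComparison.OrdinalIgnoreCase));
        if (!userExists)
        {
            return LoginResult.UserDoesNotExist;
        }

        try
        {
            // ValidateCredentials runs the authentication handshake (Negotiate =
            // Kerberos with NTLM fallback) and returns a bool; nothing stays bound.
            using (var context = new PrincipalContext(ContextType.Domain, DomainName))
            {
                bool ok = context.ValidateCredentials(username, password, ContextOptions.Negotiate);
                return ok ? LoginResult.Success : LoginResult.IncorrectPassword;
            }
        }
        catch (PrincipalServerDownException)
        {
            // Directory unreachable: fail closed rather than letting anyone in.
            return LoginResult.IncorrectPassword;
        }
    }
}
```

The blank-credential guard is the important part: the DirectoryEntry approach above only fails when the bind throws, so a directory that accepts an unauthenticated bind would let a user with a known username in with an empty password. Dropping the provider into the class from the post means replacing the body of its Validate method with a call to LdapCredentialCheck.Validate.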
Aug 9, 2011 at 8:36 PM
Edited Aug 9, 2011 at 8:43 PM

If you want permissions to be managed from LDAP as well, it's substantially more work and you would need to implement the interfaces IUserPermissionDefinitionProvider and IUserGroupPermissionDefinitionProvider, which could, i.e., use group naming and relationships in LDAP to define access to the different areas in C1 for users and groups.

If you go that road, the whole User-perspective inside C1 becomes obsolete and all user creation/deletion and assignment for perspectives, roles and areas in C1 is configured in LDAP.

Nov 30, 2012 at 12:39 PM

Question.

I need the user logged in as the same user as in his Windows login (AD account). But I need it for the public part of the site (for the console the login would be the default one).

I tried <authentication mode="Windows"></authentication> <authorization> <deny users="?"/> </authorization> and in my development environment it worked (once, this is weird: on one PC it worked, on other PCs I couldn't make it work). I was asked to put in my user and password (the same as for the Windows login) and then in User.Identity.Name I had my Windows login username.

Will this approach work in the production environment, or will I need to implement all the classes to query the AD?

Regards.