
We use code similar to the following to set up a secure connection to an LDAP directory:

using System.DirectoryServices.Protocols;
using System.Net;

// Connect to the directory on the LDAPS port (636).
using (LdapConnection con = new LdapConnection(new LdapDirectoryIdentifier(ConfigReader.ADServer, 636)))
{
    con.SessionOptions.SecureSocketLayer = true;
    con.SessionOptions.VerifyServerCertificate = new VerifyServerCertificateCallback(ServerCallback);
    // Simple (Basic) bind with the user's DN and password.
    con.Credential = new NetworkCredential(UserDN, UserPwd);
    con.AuthType = AuthType.Basic;
    con.Bind();
}

During testing, we noticed the following expected behavior:

  • Valid UserDN and valid UserPwd results in successful Bind()
  • Invalid UserDN with a valid UserPwd results in Bind() error (The supplied credential is invalid.)
  • Invalid UserDN with an invalid (non-blank) UserPwd results in Bind() error (The supplied credential is invalid.)

Unfortunately, we also noticed the following unexpected behavior:

  • Valid UserDN and blank UserPwd results in successful Bind()
  • Invalid UserDN and blank UserPwd results in successful Bind()

Please advise why the LDAP connection is successful with a blank password.
Thanks,

  • Is your LDAP server set to allow anonymous binds? See this link, technet.microsoft.com/en-us/library/cc816788(v=ws.10).aspx Commented Aug 22, 2013 at 15:38
  • Thanks for the idea ... but our network administrator confirmed that anonymous LDAP bindings have not been enabled. Commented Aug 26, 2013 at 14:08
  • Based on our research, the ability to successfully bind to LDAP without a password (even when the “allow anonymous LDAP bind” setting is disabled) appears to be an LDAP “feature”. As such, and in hindsight as a general good practice, we implemented a simple check to programmatically handle the blank password condition rather than relying on LDAPConnection. Commented Aug 28, 2013 at 18:22
  • @Seymour @gpmurthy could you help by putting the format for the connection string as well as username and password? An example would do. I am in the same situation but am sure my connection string is incorrect. I am trying to connect over SSL using LDAP://192.168.1.100:389/ou=People,dc=company,dc=com. Do I need to specify the port number? Do I need to prefix with ldap? Commented Oct 26, 2015 at 13:13
  • I think the best way would be to return the con.Bound property, which is correctly set in cases with a blank password. Commented Jul 6, 2018 at 13:25

1 Answer

It seems like the connection is bound but is not authenticated until an actual request is sent.

Consider the following to send the request after binding the connection...

using System.DirectoryServices.Protocols;
using System.Net;

using (LdapConnection con = new LdapConnection(new LdapDirectoryIdentifier(ConfigReader.ADServer, 636)))
{
    con.SessionOptions.SecureSocketLayer = true;
    con.SessionOptions.VerifyServerCertificate = new VerifyServerCertificateCallback(ServerCallback);
    con.Credential = new NetworkCredential(UserDN, UserPwd);
    con.AuthType = AuthType.Basic;
    con.Bind();
    // Force the server to evaluate the credentials: an unauthenticated session
    // will fail here even though Bind() returned without error.
    con.SendRequest(new SearchRequest(targetLocation, "(objectClass=*)", System.DirectoryServices.Protocols.SearchScope.Subtree, null));
}
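The behaviour in the question is the LDAP "unauthenticated bind" of RFC 4513 section 5.1.2: a simple bind that carries a DN but an empty password is treated by the server as anonymous, so Bind() succeeds and the comment thread's advice to check for a blank password yourself is the right fix. The following C# is an added example (not code from the question or the answer) that combines both ideas: it refuses empty credentials before ever calling Bind(), and after binding it asks the server who the session is using the RFC 4532 "Who am I?" extended operation instead of the answer's search request, since an anonymous session gets back an empty authorization identity. The server name, DN and password values are placeholders, and it assumes the directory supports the Who am I? operation (Active Directory on Windows Server 2008 or later and OpenLDAP do); the default certificate validation is left in place rather than installing a custom callback.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Text;

// Added example; not the original poster's or the answerer's code.
public static class LdapAuth
{
    // RFC 4532 "Who am I?" extended operation (assumed supported by the target server).
    private const string WhoAmIOid = "1.3.6.1.4.1.4203.1.11.3";

    // Returns true only when the directory actually authenticated userDn with password.
    public static bool Authenticate(string server, string userDn, string password)
    {
        // Guard 1 (RFC 4513 s5.1.2): a simple bind with a DN and an empty password is an
        // "unauthenticated bind"; servers treat it as anonymous and Bind() succeeds.
        // Reject it before the wire is ever touched.
        if (string.IsNullOrWhiteSpace(userDn) || string.IsNullOrEmpty(password))
            return false;

        using (var con = new LdapConnection(new LdapDirectoryIdentifier(server, 636)))
        {
            con.SessionOptions.SecureSocketLayer = true;  // LDAPS, default certificate validation
            con.SessionOptions.ProtocolVersion = 3;
            con.Credential = new NetworkCredential(userDn, password);
            con.AuthType = AuthType.Basic;

            try
            {
                con.Bind();
            }
            catch (LdapException)
            {
                // Invalid DN or wrong (non-empty) password: "The supplied credential is invalid."
                return false;
            }

            // Guard 2: ask the server which identity this session holds. An anonymous or
            // unauthenticated session answers with an empty authzId (RFC 4532).
            try
            {
                var response = (ExtendedResponse)con.SendRequest(new ExtendedRequest(WhoAmIOid));
                byte[] value = response.ResponseValue;
                string authzId = value == null ? string.Empty : Encoding.UTF8.GetString(value);
                // AD returns "u:DOMAIN\\user", other servers "dn:<DN>"; either way non-empty.
                return authzId.Length > 0;
            }
            catch (DirectoryOperationException)
            {
                // Server refused the operation for this session; treat as not authenticated.
                return false;
            }
        }
    }

    public static void Main()
    {
        // Placeholder values; replace with a real LDAPS host and user DN.
        bool ok = Authenticate("ldap.example.invalid", "CN=jdoe,OU=Users,DC=example,DC=invalid", "");
        Console.WriteLine(ok ? "authenticated" : "rejected");  // prints "rejected" without contacting the server
    }
}
```

The pre-bind guard alone closes the hole in the question; the post-bind check is a belt-and-braces step for servers whose anonymous handling you cannot audit, and it is cheaper than the answer's subtree search because it needs no search base or read permission on any entry.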