I set up the LDAP and it is working. But it does not seem to limit the AD users to just the ones specified by the root CN ou. For example, I have AD structure as below. If the LDAP root cn is set to OU=USERS, DC=Corp,DC=net, I am supposed to log in only as user1, but in fact I can log in as admin1, which is no good. Is this a bug? Is there any workaround? By the way, the ldap user account used for reading AD is just a member of Domain users group. Thanks.

Corp

---------USERS

............................user1

---------ADMINS

............................admin1

 

Thank you for fast response. Maybe my question is not phrased correctly. In the LDAP setup, my LDAP root CN specifies the Organization Unit "OU1" ( OU=OU1, DC=Corp,DC=net). When login process authenticates using the LDAP query, it should only search users under OU1. It should not search under OU2. I have other application using the LDAP. This is how I understand that it is supposed to work. We have a lot of AD users, We just want a fraction of them to be able to login the portal using the LDAP. So we need to specify the OU. This should be an easy change of the LDAP query. Could you tell me which module / asp page is doing the LDAP authentication? Thanks for your help.

Corp

---------OU1

............................user1

---------OU2

............................admin1

You are probably right. The CN does not seem to be used since after I changed it to a different one, it made no difference. It just authenticates all users of that DC, no matter which OU the user belongs to. Is there any way to fix this in future release? This is a security concern to me. If a site is only for users from one OU, all users from the whole domain will be able to login. We can use the role as a workaround to hide pages from other users, but users can still log in. By the way, is the "LdapHelper.cs" right file to look at? Thanks.

I modified the following method in LdapHelper.cs file and verified that the code is working with rootDN or  OU specified. For AD LDAP, the current code ignores the rootDN setting. Also it does not seem to search the login user in the result. Successful getting adentry does not mean the user is in that OU. In AD, basically any user can read the AD structure. The code does not search the security group in an OU. Need more work to fix that.

=======================================

private static LdapUser ActiveDirectoryLogin(LdapSettings ldapSettings, string uid, string password)

{

bool success = false;

LdapUser user = null;

DirectoryEntry adentry = null;

//Note: Not necessary to check SSL. Default authentication type for .NET 2.0+ is "Secure"

try

{ //add rootDN to limit to certain OU

//adentry = new DirectoryEntry("LDAP://" + ldapSettings.Server, ldapSettings.Domain + "\\" + uid, password);

log.Error("try to connect to ldap server with Server: " + ldapSettings.Server + "; RootDN: " + ldapSettings.RootDN + "; UID=" + uid);

adentry = new DirectoryEntry("LDAP://" + ldapSettings.Server + "/" + ldapSettings.RootDN, ldapSettings.Domain + "\\" + uid, password);

}

catch (System.Runtime.InteropServices.COMException ex)

{

if (log.IsErrorEnabled)

{

log.Error("couldn't connect to ldap server with Server: " + ldapSettings.Server + "; RootDN: " + ldapSettings.RootDN + "; UID=" + uid, ex);

}

}

if (adentry != null)

{

//Bind to the native AdsObject to force authentication.

try

{

object testobj = adentry.NativeObject;

success = true;

}

catch (System.Runtime.InteropServices.COMException ex)

{

if (log.IsErrorEnabled)

{

log.Error("LDAP login failure", ex);

}

success = false;

}

if (success && adentry != null)

{

//check if user exists in OU

DirectorySearcher ds = new DirectorySearcher(adentry);

ds.Filter = "(&(sAMAccountName=" + uid + "))";

SearchResult result = ds.FindOne();

if (result != null)

{

log.Error("successful authentication to ldap server in OU with Server: " + ldapSettings.Server + "; RootDN: " + ldapSettings.RootDN + "; UID=" + uid);

user = new LdapUser(adentry, uid, ldapSettings);

}

else

{

log.Error("failed authentication to ldap server in OU with Server: " + ldapSettings.Server + "; RootDN: " + ldapSettings.RootDN + "; UID=" + uid);

//potentially look in the security group

}

}

}

return user;

}

I tested the code. It solved my issue - Limit login to only users specified in the OU in rootDN (e.g. OU=SubOU1, OU=OU1,DC=Corp,DC=net). I have not done dev work for a while and still learning MojoPortal. So I only rebuilt the mojoPortal.Business project and copied over the "mojoPortal.Business.dll". Using separate configuration is great idea since people may want this done differently. In my case, customer and internal people share same AD domain. So allowing all users to log in is not an option. I will email you the script soon.

So far I am very impressed with MojoPoratl and more importantly your support. I mainly trying to customize it as a BI portal.