how to secure password during ldap connection - c#

I have developed an mvc application where I am using ldap authendication to validate the user.
I need some help to secure my password during ldap connection. I have tried Securesocketlayer=true but I guess it need certificate. Its giving an error:
handshake failure ssl.
Here is my code. I am getting a comment from my security team User credentials are sent in clear text over the network for authentication.
Can anyone help me on how to achieve this in ldap?
Here is my code:
using LdapConnection = Novell.Directory.Ldap.LdapConnection;
using LdapException = Novell.Directory.Ldap.LdapException;
var ldapHost = WebConfigurationManager.AppSettings["LDAP_HOST"];
var ldapPort = WebConfigurationManager.AppSettings["LDAP_PORT"];
var connection = new LdapConnection {SecureSocketLayer = true};
connection.Connect(ldapHost, Convert.ToInt32(ldapPort));
sb = new StringBuilder();
sb.Append(ldapLocation).Append(userName).Append(",").Append(ldapLocationIndia);
connection.Bind(LdapConnection.Ldap_V3, sb.ToString(), password);
Thanks in advance

Related

autenticating ldap for web applications

please take a few minutes and read my question completely. here is my problem :
I want to connect to LDAP server by C# for a web application, means clients connecting to the asp.net server.
*- The ldap server and application server are not the same.
**- They are not in a same domain.
I have been trying 4 different ways and could not solve the problem by none of them.
1-
var credentials = new NetworkCredential(username, password);
var serverId = new LdapDirectoryIdentifier("domain.net");
var conn = new LdapConnection(serverId, credentials);
conn.Bind();
2-
System.DirectoryServices.DirectoryEntry entry = new System.DirectoryServices.DirectoryEntry("LDAP://domain.net/DC=domain,DC=net");
entry.Username = "username";
entry.Password = "password";
System.DirectoryServices.DirectorySearcher searcher = new System.DirectoryServices.DirectorySearcher(entry);
searcher.Filter = "(&(objectClass=user))";
var results = searcher.FindAll();
the problem with these 2 ways is that the user must have an access to the server for login and we know that there is only admin of the system who has the permission.
3-
PrincipalContext pc = new PrincipalContext(ContextType.Domain, "domain.net");
var ret = pc.ValidateCredentials(model.UserName, model.Password);
the problem is the server must be in the domain of ldap server. we have this limitation !!
4-
https://auth0.com/blog/using-ldap-with-c-sharp/
public bool validateUser(string username, string password)
{
var sha1 = new SHA1Managed();
var digest = Convert.ToBase64String(sha1.ComputeHash(System.Text.Encoding.UTF8.GetBytes(password)));
var request = new CompareRequest(string.Format("uid={0},ou=users,dc=example,dc=com", username),
"userPassword", "{SHA}" + digest);
var response = (CompareResponse)connection.SendRequest(request);
return response.ResultCode == ResultCode.CompareTrue;
}
this code does not return any thing. it will be very helpful if there is a query to compare usernames and passwords. this code seems to use this way but there are different types of hash algorithms. I tried to use SHA1 and MD5, and userPassword , unicodePwd attribute. but the return is empty all the time.
is it the best solution to put both servers in a same domain? any other solution , Thank you so much.
Method 1 is the simplest way. If that doesn't work, nothing will. So you will have to change your configuration to make it work.
When you say:
the user must have an access to the server for login and we know that there is only admin of the system who has the permission.
What do you mean? Are you explicitly denying login rights to the domain controllers? Are there network issues between the computer this is running on and the domain controller (can you hit port 389 on the domain controller(s))?
Update: PrincipalContext.ValidateCredentials just does an LDAP bind in behind - it uses LdapConnection. You can see the source code here. The probable reason why ValidateCredentials is working on a domain machine and not otherwise is because it uses Kerberos authentication by default, which will only work from a domain computer.
The same is true with LdapConnection. So try setting the authentication mode. For example, try Basic
var credentials = new NetworkCredential(username, password);
var serverId = new LdapDirectoryIdentifier("domain.net");
var conn = new LdapConnection(serverId, credentials, AuthType.Basic);
conn.Bind();
Or look at the available values and try what works.

RabbitMQ + C# + SSL

I'm trying to use C# to get RabbitMQ 3.6.2 to use SSL/TLS on Windows 7 against Erlang 18.0. I'm running into errors when I'm enabling SSL in my C# code. I have gone through the steps to set up SSL/TLS here. I've also gone through the [troubleshooting steps][2] which show turn up successful (except I couldn't do the stunnel step due to lack of knowledge of stunnel). Here's my C# code trying to connect to RabbitMQ:
var factory = new ConnectionFactory()
{
// NOTE: guest username ONLY works with HostName "localhost"!
//HostName = Environment.MachineName,
HostName = "localhost",
UserName = "guest",
Password = "guest",
};
// Without this line, RabbitMQ.log shows error: "SSL: hello: tls_handshake.erl:174:Fatal error: protocol version"
// When I add this line to go to TLS 1.2, .NET throws an exception: The remote certificate is invalid according to the validation procedure.
// https://stackoverflow.com/questions/9983265/the-remote-certificate-is-invalid-according-to-the-validation-procedure:
// Walked through this tutorial to add the client certificate as a Windows Trusted Root Certificate: http://www.sqlservermart.com/HowTo/Windows_Import_Certificate.aspx
factory.Ssl.Version = SslProtocols.Tls12;
factory.Ssl.ServerName = "localhost"; //System.Net.Dns.GetHostName();
factory.Ssl.CertPath = #"C:\OpenSSL-Win64\client\keycert.p12";
factory.Ssl.CertPassphrase = "Re$sp3cMyS3curi1ae!";
factory.Ssl.Enabled = true;
factory.Port = 5671;
// Error: "The remote certificate is invalid according to the validation procedure."
using (var connection = factory.CreateConnection())
{
}
There's a StackOverflow post regarding the "The remote certificate is invalid according to the validation procedure." exception, but the hack fix doesn't seem to take effect as the callback method suggested is never called. I think that I've added my certificate generated via OpenSSL to the Windows Trusted Root Certification Authorities certificates list for local computer. So I'm at a loss here. Any ideas on how to proceed?
Edit: Here's the final working code for anyone struggling to implement SSL on Rabbit:
var factory = new ConnectionFactory();
factory.HostName = ConfigurationManager.AppSettings["rabbitmqHostName"];
factory.AuthMechanisms = new AuthMechanismFactory[] { new ExternalMechanismFactory() };
// Note: This should NEVER be "localhost"
factory.Ssl.ServerName = ConfigurationManager.AppSettings["rabbitmqServerName"];
// Path to my .p12 file.
factory.Ssl.CertPath = ConfigurationManager.AppSettings["certificateFilePath"];
// Passphrase for the certificate file - set through OpenSSL
factory.Ssl.CertPassphrase = ConfigurationManager.AppSettings["certificatePassphrase"];
factory.Ssl.Enabled = true;
// Make sure TLS 1.2 is supported & enabled by your operating system
factory.Ssl.Version = SslProtocols.Tls12;
// This is the default RabbitMQ secure port
factory.Port = 5671;
factory.VirtualHost = "/";
// Standard RabbitMQ authentication (if not using ExternalAuthenticationFactory)
//factory.UserName = ConfigurationManager.AppSettings["rabbitmqUsername"];
//factory.Password = ConfigurationManager.AppSettings["rabbitmqPassword"];
using (var connection = factory.CreateConnection())
{
using (var channel = connection.CreateModel())
{
// publish some messages...
}
}
Thanks,
Andy
Usual problem is mismatch between what you provide in Ssl.ServerName and host SSL certificate was issued for.
Also note that server-side SSL (encrypted connection between your client and server) and client-side authentication with certificate (you provide server with information which confirms that you have certificate it expects) are two different things. By providing Ssl.CertPath you intent to authorize at server using this certificate, which might or might not be what you want.
My problem was related to using self signed certificates. I had to add the SslOption AcceptablePolicyErrors = SslPolicyErrors.RemoteCertificateNameMismatch |
SslPolicyErrors.RemoteCertificateChainErrors
In the example connection factory creation code sslEnabled is true.
new ConnectionFactory()
{
Uri = uri,
ClientProvidedName = clientProvidedName,
AutomaticRecoveryEnabled = true,
Ssl = new SslOption(){
Enabled = sslEnabled,
AcceptablePolicyErrors = SslPolicyErrors.RemoteCertificateNameMismatch |
SslPolicyErrors.RemoteCertificateChainErrors} ,
NetworkRecoveryInterval = TimeSpan.FromSeconds(networkRecoveryIntervalSecs)
}
It can be done as simple as this
const string RabbitMqServerHostname = "myserver.northeurope.cloudapp.azure.com";
var factory = new ConnectionFactory()
{
HostName = RabbitMqServerHostname,
UserName = "myuser",
Password = "mypassword",
// The settings below turn on SSL
Port = 5671,
Ssl = new SslOption
{
Enabled = true,
ServerName = RabbitMqServerHostname
}
};
I just went through a similar frustrating exercise with the .NET 4.5 client (v. 3.6.6) and the RabbitMQ broker/service on Windows (v. 3.6.6, Erlang 19.2).
The correct combination of RabbitMQ config file options and client settings is not intuitive and the client factory object has changed since the documentation was last updated. Now there's an SslOption class.
Are you still having problems? Perhaps I can help you.
I've resolved the problem changing only the Ssl.ServerName to the Common Name (CN) of the issued certificate, because it was different of the server which hosts the service.
factory.Ssl.ServerName = "[certificate cn]";
I had tried with python (because the provider used that language) and it worked, I suppose then that Python doesn't validate that features of the certificates (it's more insecure?).

Does a password need encoding when client authenticates using OpenPop?

I'm using openpop to connect to gmail pop server.
This is the code (very simple)
using (var client = new Pop3Client())
{
var username = mailProperties.UserId;
client.Connect(mailProperties.Server, mailProperties.Port, mailProperties.UseSsl);
client.Authenticate(username, mailProperties.Password);
}
Most of the time it works. But if the password contains "./", the authentication fails and I have an Invalid login exception.
Do I have to encode the password or something? I tried Uri.EscapeDataString but the result is the same.
I verified the password and it's the good one ;)
I forgot to activate the pop access in my gmail option for this account.
The problem is now solved.

Obtain Network Credentials from Current User in Windows Authentication Application

I was wondering whether it was possible to obtain the current user object and get their credentials so that I can pass them along to a NetworkCredential object which I am using to connect to my AX .NET Business Connector. As, at the moment I'm having to specify it connect as a specific user which I set when I instantiate a NetworkCredential object:
private NetworkCredential nc = new NetworkCredential("myUser", "myPassword", "myDomain");
I was hoping to do something like: private NetworkCredential nc = (NetworkCredential)HttpContext.User; but obviously that won't work...
That way, it's easier to keep track of which user has created a sales order for example, as at the moment everything gets created by the user I have specified..
CredentialCache.DefaultNetworkCredentials?
The credentials returned by DefaultNetworkCredentials represents the authentication credentials for the current security context in which the application is running. For a client-side application, these are usually the Windows credentials (user name, password, and domain) of the user running the application.
I don't fully understand your question, but is your call coming from ASP.NET that you require the credentials? You could attempt:
Uri uri = new Uri("http://tempuri.org/");
ICredentials credentials = CredentialCache.DefaultCredentials;
NetworkCredential credential = credentials.GetCredential(uri, "Basic");
Assuming your user has already authenticated via a Membership Provider.
A combination of the above worked great for me to resolve the authentication.
var credentials = new NetworkCredential();
ICredentials credent = CredentialCache.DefaultNetworkCredentials;
credentials = (NetworkCredential)credent;
var serverId = new LdapDirectoryIdentifier(GlobalVariables.LDAPServer);
LdapConnection connection = new LdapConnection(serverId, credentials);
connection.Bind();

Cannot retrieve perforce clients

I am trying to develop a C# based build tool using p4api.net apis. I am new to perforce p4api.net. I followed the instructions given in p4api.net library downloaded from their site, but was never successful in running a basic command on perforce. I am attaching piece of code which is supposed to fetch clients from Perforce. Please correct it, if am wrong. The code throws a run time error (unhandled expection) while executing GetClients().
static void Main(string[] args)
{
string uri = "perforce:1666";
string user = "User1";
Server server = new Server(new ServerAddress(uri));
Repository rep = new Repository(server);
Connection con = rep.Connection;
con.UserName = user;
con.Client = new Client();
// connect to the server
con.Connect(null);
// run the command against the current repository
IList<Client> changes = rep.GetClients(null);
}
Any useful guide to perforce C# documents/examples would be appreciated.
Thanks,
Madhu
tickets are granted to the user by p4 login. If you login with P4V or another client the ticket should still be valid until expiration unless you explicitly p4 logout. You can create this credential in P4API.NET after you connect and before you run a command:
// connect to the server
con.Connect(null);
string password = "pw";
Credential cred = con.Login(password, null, null);
con.Credential = cred;
Are you sure that the exception is coming from GetClients? I ran your code successfully, but when I changed uri to a non-existent server:port I get the unhandled exception at con.Connect(null).
Confirm that you do have access to a perforce:1666 server with User1 and that User1 does not require a password on that server.

Categories