dsbenghe / novell.directory.ldap.netstandard

.NET LDAP client library for .NET Standard >= 2.0, .NET Core >=1.0, NET5/NET6/NET7/NET8 - works with any LDAP protocol compatible directory server (including Microsoft Active Directory).

License: MIT License

C# 99.62% Shell 0.16% Batchfile 0.01% PowerShell 0.20%

novell.directory.ldap.netstandard's Introduction

.NET Standard LDAP client library


LDAP client library - .NET Standard 2.0/2.1 - compatible .NET platforms: .NET >= NET5, .NET Core >= 2.0, .NET Framework >= 4.6.1, Universal Windows Platform, Xamarin (see here for a more detailed description of supported platforms https://docs.microsoft.com/en-us/dotnet/articles/standard/library ).

It works with any LDAP protocol compatible directory server (including Microsoft Active Directory).

The library originally comes from Novell (https://www.novell.com/developer/ndk/ldap_libraries_for_c_sharp.html). It is a really old code base that looks like a tool-based conversion from Java; the original Java code repo is http://www.openldap.org/devel/gitweb.cgi?p=openldap-jldap.git;a=summary (the first commit in that repo is from 2000 :)), which explains some of the weirdness of the code base.

The Novell documentation for the original library:

The first commit in this repo is the original C# source code from Novell. The next 20 or so commits are my changes to port the code base to run on .NET Standard.

See ChangeLog for summary of changes.

There are a number of functional tests, run against OpenDJ on Ubuntu during CI, which are also run as stress tests (e.g. the functional tests running on multiple threads) against OpenLDAP on Ubuntu.

Sample usage

using (var cn = new LdapConnection())
{
	// connect
	cn.Connect("<<hostname>>", 389);
	// bind with a username and password
	// this is how you can verify the password of a user
	cn.Bind("<<userdn>>", "<<userpassword>>");
	// call ldap op
	// cn.Delete("<<userdn>>")
	// cn.Add(<<ldapEntryInstance>>)
}

Contributions and bug reports are welcome.

The library has some samples which are not included in the solution and are in the original state (see original_samples folder) - they may or may not compile on .NET Standard - but they should be compilable on .NET Standard with minimal work.


novell.directory.ldap.netstandard's Issues

xamarin.android Bind issue

On the xamarin.android platform, part of the mailAccount and PassWord using the Bind() method error, but on the Windows platform it is good. Why?

Sorry, this is the error:
Novell.Directory.Ldap.LdapException: Invalid Credentials

Object array in Web Api

Hi folks,

Here is my sample code:

[HttpGet("UserInfo")]
public IActionResult Get()
{
    // rest omitted
    while (lsc.hasMore())
    {
        // rest omitted
        while (ienum.MoveNext())
        {
            LdapAttribute attribute = (LdapAttribute)ienum.Current;
            string attributeName = attribute.Name;
            string attributeVal = attribute.StringValue;

            if (attributeName == "displayName" || attributeName == "mail")
            {
                //Console.WriteLine(attributeName + ": " + attributeVal);
            }
        }
    }
    conn.Disconnect();
}

I want to display return Ok output like this:
[{ "mail": "[email protected]", "displayName": "abc" },
{ "mail": "[email protected]", "display": "xyz" },
.
.
.
]
I am waiting for your response.

Thanking you in anticipation

MacOS High Sierra with Mono

I have found a bug that might be with the Mono Framework in that when calling the new SslStream on line 594 in Connection.cs the RemoteCertificateValidationCallback is never called. I am not able to reproduce the error when compiling to .net Core on MacOS but it is reproducible with Mono.

This was working before I upgraded to High Sierra but now is causing the issue. From what I can see it fails during the WaitAndUnwrap method.

Use byte[] instead of sbyte[] for 'blob' abstraction

I can see many uses of the type sbyte[] in the API.

For example, LdapAttribute.ByteValue returns sbyte[].
I know I can do the sbyte[] to byte[] transition and back using SupportClass.ToByteArray or SupportClass.ToSByteArray.

I just can't find any reason for such a design.
Probably this is for historical reasons (Java code port?).

Many base .NET APIs (BitConverter, MemoryStream, Encoding) use byte[] as a parameter and not sbyte[].
In the .NET world it is more natural to use byte[] as the 'blob' abstraction.
In a blob nobody cares about the 'sign' of a byte, so you can safely use byte[] instead of sbyte[] everywhere.

So please refactor this library to use byte[] for blobs.

Implement async methods

Version 2.3.7 used

For now the whole API is totally synchronous; no Task is used.
The underlying .NET Core asynchronous methods are decorated with .WaitAndUnwrap() and .ResultAndUnwrap().

API should be refactored to support methods returning Task (ConnectAsync, BindAsync, etc).

[Test] How config

I am trying to run the tests but they always fail, because they cannot connect to the server (localhost).

How can I configure LDAP on my PC to run the tests?

I am using Windows

Provide Xml comments file with nuget package

The NuGet package for novell.directory.ldap.netstandard version 2.3.7 contains only a .dll file and no .xml file with API documentation.

The DLL is enough for compilation.
An XML comments file is useful when developing in Visual Studio, since it shows annotations on classes, methods, etc.
So now I frequently have to switch between GitHub and Visual Studio to read method annotations and write code.

So please add the .xml comments file to the NuGet package; this is a common best practice.

Display ThumbnailsPhoto

Hi,

I am using Asp.net core.

while (lsc.hasMore())
{
    LdapEntry nextEntry = null;
    try
    {
        nextEntry = lsc.next();
    }
    catch (LdapException e)
    {
        Console.WriteLine("Error: " + e.LdapErrorMessage);
        // Exception is thrown, go for next entry
        continue;
    }

    LdapAttributeSet attributeSet = nextEntry.getAttributeSet();
    IEnumerator ienum = attributeSet.GetEnumerator();

    while (ienum.MoveNext())
    {
        LdapAttribute attribute = (LdapAttribute)ienum.Current;
        string attributeName = attribute.Name;

        string attributeVal = attribute.StringValue;

        if (!Base64.isLDIFSafe(attributeVal))
        {
            byte[] tbyte = SupportClass.ToByteArray(attributeVal);
            attributeVal = Base64.encode(SupportClass.ToSByteArray(tbyte));
        }

        if (attributeName == "thumbnailPhoto")
        {
            Console.WriteLine(attributeName + ": " + attributeVal);
        }
    }
}

How to display thumbnail photo in asp.net core page?

I am waiting for your response.

Thanks in Advance!

Search method async?

Hi there. Firstly, thanks so much for your work in getting this running on .NET Core! I'm looking to use your project in an ASP.NET Core project and am having some challenges performing a search from a web API controller. I'm essentially getting 0 search results back from the search. If I add a Thread.wait(100) after the search I invariably get search results ... am I using search incorrectly? Is there a sync method that I'm missing?

Again, thanks for your work!

Mark

Interface "ILdapConnection" is missing a method

The interface "ILdapConnection" is missing the "Disconnect" method signature, which is present on the default implementation "LdapConnection".

This issue is preventing us from declaring the interface as a dependency instead of the implementation, with all the obvious problems (cannot inject, cannot unit test).

Other methods might be missing, I noticed this one since we are using it.

Attributes from child class not included in search result

Hi,
I am not able to return (or search on) attributes belonging to a child class in eDirectory, like the custPositionCode below. Any idea why? Are child class attributes supported by this NuGet package?

var personAttributes = new string[] { "cn", "fullName", "custPosition", "custPositionCode" };
LdapSearchResults lsc = ldapConn.Search("ou=Persons,o=MetaCat", LdapConnection.SCOPE_SUB, "(custPositionCode=123456)", personAttributes, false);

Getting "Invalid Address" error even after passing correct LDAP address.

I am using the code below, passing the LDAP address in ldapHost, but getting the error "Invalid Address- Input string was not in a correct format."

{
    var cn = new LdapConnection();
    cn.Connect("LDAP://OU=XYZ,DC=XYZ,DC=XY", 389);
    cn.Bind(userName, password);
}

Please help if I am doing something wrong.
Is there any special format required in the hostname?

Note: I have changed the actual names in LDAP.

Not Populating Computer Objects that are Members of a Group

I'm using this library with .NET CORE 2.0.0 to pull information out of Active Directory. However, I'm running into an issue.

When grabbing the list of objects that are members of a Group, it doesn't seem to return Computer account objects (just User and Group objects).

What I mean is, if "GroupXYZ" has these as members:
JimmyUser
SallyUser
Computer212
Computer010
GroupABC
GroupG21

When I query the Group, I'll get 2 Users and 2 Groups back just fine. However, the 2 Computer account objects wouldn't show up in the return (and nothing blows up or anything).

string[] membersArray = attributeSet.getAttribute("member")?.StringValueArray;

If I use the Active Directory Users and Computers console, I can see that there are indeed a number of Computer objects that are members of the Group. But I'm not able to get them returned by grabbing the "member" attribute on the Group.

Thanks!

Unable to change user's password (Active Directory)

Hi guys,

First, thank you for porting the code over to .Net core!

I'm having some issues with changing the user's password using the LDAP modify methods. I receive one of the following errors, depends which route I take:

  1. Binding as a domain admin and using LdapModification.REPLACE:
    Unwilling To Perform (53) Unwilling To Perform LdapException: Server Message: 0000001F: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0
  2. Binding as the user itself and using LdapModification.DELETE and LdapModification.ADD:
    Constraint Violation (19) Constraint Violation LdapException: Server Message: 00002081: AtrErr: DSID-03190FA0, #1: 0: 00002081: DSID-03190FA0, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)

Code excerpts for both routes:

1) Binding as a domain admin:

string UserToChange = "CN=myUser,OU=InSome,OU=OU,DC=domain,DC=local";
LdapAttribute attribute = new LdapAttribute("unicodePwd", "\"myNewStrongPassword\"");
LdapModification modification = new LdapModification(LdapModification.REPLACE, attribute);

_connection.Modify(UserToChange, modification);

2) Binding as the user:

string UserToChange = "CN=myUser,OU=InSome,OU=OU,DC=domain,DC=local";
LdapModification[] modifications = new LdapModification[2];
LdapAttribute deletePassword = new LdapAttribute("unicodePwd", "\"myOldPassword\"");
modifications[0] = new LdapModification(LdapModification.DELETE, deletePassword);
LdapAttribute addPassword = new LdapAttribute("unicodePwd", "\"myNewStrongPassword\"");
modifications[1] = new LdapModification(LdapModification.ADD, addPassword);

_connection.Modify(UserToChange, modifications);

Things I have checked and tried:

  1. Convert the password to Unicode (UTF16-LE) byte array and then convert to a base64 string using the code below:

string password = "\"myNewStrongPassword\"";
byte[] encodedBytes = Encoding.Unicode.GetBytes(password);
string encodedTxt = Convert.ToBase64String(encodedBytes);

  2. Connect with SSL (this is the only way to perform actions on the unicodePwd field)
  3. Read various implementations on the web, most of them are Java and PHP which I found
  4. The password myNewStrongPassword is valid against the AD password policies

If anyone has any idea or could point me in the right direction, that would be great! :-)
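
An added example, not part of the issue above and not the project's own code, comparing the byte sequences that reach the directory for the variants described in it against the form Active Directory documents for unicodePwd: the password in double quotes, encoded as UTF-16LE, sent as raw bytes. It uses only the .NET base library; the class and method names are hypothetical, and the statement that a string attribute value is transmitted as UTF-8 is an assumption about the library.

```csharp
using System;
using System.Text;

// Added example; UnicodePwd and its members are hypothetical names.
static class UnicodePwd
{
    // Active Directory takes unicodePwd as the UTF-16LE bytes of the
    // password wrapped in double quotes. The quotes are part of the value.
    public static byte[] Encode(string password)
    {
        if (password == null) throw new ArgumentNullException(nameof(password));
        return Encoding.Unicode.GetBytes("\"" + password + "\"");
    }

    // Structural check on a candidate attribute value: an even byte count and
    // a UTF-16LE double quote (0x22 0x00) as the first and last code unit.
    public static bool IsWellFormed(byte[] value)
    {
        if (value == null || value.Length < 4 || value.Length % 2 != 0) return false;
        int last = value.Length - 2;
        return value[0] == 0x22 && value[1] == 0x00
            && value[last] == 0x22 && value[last + 1] == 0x00;
    }

    static void Report(string label, byte[] value)
    {
        int shown = Math.Min(8, value.Length);
        Console.WriteLine("{0,-22} {1,3} bytes  {2}...  well-formed: {3}",
            label, value.Length, BitConverter.ToString(value, 0, shown), IsWellFormed(value));
    }

    static void Main()
    {
        const string quoted = "\"myNewStrongPassword\""; // sample value from the issue

        // Assumption: a string attribute value goes on the wire as UTF-8 text.
        byte[] asString = Encoding.UTF8.GetBytes(quoted);

        // Base64 of the right bytes is still text once it is passed as a string.
        string base64 = Convert.ToBase64String(Encoding.Unicode.GetBytes(quoted));
        byte[] asBase64Text = Encoding.UTF8.GetBytes(base64);

        // Raw UTF-16LE bytes, to be handed to the attribute as a byte array.
        // In the 2.x API discussed on this page that means converting with
        // SupportClass.ToSByteArray and using a byte-array attribute
        // constructor (assumed here, not shown on the page).
        byte[] asRawBytes = Encode("myNewStrongPassword");

        Report("string value (UTF-8)", asString);
        Report("Base64 text", asBase64Text);
        Report("raw UTF-16LE bytes", asRawBytes);
    }
}
```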

How to display get all username list from Active directory?

Hi Novell,

I am using Netcore. I tried to follow your sample code:
using (var cn = new LdapConnection())
{
..............
cn.Connect("<>", 389);
cn.Bind("<>", "<>");
..............
}
And it goes well 😊.

Now I am looking for search username list from active directory.
Is there any sample code of it?

I am waiting for your response.

Thanks in advance.

Regards,
Adnan Salahuddin

Get user details

Hello,

So I have been able to login using the library, but try as I may, I can't craft the proper dn to retrieve the user as it seems to use the fullname as cn.
Is there a way to do this easier without searching? Searching seems to hang visual studio btw.
I am basically trying to retrieve a list of groups that the user belongs to to use as claims.

Thank you.

Modifying SearchConstraints

You are not able to change the SearchConstraints in a regular way, because LdapConnection.SearchConstraints returns a clone of LdapConnection.Constraints.
To change the properties you have to get a clone, modify it and set this object as the new value for LdapConnection.Constraints.

var contraints = ldapConnection.SearchConstraints;
contraints.MaxResults = 0;
ldapConnection.Constraints = contraints;

Unable to control LDAP connection timeout

The LdapConnection class does not provide a way to control the timeout. I attempted to do so by changing the Constraints.TimeLimit value but it does not have any effect on the initial connection.

On Windows I'm getting a timeout value of just over 3 seconds but on Linux under Mono 4.8.1 the time out value is over 2 minutes.

This can be improved with a small change to AsyncExtensions.cs in the function WaitAndUnwrap() if you passed in a timeout value (ideally from a new variable in the LdapConnection) and called task.Wait() with that value.

The code in AddUserToGroup not working with Active Directory

Hi,

I have copied the sample code from the file at the link below to add a user to a group, but it's throwing an error:
Novell.Directory.Ldap.NETStandard/original_samples/Samples/AddUserToGroup.cs

The error is: "00000057: LdapErr: DSID-0C090CE0, comment: Error in attribute conversion operation, data 0, v2580\0"

Below are the values used:
int ldapPort = LdapConnection.DEFAULT_PORT;
int ldapVersion = LdapConnection.Ldap_V3;
bool status = false;
LdapConnection conn = new LdapConnection();
String ldapHost = "adcndazr01.wwt-cnd.local";
String loginDN = "WWT-CND\\mlekkala";
String password = "password";
System.String userDN = "CN=Ksmith,CN=Users,DC=wwt-cnd,DC=local";
System.String groupDN = "CN=myDeltaGroupTest,CN=Users,DC=wwt-cnd,DC=local";

Can you please help me?

Thanks
Anil Jain

NetworkStream - ObjectDisposedException

Hello,

first of all, thank you for your work, it's great that somebody finally converted LDAP into .NET Core.

We got some strange issue while sending a lot of requests in short range of time. It looks like some kind of race condition. It throws unhandled ObjectDisposedException and kills whole application (ignoring try-catch block, without meaningful call stack). A reason is, that it is thrown on the other thread.

I had to debug your code, switch to other threads and find out what's going on. There were 3 threads:

  1. Main thread - just waiting in Program.Main(), host.Run() (asp.net, nothing interesting)
  2. Stuck thread - stuck on line 1353 in class Connection - method Stop(), this.enclosingInstance.reader.Join();
  3. Weird thread - call stack shows just System.Private.CoreLib.ni.dll!System.Threading.ExecutionContext.Run(...) and nothing more

Full exception:

{System.ObjectDisposedException: Cannot access a disposed object.
Object name: 'System.Net.Sockets.NetworkStream'.
   at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
   at System.IO.Stream.ReadByte()
   at Novell.Directory.Ldap.Asn1.Asn1Identifier..ctor(Stream in_Renamed) in C:\Users\CZ010158\Desktop\KM\External\Novell.Directory.Ldap.NETStandard\Novell.Directory.Ldap.NETStandard\Asn1\Asn1Identifier.cs:line 250
   at Novell.Directory.Ldap.Connection.ReaderThread.Run() in C:\Users\CZ010158\Desktop\KM\External\Novell.Directory.Ldap.NETStandard\Novell.Directory.Ldap.NETStandard\Connection.cs:line 1389
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)}

After debugging I've found out that exception is thrown on line 250 in class Asn1Identifier - constructor - int r = in_Renamed.ReadByte();

Pull request: #3
We've fixed it by checking if the stream is already disposed and then ignore it. Don't know if it is the correct solution. Please review pull request.

UPDATE
It seems that it didn't help. It just reduced the number of crashes, but it still sometimes throws ObjectDisposedException (even when there is explicit try-catch block).
Temporary workaround is to have just one LdapConnection instance and use it in the whole application (all communication is synchronous).

@Sebosek
@Marfusios

NullReferenceException when using SSL connection

When setting connection.SecureSocketLayer = true; calling connection.Bind(...) throws a NullReferenceException.

  • HResult: -2147467261
  • _xcode: -532462766
  • Stacktrace:
at Novell.Directory.Ldap.Connection.Destroy(String reason, Int32 semaphoreId, InterThreadException notifyUser)
at Novell.Directory.Ldap.Connection.destroyClone()
at Novell.Directory.Ldap.LdapConnection.Dispose(Boolean isDisposing)

ILdapConnection still not mockable and testable

Hi, I have found another problem that prevents testability of your library.

Types returned from methods in the ILdapConnection interface, such as LdapResponseQueue and others have only an internal constructor.

When creating a mock of ILdapConnection for testing purposes it's impossible to setup behaviour for such methods, as there's no way to construct the returned type.

I am willing to work on this and send you a pull request if you agree to fix this.

Connecting to port 639

Where can I find an example for connecting to eDirectory over SSL? I switched ports and set SecureSocketLayer to true. When I open the connection an exception occurs.

Password is not set for created Active Directory user using Novell.Directory.Ldap.NETStandard C#

I used the following code to create a new user in Active Directory. With this, the new user is created in Active Directory without any error. But I could not work with that new user using its password; here I am setting the password using the "userPassword" attribute.
Is this the correct way to set the password for a user using the "userPassword" attribute, or please guide me to the correct workflow to achieve this?

LdapAttributeSet attributeSet = new LdapAttributeSet();
attributeSet.Add(new LdapAttribute("objectclass", "user"));
attributeSet.Add(new LdapAttribute("sAMAccountName", "myuser"));
attributeSet.Add(new LdapAttribute("userPRincipalName", "myuser"));
attributeSet.Add(new LdapAttribute("userAccountControl", (66080).ToString()));
attributeSet.Add(new LdapAttribute("userPassword", "mypassword"));

string dn = "CN=myuser,CN=Users,DC=mydomain,DC=com";
LdapEntry newEntry = new LdapEntry(dn, attributeSet);

LdapConnection ldapConn = new LdapConnection();
ldapConn.Connect(ldapHost, 369);
ldapConn.Bind(loginDN, password);
ldapConn.Add(newEntry);

System.NullReferenceException when trying to connect via SSL

I get this error when trying to connect to an LDAP server with ssl enabled.
I am using the Version 2.3.5 provided by nuget.

System.NullReferenceException wurde nicht behandelt.
Message: Ein Ausnahmefehler des Typs "System.NullReferenceException" ist in System.Private.CoreLib.ni.dll aufgetreten.
Zusätzliche Informationen: Object reference not set to an instance of an object.

Validating user credentials.

Please check the example for authenticating users. I believe cn.Bind() actually authenticates application credentials, not user credentials.

cn.Bind("<>", "<>");

The code for validating user credentials should be:

var passwordAttr = new LdapAttribute("userPassword", "user's secret password");
var passwordMatches = cn.Compare("User's DN", passwordAttr);

See the following link for reference.
ftp://sdk.provo.novell.com/ndk/ldapcsharp/Samples/Samples/VerifyPassword.cs

How to connect without domain?

Hello!

Thank you for your library.
My code:

using (var conn = new LdapConnection())
{
    conn.Connect("192.168.55.111", 389);
    conn.Bind("[email protected]", "password");
}

This works. But could I check the password without the domain? For example:
conn.Bind("balkarov", "password");

PS: in c I can use ContextType.Domain

I try this
conn.Bind("CN=balkarov,OU=Company,DC=Some,DC=Office", "password");
but this does not work

Novell.Directory.Ldap.NETStandard : Issue while getting 'objectGUID' value from Active Directory

I am using .Net Core 2.0 and Novell.Directory.Ldap.NETStandard 2.3.8 and used the following code to get User resource attributes from active directory.
I am getting values for all attributes except for objectGUID where I am getting some garbage value.

LdapEntry userEntry = ldapConn.Read(dn);
LdapAttribute uid = userEntry?.getAttribute("objectGUID");

Output:
{LdapAttribute: {type='objectGUID', value='�� ���E�1���Ѕv'}}

There are no issues if I use LDAP as a backend entity.

When I used below code to get Guid, I got following error.
new Guid(SupportClass.ToByteArray(userEntry.getAttribute("objectGuid").ByteValue)).ToString()

Error:
'new Guid(SupportClass.ToByteArray(userEntry.getAttribute("objectGuid").ByteValue)).ToString()' threw an exception of type 'System.ArgumentException'
"Byte array for GUID must be exactly 16 bytes long.\r\nParameter name: b"

Sample code showing return of large recordset?

First off, thanks for the library! It's been really useful in the .NET Core project I'm currently working on.

Secondly, would it be possible to get a new sample added that shows how to (quickly/efficiently) return a large number of records in an LDAP search?

I can get 1000 records no problem of course, but I'm struggling with getting 80,000+ records from Active Directory (when it does work, it seems to take forever to process). What am I missing? I'm still fairly new to C# and .NET; so maybe it's something simple...? A sample code snippet would be extremely helpful.

    public void LargeRecordSearchTest()
    {
        string searchBase = "MySearchbaseInfo";
        bool searchTypes = false;
        int resultsCount = 0;
        string searchFilter = "(&(objectCategory=computer)(operatingSystem=Windows*))";
        string[] searchAttributes = {
                "distinguishedName",
                "operatingSystem"
            };
        ConnectToLDAP();
        LdapSearchConstraints ldapSearchConstraints = _ldapConnection.SearchConstraints;
        //ldapSearchConstraints.MaxResults = 0;
        LdapSearchResults ldapSearchResults = _ldapConnection.Search(
            searchBase,
            LdapConnection.SCOPE_SUB,
            searchFilter,
            searchAttributes,
            searchTypes,
            ldapSearchConstraints
        );
        while (ldapSearchResults.hasMore())
        {
            resultsCount++;
        }
        //_logger.LogInformation($"Number of results returned: {resultsCount}");
        DisconnectFromLDAP();
    }

Start_TLS TLS_REQCERT=allow?

I'm working to connect to an Azure Active Directory Domain Services test configuration. It uses a self signed SSL cert for use with TLS, but because of the way AADDS works, the hostname is not the same as the domain name, so the cert doesn't match the domain name, and fails.

On the command line, I can make this work using ldapsearch by setting TLS_REQCERT=allow. According to the help, that means:

The server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, it will be ignored and the session proceeds normally.

Is there a way to tell StartTLS to ignore a bad certificate like this? I couldn't find anything in the source.
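
An added example, not from the issue and not the project's code: a validation function with the signature of System.Net.Security.RemoteCertificateValidationCallback that tolerates a name mismatch or an untrusted chain only for one pinned certificate, as a narrower alternative to ignoring bad certificates for a directory with a known self-signed certificate. The class names and the two certificates are constructed for the demonstration (CertificateRequest needs .NET Core 2.0 or later); in real use the pin is the SHA-256 digest of the directory's certificate obtained out of band.

```csharp
using System;
using System.Linq;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example; PinnedServerCertificate and Demo are hypothetical names.
sealed class PinnedServerCertificate
{
    private readonly byte[] _pinSha256;

    public PinnedServerCertificate(byte[] pinSha256)
    {
        if (pinSha256 == null || pinSha256.Length != 32)
            throw new ArgumentException("expected a 32-byte SHA-256 digest", nameof(pinSha256));
        _pinSha256 = (byte[])pinSha256.Clone();
    }

    // SHA-256 over the DER encoding of the certificate.
    public static byte[] Sha256Of(X509Certificate certificate)
    {
        using (var sha = SHA256.Create())
            return sha.ComputeHash(certificate.GetRawCertData());
    }

    // Same signature as System.Net.Security.RemoteCertificateValidationCallback.
    public bool Validate(object sender, X509Certificate certificate,
                         X509Chain chain, SslPolicyErrors errors)
    {
        // Unlike TLS_REQCERT=allow, a missing certificate ends the session.
        if (certificate == null) return false;

        // A trusted certificate whose name matches needs no exception.
        if (errors == SslPolicyErrors.None) return true;

        // Name mismatch or untrusted chain: tolerated for the pinned certificate only.
        if (!Sha256Of(certificate).SequenceEqual(_pinSha256)) return false;

        // The pin does not excuse a certificate outside its validity period.
        using (var cert2 = new X509Certificate2(certificate))
        {
            DateTime now = DateTime.Now; // NotBefore and NotAfter are local time
            return now >= cert2.NotBefore && now <= cert2.NotAfter;
        }
    }
}

static class Demo
{
    // Constructed self-signed certificate, used only as test input.
    static X509Certificate2 SelfSigned(string commonName)
    {
        using (var rsa = RSA.Create(2048))
        {
            var request = new CertificateRequest("CN=" + commonName, rsa,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            return request.CreateSelfSigned(
                DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(30));
        }
    }

    static void Main()
    {
        using (var directory = SelfSigned("ldaps.example.test"))
        using (var other = SelfSigned("other.example.test"))
        {
            var pin = new PinnedServerCertificate(PinnedServerCertificate.Sha256Of(directory));
            var errors = SslPolicyErrors.RemoteCertificateNameMismatch
                       | SslPolicyErrors.RemoteCertificateChainErrors;

            Console.WriteLine("pinned certificate:  " + pin.Validate(null, directory, null, errors));
            Console.WriteLine("other certificate:   " + pin.Validate(null, other, null, errors));
            Console.WriteLine("no certificate:      " + pin.Validate(null, null, null,
                SslPolicyErrors.RemoteCertificateNotAvailable));
        }
    }
}
```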

VS 2017 netcore 1.1 doesn't compile

Error MSB6006 "csc.exe" return with code -532462766. AD_CHECK_NC10
C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\Roslyn\Microsoft.CSharp.Core.targets 71

Using VS 2017, I have added the NuGet package. It doesn't compile.
AD_CHECK_NC10.zip

GSSAPI/Windows SASL authentication

I was looking through the source code for LdapBindRequest and RfcBindRequest, and there doesn't appear to be any way to use the currently logged in Windows user for authentication in the case of connecting to an Active Directory server.

Is there any possibility of supporting this scenario? Ideally, I would like to run my .NET Core service as a specific user and let that user's identity be used for the LDAP "bind" rather than storing a username and password in my application's configuration.

Bind through GSSAPI

I see there is SaslBindProperties, however it's a readonly property and initialized with null.

Does the library support binding with "GSSAPI"?

Thanks in advance
w.k.

How to get a list from Memberof attribute?

Not necessarily an issue, but I want to ask: memberof has a list of groups that the member belongs to. How do I get the list? I used the following logic, but only get the first one.

Thanks,

LdapAttribute attribute = (LdapAttribute)ienum.Current;
string attributeName = attribute.Name;
string attributeVal = attribute.StringValue;
if (!Base64.isLDIFSafe(attributeVal))
{
byte[] tbyte = SupportClass.ToByteArray(attributeVal);
attributeVal = Base64.encode(SupportClass.ToSByteArray(tbyte));
}

get exception when Get Usergroups from ActiveDirectory after Login

I followed the https://nicolas.guelpa.me/blog/2017/02/15/dotnet-core-ldap-authentication.html link to write the code below. The LDAP connection is OK, but when I call var user = lsc.next(); it throws an exception. My purpose is to get the user's groups for one user.
/***************** code start**************/
conn.connect,..

string searchFilter = "(&(objectClass =user)(objectClass=person)(sAMAccountName={0}))";
LdapSearchResults lsc = conn.Search("DC=svc,DC=accenture,DC=com",
    LdapConnection.SCOPE_SUB,
    string.Format(searchFilter, userName),
    new[] { MemberOfAttribute, DisplayNameAttribute, SAMAccountNameAttribute },
    false);
try
{
    var user = lsc.next();
    if (user != null)
    {
        if (conn.Bound)
        {
            var temp = new AppUser
            {
                DisplayName = user.getAttribute(DisplayNameAttribute).StringValue,
                Username = user.getAttribute(SAMAccountNameAttribute).StringValue,
                IsAdmin = user.getAttribute(MemberOfAttribute).StringValueArray.Contains("admin")
            };
        }
    }
}
catch (LdapException ex)
{
}

/*********** code end *******************
exception below
capture
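
An added example, not part of the issue above and not the project's code: the search filter in that issue is built with string.Format from a user name, so the value should be escaped as RFC 4515 requires before it is placed in the filter, otherwise a name containing parentheses, an asterisk or a backslash changes what the filter means. The class and method names are hypothetical and the sample names are constructed.

```csharp
using System;
using System.Linq;
using System.Text;

// Added example; LdapFilter and its members are hypothetical names.
static class LdapFilter
{
    const string UserTemplate =
        "(&(objectClass=user)(objectClass=person)(sAMAccountName={0}))";

    // RFC 4515: inside an assertion value these characters are written as a
    // backslash followed by the two hex digits of the character code.
    public static string EscapeValue(string value)
    {
        if (value == null) throw new ArgumentNullException(nameof(value));
        var sb = new StringBuilder(value.Length + 8);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Builds the user lookup filter with the supplied name as a literal value.
    public static string ForSamAccountName(string userName)
    {
        if (string.IsNullOrWhiteSpace(userName))
            throw new ArgumentException("user name is empty", nameof(userName));

        string filter = string.Format(UserTemplate, EscapeValue(userName));

        // Defence in depth: the value must not have added filter syntax.
        if (!SameStructure(UserTemplate, filter))
            throw new InvalidOperationException("filter structure changed");
        return filter;
    }

    // True when both strings contain the same number of raw '(' ')' and '*'.
    static bool SameStructure(string template, string filter)
    {
        foreach (char c in "()*")
        {
            if (template.Count(ch => ch == c) != filter.Count(ch => ch == c))
                return false;
        }
        return true;
    }

    static void Main()
    {
        // Constructed sample inputs.
        string[] names = { "jsmith", "Smith (Ops)", "a*b", @"corp\jsmith" };
        foreach (string name in names)
            Console.WriteLine("{0,-12} -> {1}", name, ForSamAccountName(name));
    }
}
```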

Documentation claims LdapConnection.Search is synchronous, but it isn't.

e.g.

LdapSearchResults queue = cn.Search("ou=base,dc=example,dc=com", LdapConnection.SCOPE_BASE, null, null, false);
Console.WriteLine(queue.Count);
Thread.Sleep(1000);
Console.WriteLine(queue.Count);

will give different numbers for the count. The intellisense docs say:

Synchronously performs the search specified by the parameters.

Is there any way of waiting until it is done before returning?

Implement authentication with client certificate

I have existing S.DS.Protocols code that I am migrating to .NET Core, and I can connect fine to my LDAP servers that require username/pwd and everything works as expected.

Now I also have servers that require certificate authentication.

Here is the existing code:

var cert = new X509Certificate(keystoreStream.ToArray(), keyStorePassword, X509KeyStorageFlags.MachineKeySet);
var ldapDirectoryIdentifier = new LdapDirectoryIdentifier(hostName, portNumber, true, false);
ldapConnection = new LdapConnection(ldapDirectoryIdentifier, null, AuthType.External);
ldapConnection.SessionOptions.SecureSocketLayer = true;
ldapConnection.ClientCertificates.Add(cert);
ldapConnection.SessionOptions.VerifyServerCertificate = new VerifyServerCertificateCallback((con, cer) => true);
ldapConnection.SessionOptions.ProtocolVersion = 3;
ldapConnection.Bind();

How can I do the identical binding using the Novell library? I don't see a way to support the external auth type or to bind without a username/password.

Get Usergroups from ActiveDirectory after Login

Hello,

is it possible to get all groups from a specific user?
Something like:

using (var cn = new LdapConnection())

 {
     // connect
     cn.Connect("domain", 389);
     // bind with a username and password
     // this is how you can verify the password of a user
     cn.Bind("user", "pw");
     var usergroups = cn.GetUserGroups();
 }

I have tested the samples from this project, but i didn't find a solution.

Thanks for your work on this library.
