ASP.NET Core LDAP Authentication Middleware

This project implements middleware for ASP.NET Core that enables authenticating users against LDAP directories like Active Directory via an LDAP bind.

There are two flavours, the first being Visus.LdapAuthentication, which uses Novell's C#-only LDAP library rather than the Windows-only DirectoryServices and therefore runs on Windows and Linux.

The second, Visus.DirectoryAuthentication, is a drop-in replacement using System.DirectoryServices.Protocols, which has been a platform-independent implementation of LDAP services since .NET 5, but requires native LDAP libraries to be installed for P/Invoke.

Built-in user objects are automatically mapped to Active Directory attributes based on code annotations and include commonly used claims like user name, actual names, e-mail addresses and group memberships. If necessary, you can also provide your own user object that uses a completely different mapping of LDAP attributes to claims.

Usage

  1. Using Visus.LdapAuthentication
  2. Using Visus.DirectoryAuthentication
  3. Differences between LdapAuthentication and DirectoryAuthentication

Using Visus.LdapAuthentication

See README for Visus.LdapAuthentication.

Using Visus.DirectoryAuthentication

See README for Visus.DirectoryAuthentication.

Differences between LdapAuthentication and DirectoryAuthentication

Warning: We do not have Visus.DirectoryAuthentication in production yet, so it has only been tested using artificial test cases.

Visus.DirectoryAuthentication and Visus.LdapAuthentication can mostly be used interchangeably with a few exceptions:

  1. System.DirectoryServices.Protocols requires native LDAP libraries to be installed for P/Invoke. This should be the case for all Windows platforms by default, but on Linux, libldap must be installed.
  2. The ILdapOptions.Timeout property is a System.TimeSpan rather than a number representing milliseconds. When configuring from JSON, use a string in the format "hh:mm:ss".
  3. ILdapOptions.RootCaThumbprint is not supported. You can, however, check the immediate issuer of the server's certificate using ILdapOptions.ServerCertificateIssuer.
  4. ILdapOptions does not provide the legacy string-based SearchBase option, but must be configured with the IDictionary<string, System.DirectoryServices.Protocols.SearchScope> variant. This is a breaking change compared to version 0.4.0!
  5. TODO: Bind using Windows credentials.
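
Item 2 matters when a configuration is carried over from Visus.LdapAuthentication: a leftover millisecond value such as 30000 is not in the "hh:mm:ss" form, and .NET's TimeSpan.Parse reads a bare number as whole days. The check below is an added example, not code from this project; the class name, the method name and the five-minute upper bound are assumptions.

```csharp
using System;
using System.Globalization;

// Added example: validates a "Timeout" string before it is used as a TimeSpan.
// TimeoutMigrationCheck and TryReadTimeout are hypothetical names, not library API.
public static class TimeoutMigrationCheck
{
    // Upper bound is an assumption for this example; choose one that fits your directory.
    private static readonly TimeSpan MaxTimeout = TimeSpan.FromMinutes(5);

    // Accepts only the "hh:mm:ss" form named in the README and rejects bare
    // numbers, which a lenient TimeSpan.Parse would interpret as whole days.
    public static bool TryReadTimeout(string raw, out TimeSpan timeout, out string error)
    {
        error = string.Empty;
        if (!TimeSpan.TryParseExact(raw, @"hh\:mm\:ss", CultureInfo.InvariantCulture, out timeout))
        {
            error = TimeSpan.TryParse(raw, CultureInfo.InvariantCulture, out var lax)
                ? $"'{raw}' is not hh:mm:ss; a lenient parse would yield {lax.TotalDays} days"
                : $"'{raw}' is not a time span";
            return false;
        }
        if (timeout <= TimeSpan.Zero || timeout > MaxTimeout)
        {
            error = $"'{raw}' is outside the accepted range (0, {MaxTimeout}]";
            return false;
        }
        return true;
    }

    public static void Main()
    {
        // Constructed sample values: old millisecond setting, new format,
        // a value that is well-formed but too long, and a typo.
        foreach (var raw in new[] { "30000", "00:00:30", "00:30:00", "30s" })
        {
            Console.WriteLine(TryReadTimeout(raw, out var t, out var err)
                ? $"{raw,-10} ok: {t.TotalSeconds} s"
                : $"{raw,-10} rejected: {err}");
        }
    }
}
```

Running such a check at start-up makes a stale millisecond value fail loudly instead of becoming a timeout that effectively never expires.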