Novell LDAP C# - Novell.Directory.Ldap - has anyone gotten it to work?
I'm trying to use the library released by Novell (Novell.Directory.Ldap). Version 2.1.10.
What I've done so far:
I tested the connection with an application (LdapBrowser) and it's working, so its not a communication problem.
It's compiled in Mono, but I'm working with Visual Studio. So created a project with the sources. I also included a reference to Mono.Security, because the project depended on it.
I commented a call (freeWriteSemaphore(semId); ) in the error catching part of the connection, because it was throwing more exceptions. I checked what that call did, and its just a error tracing mechanism.
I followed the basics steps provided in the documentation by Novell (http://www.novell.com/coolsolutions/feature/11204.html).
```csharp
using Novell.Directory.Ldap;

// Creating an LdapConnection instance
LdapConnection ldapConn = new LdapConnection();
ldapConn.SecureSocketLayer = ldapPort == 636;
// Connect function will create a socket connection to the server
ldapConn.Connect(ldapHost, ldapPort);
// Bind function will Bind the user object Credentials to the Server
ldapConn.Bind(userDN, userPasswd);
```
Right now it's crashing at the Bind() function. I get the error 91.
So, has someone ever used this library and seen it work? If so, what did you do to make it work, is there some special configuration needed? Is there a way to make it work in .NET environment without Mono (I can have references to Mono dlls, but I don't want it to be installed on the server)?
(UPDATE)
The connection is on port 636, thus using SSL. I checked the communication with WireShark and compared it with what I get from LDAP Browser. I've seen that the step where the SSL certificate is communicated is not done by the LDAP library. So, what is the best way to make it do what it's supposed to?
(UPDATE) I checked the documentation and it's indicating that it doesn't support SSL. http://www.novell.com/coolsolutions/feature/11204.html
"Authenticate to the LDAP server with LdapConnection.Bind(). We support only cleartext authentication. SSL/TLS support is yet to be added."
But the documentation dates from 2004, and since then many updates have been made. And there is a parameter in the library to define whether the connection uses SSL. So now I'm confused.
(UPDATE) Found more up-to-date documentation: http://developer.novell.com/documentation//ldapcsharp/index.html?page=/documentation//ldapcsharp/cnet/data/bqwa5p0.html. The way the SSL connection is made is by registering the certificate on the server. The problem is that what I'm doing is not bound to a specific Novell server, so the certificate must be obtained dynamically.
Comments (8)
I came looking for a solution to a similar problem. My bind command would fail as well while using the same code from Novell's website. The solution that worked for me was adding a dynamic certificate validation callback. You can read about it here.
The UserDefinedServerCertValidationDelegate is obsolete, so if it is an issue with invalid SSL certificates, you can skip the certificate validation this way:
You should however review whether ignoring the certificate is a secure solution for your application.
91 is "cannot connect". Try to put the server in "ldap://x.x.x.x" format, check that userDN is set properly (with domain etc).
I often use WireShark to see what is going on at the network level (it is aware of the LDAP protocol).
I finally found a way to make this work.
First, these posts helped me get on the right track: http://directoryprogramming.net/forums/thread/788.aspx
Second, I got a compiled dll of the Novell LDAP Library and used the Mono.Security.Dll.
The solution:
I added this function to the code
And I used it in the binding process
The key elements are using the SSL handler to dynamically obtain the certificate, and using X509StoreManager.LocalMachine so that when the website is running it's able to save and fetch the certificates.
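The three answers above all hang the fix on the server-certificate callback of the Novell.Directory.Ldap 2.x library: one skips validation, one stores the certificate on first contact, one links to a "dynamic" callback. The following is an added example, not code from any of the answers or from Novell, showing the defensive version of that callback: the certificate the server presents is chained to the tree CA the administrator exported, the chain root is pinned by thumbprint, and the host name is checked, so a man-in-the-middle with an arbitrary certificate is rejected instead of silently accepted. Assumed: the `CertificateValidationCallback(X509Certificate, int[])` delegate signature and the `UserDefinedServerCertValidationDelegate` property of the 2.x library (the only pieces not visible on this page are their exact declarations), and the placeholder host name, port, DN and CA file path.

```csharp
// Added example, not the answers' own code. Targets Novell.Directory.Ldap 2.x.
// Placeholders: LdapHost, LdapsPort, CaCertPath and the DN passed to Bind().
using System;
using System.Security.Cryptography.X509Certificates;
using Novell.Directory.Ldap;
using Syscert = System.Security.Cryptography.X509Certificates;

public static class SecureLdapBind
{
    const string LdapHost   = "ldap.example.test";        // placeholder
    const int    LdapsPort  = 636;
    const string CaCertPath = @"C:\certs\tree-ca.cer";    // placeholder: exported eDirectory tree CA

    // Trust anchor loaded once: the directory's own CA, independent of the machine store.
    static readonly X509Certificate2 TreeCa = new X509Certificate2(CaCertPath);

    // Assumed signature of the library's CertificateValidationCallback delegate.
    // Return true only when the presented certificate chains to TreeCa and names LdapHost.
    public static bool ValidateServerCert(Syscert.X509Certificate certificate, int[] certificateErrors)
    {
        var serverCert = new X509Certificate2(certificate.GetRawCertData());

        var chain = new X509Chain();
        // ExtraStore makes the tree CA available to the chain builder. AllowUnknownCertificateAuthority
        // only suppresses the "untrusted root" status; the thumbprint comparison below is what
        // actually pins trust, so a chain ending at any other root is still refused.
        chain.ChainPolicy.ExtraStore.Add(TreeCa);
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // no reachable CRL from most clients

        bool built = chain.Build(serverCert);
        if (!built)
        {
            foreach (X509ChainStatus status in chain.ChainStatus)
                Console.Error.WriteLine("Chain problem: " + status.StatusInformation.Trim());
            return false;
        }

        X509Certificate2 root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        if (!string.Equals(root.Thumbprint, TreeCa.Thumbprint, StringComparison.OrdinalIgnoreCase))
        {
            Console.Error.WriteLine("Server certificate does not chain to the expected tree CA");
            return false;
        }

        // The library performs no host-name check itself, so compare the DNS name in the
        // certificate (SAN, falling back to subject CN) with the host we set out to reach.
        string certHost = serverCert.GetNameInfo(X509NameType.DnsName, false);
        if (!string.Equals(certHost, LdapHost, StringComparison.OrdinalIgnoreCase))
        {
            Console.Error.WriteLine("Certificate is for '" + certHost + "', expected '" + LdapHost + "'");
            return false;
        }
        return true;
    }

    // Simple bind over LDAPS; the user password is protected by the validated TLS channel.
    public static void Bind(string userDn, string password)
    {
        LdapConnection conn = new LdapConnection();
        conn.SecureSocketLayer = true;
        conn.UserDefinedServerCertValidationDelegate += new CertificateValidationCallback(ValidateServerCert);
        conn.Connect(LdapHost, LdapsPort);
        conn.Bind(userDn, password);
        Console.WriteLine("Bind succeeded for " + userDn);
        conn.Disconnect();
    }
}
```

Compared with returning `true` unconditionally, the only extra deployment step is shipping the tree CA file with the application, which is also what makes the code portable across Novell servers that the question asks about: the callback trusts whatever CA the operator configured, not whichever certificate happened to arrive first.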
I work on Forefront Identity Manager integration. So the code I write always comes from a few calling clients. This may not be appropriate if you are trying to package an application for use "anywhere".
I just wanted to update this thread with a simple solution for Novell servers which have the default TLS/SSL "confidentiality required" option enabled.
1) Make sure you get the SSL certificates off the Novell server you are binding to and enroll those into the trusted store on the executing client / server. There are normally two: one for the IP and one for the hostname, dependent on which you will call (DNS preferable)
2) Import the following / add references
```csharp
using System.DirectoryServices;
using System.DirectoryServices.Protocols;
```
3) Here is a snippet. Make sure you choose the AuthenticationTypes.SecureSocketsLayer which is key.
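The snippet itself did not survive on this page, so what follows is an added example, not the answer's own code, of the approach the three steps describe: a simple bind to eDirectory over LDAPS through `System.DirectoryServices` with `AuthenticationTypes.SecureSocketsLayer`, relying on the tree CA enrolled in the Windows trusted store (step 1) for certificate validation, followed by a user lookup whose filter value is escaped per RFC 4515 so a caller-supplied login name cannot change the filter's structure. Host, base DN, service account and object class are placeholders; the COM error codes in the comments are the standard Windows HRESULTs for "server not operational" and "logon failure" and are the usual symptoms, not a guaranteed mapping.

```csharp
// Added example, not the answer's snippet. Windows/.NET Framework, System.DirectoryServices (ADSI).
// Placeholders: LdapsPath and ServiceDn.
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Text;

public static class EdirLookup
{
    const string LdapsPath = "LDAP://ldap.example.test:636/o=example";   // placeholder
    const string ServiceDn = "cn=svc-lookup,ou=services,o=example";       // placeholder

    // RFC 4515 escaping: the five characters that carry meaning inside a filter.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Returns the ADSI path of the matching user, or null when there is no match.
    public static string FindUserPath(string servicePassword, string loginName)
    {
        // SecureSocketsLayer alone = simple bind inside TLS. Adding AuthenticationTypes.Secure
        // would request Windows (SSPI) authentication, which an eDirectory server does not offer.
        using (var root = new DirectoryEntry(LdapsPath, ServiceDn, servicePassword,
                                             AuthenticationTypes.SecureSocketsLayer))
        {
            try
            {
                root.RefreshCache();   // forces the bind now instead of on first property access
            }
            catch (COMException ex)
            {
                // 0x8007203A ("server is not operational") is the usual symptom of a failed TLS
                // handshake, e.g. tree CA not in the trusted store; 0x8007052E is a bad DN/password.
                Console.Error.WriteLine("Bind failed: 0x{0:X8} {1}", ex.ErrorCode, ex.Message);
                throw;
            }

            string filter = "(&(objectClass=inetOrgPerson)(cn=" + EscapeFilterValue(loginName) + "))";
            using (var searcher = new DirectorySearcher(root, filter, new[] { "cn" }))
            {
                searcher.SearchScope = SearchScope.Subtree;
                SearchResult hit = searcher.FindOne();
                return hit == null ? null : hit.Path;
            }
        }
    }
}
```

Because ADSI validates the server certificate against the Windows store, this variant needs no validation callback at all, but it also means the application only works where the tree CA has been enrolled, which is exactly the "not appropriate for use anywhere" caveat the answer opens with.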
I think I may have already offered this answer to someone else in a different question.
[OtherQuestion on LDAP][1]
Two issues I think: 1) What kind of bind are you trying to do? SSL? Clear text? Anonymous?
2) How is it configured on the eDirectory side for LDAP binds?
The tool LDAP Browser, are you referring to the one at this link?
Free LDAP Browser
On the eDirectory side, they can require TLS for all LDAP communication, and they can disallow Anonymous binds.
Can you ask the folks at the other end to enable LDAP tracing (Using DStrace with the +LDAP option enabled, some links for how to use Dstrace on Novell eDirectory look at: Different types of Dstrace Capturing and understand DS Trace for Identity Manager.)
That usually will show an error message that will enlighten you.
My guess is either Require TLS is enabled, and you might not be doing a successful SSL bind.
If so, try to connect on port 636, with SSL enabled, and a fully qualified DN for the user you are trying to login as.
If you are trying with SSL enabled, and you are not getting a pop up box about accepting the tree CA's trusted root certificate, then perhaps the CA or the SSL certificate that the eDirectory server is using has expired or is broken. (There are any number of causes for this that can be common, and take but a moment to fix).
Usually in Dstrace you will see an error about the SSL certificate if there is a problem. An example from a Novell Identity Manager perspective of an expired certificate is in this article: Certificate Expired As well as some details on how to fix the certificates.
Next possibility is that the DN you are specifying is not quite correct.
Let me know if you need more help.
Following my previous post - if you have to use secure connection, try to use ldaps:// as a prefix to server address.
If there is no SSL/TLS support, you can try this - guidelines and .NET wrapper for OpenLDAP library.
One important point - there are settings for TLS security level in OpenLDAP, so if your LDAP server has a self-signed certificate you either have to import it on the client side or set TLS to not check the signing authority (that is less secure of course).
I had gone through this scenario; for me the Novell LDAP service was running in a Kubernetes container. I tried adding the CA certificate to the Mono trust store, which adds the file inside "/usr/share/.mono/certs/Trust" in the Linux container. But nothing worked; the Novell connection was still not successful on LDAP port 636.
Finally I made it work in the following way: