I'm trying to replace Microsoft's DirectorySearcher in my application, mainly because it is really slow in our use case (when I do a search for a single user account to retrieve his givenName, sn and objectGUID using the sAMAccountName as a filter, it takes around 400 ms per user, and in some cases I have to get it for many users).

So I tried Novell LDAP, both the original version and the .NET Standard one. Performance for the original is good, but .NET Standard is even better. The same case where Microsoft's takes 400 ms, this one takes 3 ms. So far so good.

To get to this point quickly, I hardcoded my domain credentials. Now, trying to replace Microsoft's implementation in our application, I realised we were using NTLM authentication, and I would like this change to be transparent to my users (not having to ask them for their domain credentials).

Looking at the protocol details, LDAP calls with Wireshark and Novell's source code, I quickly realised that it is something they did not implement. So, I'm kind of back to square one...

I need a fast LDAP library that can authenticate (bind) through NTLM (SASL GSS-SPNEGO).

Does such a thing exist? I've searched NuGet and asked Google, but did not find much.

Thanks!

itsme86: In my experience, DirectorySearcher is the fastest option. Are you using the overload that allows you to restrict which properties are loaded? I've noticed that can make a significant difference.

Carl Quirion: Yes, I was loading only the properties I needed. My issue ended up being negotiation between my client and my test domain controller/Active Directory. Someone suggested that I use the same credentials, from my real domain, on my test domain, to avoid having to actually log on to it and all... that was a mistake and was the cause of the slowdown in NTLM authentication. I could not replicate this issue when properly logged on to our production domain/Active Directory. In that case, there wasn't a noticeable difference between simple authentication and NTLM.

1 Answer

You are likely to see slowness with any LDAP lib if you use SASL with NTLM.

The simple bind means you are auth'd in one request, after the TCP three-way handshake. No matter the lib, with SASL and NTLM, you have another three messages before you can send your search request.

I have found the MS System.DirectoryServices.Protocols namespace to be a very fast LDAP client lib. There are many optimizations you may do, depending on your use case. https://msdn.microsoft.com/en-us/library/ms808539.aspx

I would dispute itsme86 on the DirectorySearcher. It uses ADSI, which means it has to convert to LDAP client side first. S.DS.P lets you craft pure LDAP.
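As an added illustration (example code written for this page, not the answerer's or the asker's code) of the S.DS.P approach the answer recommends: one bind with the current Windows logon via Negotiate, so the user is never prompted, followed by a single search that asks the server for only the three attributes the question needs. The host name, base DN and account name are placeholders; the filter value is escaped per RFC 4515 so that a caller-supplied account name cannot change the meaning of the filter.

```csharp
// Added example, not code from the original question or answer.
// Host name and base DN below are placeholders for your own domain.
using System;
using System.DirectoryServices.Protocols;
using System.Text;

static class UserLookup
{
    // RFC 4515 escaping for a value placed inside an LDAP search filter.
    // Without this, an account name containing '*', '(', ')' or '\' would
    // alter the filter rather than be matched literally.
    static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    static void Main(string[] args)
    {
        string server  = "dc01.example.internal";   // placeholder: a domain controller
        string baseDn  = "DC=example,DC=internal";  // placeholder: the domain's base DN
        string account = args.Length > 0 ? args[0] : "jdoe";   // placeholder sAMAccountName

        var identifier = new LdapDirectoryIdentifier(server, 389,
            fullyQualifiedDnsHostName: true, connectionless: false);

        using (var conn = new LdapConnection(identifier))
        {
            // Negotiate selects Kerberos when a ticket is available and falls back
            // to NTLM otherwise. Bind() with no credentials uses the process's
            // current Windows identity, so nothing is asked of the user.
            conn.AuthType = AuthType.Negotiate;
            conn.SessionOptions.ProtocolVersion = 3;
            conn.SessionOptions.Signing = true;   // integrity protection of the session
            conn.SessionOptions.Sealing = true;   // encryption of the LDAP traffic after the bind
            conn.Bind();

            // One request that names exactly the attributes wanted; the server
            // returns nothing else, which is where most of the time saving comes from.
            var request = new SearchRequest(
                baseDn,
                "(&(objectClass=user)(sAMAccountName=" + EscapeFilterValue(account) + "))",
                SearchScope.Subtree,
                "givenName", "sn", "objectGUID");
            request.SizeLimit = 1;   // sAMAccountName is unique in the domain

            var response = (SearchResponse)conn.SendRequest(request);
            foreach (SearchResultEntry entry in response.Entries)
            {
                // S.DS.P hands back strings for string-syntax attributes and
                // byte[] for binary ones such as objectGUID.
                string givenName = entry.Attributes["givenName"]?[0] as string;
                string sn        = entry.Attributes["sn"]?[0] as string;
                byte[] guidBytes = entry.Attributes["objectGUID"]?[0] as byte[];
                Guid guid = guidBytes != null ? new Guid(guidBytes) : Guid.Empty;

                Console.WriteLine($"{entry.DistinguishedName}: {givenName} {sn} {guid}");
            }
        }
    }
}
```

If the extra round trips of the SASL exchange matter more than transparent sign-on, the same code works with `AuthType.Basic` and an explicit `NetworkCredential`, which is the one-request simple bind the answer describes; in that configuration the connection should be wrapped in TLS (`SessionOptions.SecureSocketLayer` or a StartTLS call), since a simple bind sends the password in the clear.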