Use SSL to connect to LDAP with .Net DirectoryServices

0
votes

I have some .NET working code (both as a desktop application and as a IIS deployment) to read data from LDAP:

string ldapUrl = "LDAP://myLdapUrl.example/ou=user,dc=MyDC";
AuthenticationTypes auth = AuthenticationTypes.None;
using (DirectoryEntry directoryEntry = new DirectoryEntry(
   ldapUrl,
   "cn=ldap_user,ou=user,dc=MyDC",
   "NotMyTruePassword",
   auth)
{
   using (DirectorySearcher directorySearcher = new DirectorySearcher(directoryEntry))
   {
       directorySearcher.PropertiesToLoad.AddRange(new[] { "uid", "givenname", "sn", "middlename", "description", "memberof" });
       directorySearcher.Filter = String.Format("(&(objectclass=person)(cn={0}))", user);
       directorySearcher.SearchScope = SearchScope.OneLevel;
       directorySearcher.SizeLimit = 10;
       SearchResult searchResult = directorySearcher.FindOne();
   }
}

But when I try to connect to the LDAPS port (636), it fails with a

System.Runtime.InteropServices.COMException (0x8007203A): Server is not operational.

Considerations:

  • I have added the server CA to my acount through MMC.

  • After that, I can connect to the LDAPS port using LdapAdmin.

  • I have tried the following changes:

    1. Just adding the port to the server URL1:

      string ldapUrl = "LDAP://myLdapUrl.example:636/ou=user,dc=MyDC";

    2. Adding the port and changing the authTypes to SecureSocketsLayer2:

      string ldapUrl = "LDAP://myLdapUrl.example:636/ou=user,dc=MyDC";
AuthenticationTypes auth = AuthenticationTypes.SecureSocketsLayer;

    3. Adding the port and changing the authType to Secure2:

      string ldapUrl = "LDAP://myLdapUrl.example:636/ou=user,dc=MyDC";
AuthenticationTypes auth = AuthenticationTypes.Secure;

And I always get the same results.

I have found some examples using directly the LDAP connections (from System.DirectoryServices.Protocols) but I would prefer not to change the code as I already got it working.

1 I often see some people claiming that I should change LDAP:// for LDAPS:, but it seems that it is not how DirectoryServices works. And in any case that fails, too.

2 I am pretty sure those two options are for authentication and not for setting up the SSL connection, but I have tried them anyway.

2
c#.netsslldapdirectoryservices

2 Answers

0
votes

For security oriented connection, we cannot use the AuthenticationType.None.
Could you try with the below one.
AuthenticationTypes authType = AuthenricationTypes.Secure;

0
votes

Have you confirmed it's not a network issue?

From PowerShell you can use this to test the connection:

Test-NetConnection myLdapUrl.example -Port 636

If that works, then it's possible that the certificate from your server is not trusted. You can use this PowerShell code to download the certficate into a .cer file that you can open and inspect:

$webRequest = [Net.WebRequest]::Create("https://myLdapUrl.example:636")
try { $webRequest.GetResponse() } catch {}
$cert = $webRequest.ServicePoint.Certificate
$bytes = $cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert)
set-content -value $bytes -encoding byte -path "$home\Downloads\myLdapUrl.example.cer"

That will save myLdapUrl.example.cer to your Downloads folder. Double-click on it to view it. There will be an obvious warning there if the certificate is not trusted. If that's the case, you need to get the root certificate and install it as a trusted cert on each computer this code will run on.