BpcADSI

From RiskWiki



Active Directory support through ADSI interface

Language: Delphi 7 - 2007


Overview

Provides Active Directory support for login and password authentication using one of two modes, bpcADSIWinNT (WinNT lookup) or bpcADSILdap (LDAP lookup), as well as discovery of the current user. The component works both in a DLL loaded on a server and in a desktop application.


Registers the TbpcADSI component in the Delphi IDE.

Example canonical string (used for LDAP authentication):

CN=Fred,DC=bishopphillips,DC=com


IMPORTANT NOTE FOR AUTHENTICATION MODES

  • IF FAuthMode=bpcADSILdap:
  Use where user accounts have bad-login lockout enabled.


While the WinNT provider could perform the entire access check and return the user object in one step given the username and password, it attempts Kerberos first and falls back to NT authentication if that fails. A bad password therefore produces at least two, and possibly three, failed login attempts, which is enough to trigger the account lockout flag under normal lockout settings. So the password has to be tested over LDAP instead. But a user object in AD cannot be reached over LDAP without its canonical name (full distinguished name), so the username alone is insufficient. The component therefore binds to the Users container over LDAP using the username and password to authenticate, and if that succeeds it uses WinNT (with either the cached LDAP login or the launching user's login; it is not certain whether WinNT can see LDAP caches) to access the user object.

  • IF FAuthMode=bpcADSIWinNT:
  Use where user accounts DO NOT have bad-login lockout enabled. Uses WinNT only (faster).


uses SysUtils, Classes, ActiveX, Windows, Types, ComCtrls, ExtCtrls, ActiveDs_TLB, adshlp, oleserver, Variants;
 
type
  TbpcADPassword = record
    Expired: boolean;
    NeverExpires: boolean;
    CannotChange: boolean;
  end;

type
  TbpcADSIUserInfo = record
    UID: string;
    UserName: string;
    Description: string;
    Password: TbpcADPassword;
    Disabled: boolean;
    LockedOut: boolean;
    Groups: string; //CSV
  end;

type
  TbpcADSIAuthMode = ( bpcADSIWinNT, bpcADSILdap );

  TbpcADSI = class(TComponent)
  private
    FUserName:  string;
    FPassword:  string;
    FCurrentUser: string;
    FCurrentDomain: string;
    FAuthMode : TbpcADSIAuthMode;
    FLDAPCanonical : string;

    function GetCurrentUserName: string;
    function GetCurrentDomain: string;


  protected
    { Protected declarations }
  public
    AnonWinNTError : boolean;
    constructor Create(AOwner: TComponent); override;
    destructor Destroy; override;

    property CurrentUserName: string read FCurrentUser;
    property CurrentDomain: string read FCurrentDomain;

    function GetUser(Domain, UserName: string; var ADSIUser: TbpcADSIUserInfo): boolean;
    function Authenticate(Domain, UserName, Group: string): boolean;

  published
    property LoginUserName: string read FUserName write FUserName;
    property LoginPassword: string read FPassword write FPassword; 
    property LDAPCanonical : string read FLDAPCanonical write FLDAPCanonical;
    property AuthMode : TbpcADSIAuthMode read FAuthMode write FAuthMode;
  end;
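The bpcADSILdap flow described in the authentication-mode note above, as an added Delphi example that is not the component's own implementation: a single ADSI LDAP bind against the Users container to test the password, then a WinNT lookup to fill the TbpcADSIUserInfo record declared on this page. It assumes the ADsOpenObject/ADsGetObject declarations from the adshlp unit in this page's uses clause, that the code sits in the unit declaring TbpcADSIUserInfo, and that LdapServer and BaseDN are supplied by the caller.

```delphi
uses Windows, ActiveX, ActiveDs_TLB, adshlp;

// Step 1: one LDAP bind against the Users container. A wrong password fails
// here after a single attempt instead of the two or three the WinNT provider
// would generate. LdapServer and BaseDN are assumed inputs, for example
// 'dc1.example.com' and 'DC=example,DC=com'.
function CheckPasswordViaLdap(const LdapServer, BaseDN, Domain, UserName,
  Password: string): boolean;
var
  Container: IADsContainer;
begin
  Result := Succeeded(ADsOpenObject(
    'LDAP://' + LdapServer + '/CN=Users,' + BaseDN,
    Domain + '\' + UserName, Password,
    ADS_SECURE_AUTHENTICATION, IADsContainer, Container));
end;

// Step 2: read the user object through the WinNT provider under the caller's
// own (launching user's) credentials and fill the page's TbpcADSIUserInfo.
function GetUserViaWinNT(const Domain, UserName: string;
  var Info: TbpcADSIUserInfo): boolean;
var
  User: IADsUser;
  Enum: IEnumVariant;
  Item: OleVariant;
  Fetched: LongWord;
  Grp: IADs;
begin
  Result := Succeeded(ADsGetObject(
    'WinNT://' + Domain + '/' + UserName + ',user', IADsUser, User));
  if not Result then Exit;
  Info.UserName := User.Name;
  Info.Description := User.Description;
  Info.Disabled := User.AccountDisabled;
  Info.LockedOut := User.IsAccountLocked;
  Info.Groups := '';                       // CSV, as the record's comment says
  Enum := User.Groups._NewEnum as IEnumVariant;
  while Enum.Next(1, Item, Fetched) = S_OK do
  begin
    Grp := IUnknown(Item) as IADs;
    if Info.Groups <> '' then Info.Groups := Info.Groups + ',';
    Info.Groups := Info.Groups + Grp.Name;
  end;
end;
```

An Authenticate call in bpcADSILdap mode would run CheckPasswordViaLdap first and only on success call GetUserViaWinNT; CoInitialize must already have been called on the calling thread before either ADSI call.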

CopyRight Bishop Phillips Consulting Pty Ltd 1997-2012 ( BpcADSI )