Well after a bunch of work, I have some stuff I did to give to a user to see how things react.
Crossing fingers
ldap.Search('uid=einstein,dc=example,dc=com', False, '(objectclass=*)', ['*']);
Then using LDAP.SearchResult.Dump
results: 1 in 15.96ms
0:
objectName : uid=einstein,dc=example,dc=com
objectClass :
- inetOrgPerson
- organizationalPerson
- person
- top
userPassword : {sha}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
cn : Albert Einstein
sn : Einstein
uid : einstein
mail : einstein@ldap.forumsys.com
telephoneNumber : 314-159-2653
Also using LDAP.SearchResult.GetJson
{
  "uid=einstein,dc=example,dc=com": {
    "objectName": "uid=einstein,dc=example,dc=com",
    "objectClass": [
      "inetOrgPerson",
      "organizationalPerson",
      "person",
      "top"
    ],
    "userPassword": "{sha}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",
    "cn": "Albert Einstein",
    "sn": "Einstein",
    "uid": "einstein",
    "mail": "einstein@ldap.forumsys.com",
    "telephoneNumber": "314-159-2653"
  }
}
This might get me by maybe.. if GetUserInfo fails... ?
Well.. it doesn't blow up now.
But I have no user info either.
Not sure what I can do to get that.
I have a user out in the wild having the same problem.
But fighting on getting what kind of LDAP server setup they even have.
Expanding base 'uid=einstein,dc=example,dc=com'...
Getting 1 entries:
Dn: uid=einstein,dc=example,dc=com
cn: Albert Einstein;
mail: einstein@ldap.forumsys.com;
objectClass (4): inetOrgPerson; organizationalPerson; person; top;
sn: Einstein;
telephoneNumber: 314-159-2653;
uid: einstein;
Not 100% sure what LDP.exe is doing to pull that, but would need to do the same I think.
Thanks! I will check it out. I only stumbled across this due to trying to test against NON ADFS LDAP servers. All I have at my disposal is AD LDAP servers, so wanted to try something different.
Is there other "free" test servers you know of and can recommend to hit up?
Using LDP.exe I can do some stuff...
Dn: uid=einstein,dc=example,dc=com
cn: Albert Einstein;
mail: einstein@ldap.forumsys.com;
objectClass (4): inetOrgPerson; organizationalPerson; person; top;
sn: Einstein;
telephoneNumber: 314-159-2653;
uid: einstein;
userPassword: {sha}W6ph5Mm5Pz8GgiULbPgzG37mj9g=;
I can get a connection to ldap.forumsys.com
username is "uid=einstein,dc=example,dc=com"
password is "password"
TLdapClient.Connect - works
TLdapClient.Connect(false) - works
TLdapClient.Bind - works
TLdapClient.Connected(True) - works
TLdapClient.GetUserInfo - throws an exception error.
It seems to error out in
procedure TLdapClient.RetrieveRootDseInfo;
..
..
fRootDN := root.Attributes.GetByName('rootDomainNamingContext');
..
..
because root itself is NIL when I inspect it.
Using Delphi 12.3 and latest mORMot2 as of today.
What would be the trouble of asking for a simple demo program to connect to this free test server service?
To connect, bind, GetUserInfo then do
var
  LDAPProperties := LDAP.SearchAll([], ObjectFilter(ofUsers, getUserNameOnly(self.Username.text)),
    [roCanonicalNameAtRoot, roSortByName, roSddlKnownUuid, roAutoRange, roKnownValuesAsArray]);
To get the JSON dump of this info?
Also, I am struggling to know when to do what when it comes to this login process.
I have some AD LDAP servers, where the user just types in an email address and it works fine.
But when/where do I deal with cases where a person would have to type in something like "uid=einstein,dc=example,dc=com"?
A bit wordy? Has to be something easier? Or is this because of just a goofy test server setup requiring this for some reason?
Is there an example of a login process that would basically handle any and all possible login types?
Or maybe a good guide? As I have zero clue what people will be using. Or their setups.
And need to make it work as best as possible with any LDAP configuration. No matter how goofy it is.
Ok that works for on the JSON.
But I guess my concern is... you said to use "WhoAmI" ... to get details... but what I found didn't do what we thought?
And if that's the case, should it be something else? Or is what I did here, after the Kerberos call, the "proper" way?
Sorry for these kinds of questions... but trying to find stuff online gives such mixed results... from upwards of 20 years ago.
Having someone to ask at this moment in time helps get better/more direct answers than reading posts and blogs from eons ago.
I have something like this at its basic level...
  LDAP := TLdapClient.Create;
  LDAP.settings.Tls := false;
  LDAP.settings.AllowUnsafePasswordBind := True; // only needed because TLS is off
  LDAP.settings.TargetHost := LDAPServerAddr;
  LDAP.Connect;
  if LDAP.BindSaslKerberos then // SASL bind with the logged-on Windows (Kerberos) credentials
  begin
    writeln('authenticated via Kerberos');
    writeln(LDAP.ExtWhoAmI); // RFC 4532 "Who am I?": returns only the authorization identity
  end
  else
  begin
    writeln('authenticating via Kerberos - FAILED');
  end;
When it runs I get
authenticated via Kerberos
u:2022SERVER\STEVEN
So it "worked" on the BindSaslKerberos I take it... but for the ExtWhoAmI, all I get is well.. who I am... but no profile details.
I searched the source but this was the only code with "whoami" in it... so not 100% sure what to do about that....
but what I did find...
is after the good BindSaslKerberos call, I can use this code that you gave me earlier...
  if LDAP.BindSaslKerberos then
  begin
    // search the bound user's own entry and get every attribute back as a variant document
    var LDAPProperties := LDAP.SearchAll([], ObjectFilter(ofUsers, windowsUser),
      [roCanonicalNameAtRoot, roSortByName, roSddlKnownUuid, roAutoRange, roKnownValuesAsArray]);
    if VarIsEmpty(LDAPProperties) or VarIsNull(LDAPProperties) then
    begin
      writeln('No user found for LDAP properties');
    end
    else
    begin
      JSONStr := _Safe(LDAPProperties)^.ToJson('', '', jsonHumanReadable);
      writeln(JSONStr);
      EmployeeID := ExtractFromJSON('EmployeeID', JSONStr); // pull emp id from the JSON
    end;
  end;
This works... not sure if it's the "proper" way or not...
Alrighty... I do have a new question to add.
User logs into Windows, which was on AD domain.
Since the user has logged in, am I able to pull the logged in Windows user AD profile information?
Does that have to go through LDAP in this case or would that be WinNT ?
CN=Administrator,CN=Users,DC=myserver,DC=com
Seems to work for LDAP land? ... I can pull employeeID that way.
But pondering if a better way if any, to get my logged in Windows user profile information that AD says it should be.
The RootDSE info is retrieved and accessible via TLdapClient.RootDN/DefaultDN/VendorName/ServiceName/ConfigDN/NetbiosDN/NamingContext... methods and so on.
And you have a lot of Windows-centric API calls in mormot.core.os.security.pas to retrieve the current Windows security information.
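As an added example (not code from this thread or from mORMot itself), this is how a login routine could use those RootDSE properties together with a TLS-only bind, so one code path serves an AD server and a non-AD server such as the forumsys test box, whether the user types a full DN, a UPN/mail address or a bare account name. It assumes LdapEscape() is the library's LDAP filter escaper; Search, SearchResult, GetJson and DefaultDN are used as they appear earlier in this thread.

```pascal
uses
  mormot.core.base,
  mormot.core.text,
  mormot.net.ldap;

/// bind as the typed user over LDAPS and return that user's entry as JSON
// - accepts a full DN ('uid=x,dc=example,dc=com'), a UPN/mail ('x@y.com')
//   or a bare account name ('x'); the bare form is searched, never guessed
// - LdapEscape() is assumed to be the library's RFC 4515 filter escaper
function LdapLoginLookup(const Host, Login, Password: RawUtf8;
  out UserJson: RawUtf8): boolean;
var
  ldap: TLdapClient;
  base, filter, id: RawUtf8;
begin
  result := false;
  UserJson := '';
  ldap := TLdapClient.Create;
  try
    ldap.Settings.TargetHost := Host;
    ldap.Settings.Tls := true;        // LDAPS only: the password never travels in clear
    // Settings.AllowUnsafePasswordBind is left at its default (false), so a
    // plaintext simple bind is refused instead of silently leaking the password
    ldap.Settings.UserName := Login;  // AD accepts a UPN; OpenLDAP needs the DN form
    ldap.Settings.Password := Password;
    if not ldap.Connect or
       not ldap.Bind then
      exit;                           // unreachable host, no TLS, or bad credentials
    if PosExChar('=', Login) > 0 then
    begin
      base := Login;                  // a DN: read that single entry
      filter := '(objectClass=*)';
    end
    else
    begin
      base := ldap.DefaultDN;         // from RootDSE: works on AD and on OpenLDAP
      id := LdapEscape(Login);        // never splice raw user input into a filter
      filter := FormatUtf8('(|(uid=%)(sAMAccountName=%)(userPrincipalName=%)(mail=%))',
        [id, id, id, id]);
    end;
    if not ldap.Search(base, false, filter, ['*']) or
       (ldap.SearchResult.Count <> 1) then
      exit;                           // zero or ambiguous matches: refuse the login
    UserJson := ldap.SearchResult.GetJson;
    result := true;
  finally
    ldap.Free;
  end;
end;
```

On the forumsys server the DN form maps to the L5 search above; on AD the bare name resolves through sAMAccountName or userPrincipalName under defaultNamingContext.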
Thanks again!
I was able to demo my proof of concept and people were happy with results.
Our main software is old... like... 1979 old... before I was born old. It's an OOP based database called Cache. So there is plenty of code in there 30-40 yrs old.
And a customer wants to use LDAP to login, vs using a login mechanism thats 45 years old.
My program is a GUI interface that talks to the old system via ODBC.
Having my user in LDAP with a few details set on the user level, i can then link it to the internal user system of the old software via pulled down properties.
Then I was able to manually set an LDAP server/user... and verify.. or auto-get the domain/windows user/etc. and verify... depending on which machine / server setup I was using.
Ah nice. I had skimmed the code and saw OpenSSL... so if it uses SChannel, that makes life easier.
I think maybe this will be my final questions... for now
I am working on a simple "proof of concept" program.
I can get the current username of windows user.
I can get the current windows domain name.
but I can't seem to get the current LDAP domain name... which would be something like "DC=myserver,DC=com" or just "myserver.com"
When I was inspecting https://github.com/EdZava/VCL-ActiveDirectory4Delphi for doing LDAP, it has some calls internally to grab this info.
Was looking to see if anything bundled in here.
Basically have the "login" screen where if on a windows setup where this can be done... pull down the ldap server address and username.. so user can just plop in password and go.
If not.. then they gotta fill the server in ( offsite ldap server )
Would this be something via "RootDSE' ?
In PowerShell, Get-ADRootDSE gives me all this kind of info.
When using Apache Directory Studio, similar info ( if not actually quite a bit more ) ....
Again.. sorry about the newb questions.
This was sprung on me, and after 20 years working here, LDAP has never come up.
And like most things, I get no time to learn and need to have a proof of concept ASAP and run around with head on fire.
So my hope is to have a simple login form mocked up that "works" and also handles when it can possibly pull as much info from the windows machine as possible, if connected to a domain that has ldap and have it so the user just types in password.
And fall back to manually filling in info if need be.
Excellent! That worked. Got a huge JSON blast of information. I guess no record/object of the data available? if not that is fine.
I can do my own JSON wrapping to turn into one if need be.
I think final question for now.... SSL support. It looks like it requires OpenSSL ?
Also, is mutual TLS supported then? I am unsure I need this, or even SSL, right at this time. But I figure I'll ask, because it will be found out eventually if we go this route with LDAP.
Don't have access to the customer's server... and the one we have here is not TLS enabled it looks, but I don't have access either to make any changes to it.. so gonna request it to be set up with TLS to test against. Both are using ADFS.
Greetings!
Been looking at mORMot2 for handling LDAP today with Delphi 12...
So far, I'd like to say, great job!
I have a case where I need to connect to a Windows 2022 server via LDAP. Running ADFS and all that jazz...
The following code seems to work for what it is...
The problem is I can't seem to figure out how to get the attributes of the user.
I see in mormot.net.ldap.pas , _AttrTypeName ... all the fields here that I am looking for.
I just haven't found HOW to access these all.
In the end... I need to make sure I can authenticate the user ( bind ? ) , and pull any and all info about said user.
As there is going to be buried in there some data that I need to use, to fire off to another old legacy program.
procedure TForm1.Button1Click(Sender: TObject); // hypothetical handler name: the post omits it
var
  LDAP: TLdapClient;
  Info: TLdapUser;
  idx: integer;
begin
  Memo1.Clear;
  LDAP := TLdapClient.Create;
  try
    LDAP.Settings.UserName := 'user@server.com';
    LDAP.Settings.Password := 'mypassword';
    LDAP.Settings.TargetHost := 'server.com';
    // the ADFS box I am connecting to doesn't appear to have TLS enabled.....
    LDAP.Settings.Tls := false;
    LDAP.Settings.AllowUnsafePasswordBind := true; // the password goes over the wire in clear
    if LDAP.Connect then // this will connect to host... not user/password
      Memo1.Lines.Add('Connected')
    else
      Memo1.Lines.Add('Not Connected');
    if LDAP.Bind then // bind by username and password.. considered authenticated?
      Memo1.Lines.Add('Bind Good')
    else
      Memo1.Lines.Add('Bind Bad');
    if LDAP.GetUserInfo('user', '', '', Info) then
    begin
      Memo1.Lines.Add('User Info');
      Memo1.Lines.Add(Info.sAMAccountName);
      Memo1.Lines.Add(Info.distinguishedName);
      Memo1.Lines.Add(Info.canonicalName);
      Memo1.Lines.Add(Info.cn);
      Memo1.Lines.Add(Info.description);
      Memo1.Lines.Add(Info.objectSid);
      Memo1.Lines.Add(Info.objectGUID);
      Memo1.Lines.Add(Info.primaryGroupID.ToString);
      Memo1.Lines.Add(Info.userPrincipalName);
      Memo1.Lines.Add(Info.displayName);
      Memo1.Lines.Add(Info.mail);
      Memo1.Lines.Add(DateTimeToStr(Info.pwdLastSet));
      Memo1.Lines.Add(DateTimeToStr(Info.lastLogon));
      Memo1.Lines.Add(DateTimeToStr(Info.whenCreated));
      Memo1.Lines.Add(DateTimeToStr(Info.whenChanged));
      for idx := low(Info.memberof) to high(Info.memberof) do
        Memo1.Lines.Add(Info.memberof[idx]);
      for idx := low(Info.customNames) to high(Info.customNames) do
        Memo1.Lines.Add(Info.customNames[idx]);
      for idx := low(Info.customValues) to high(Info.customValues) do
        Memo1.Lines.Add(Info.customValues[idx]);
    end;
  finally
    LDAP.Free; // the posted version never freed the client
  end;
end;