#1 Re: mORMot 2 » LDAP to an AD box and get userinfo details? » 2024-12-06 18:37:21

Ok, that works for the JSON.

But I guess my concern is... you said to use "WhoAmI" ... to get details... but what I found didn't do what we thought?
And if that's the case, should it be something else? Or is what I did here, after the Kerberos call, the "proper" way?

Sorry for these kind of questions... but trying to find stuff online gives such mixed results... from upwards of 20 years ago.

Having someone to ask at this moment in time helps get better/more direct answers than reading posts and blogs from eons ago.

#2 Re: mORMot 2 » LDAP to an AD box and get userinfo details? » 2024-12-06 17:19:45

I have something like this at its basic level...

 LDAP := TLdapClient.Create;
 try
  LDAP.settings.Tls := false;
  LDAP.settings.AllowUnsafePasswordBind := True;
  LDAP.settings.TargetHost := LDAPServerAddr;
  LDAP.Connect;
  if LDAP.BindSaslKerberos then
  begin
   writeln('authenticated via Kerberos');
   writeln(LDAP.ExtWhoAmI); // RFC 4532 "Who am I?": returns only the authzid string
  end
  else
  begin
   writeln('authenticating via Kerberos - FAILED');
  end;
 finally
  LDAP.Free; // closes the connection
 end;

When it runs I get

authenticated via Kerberos
u:2022SERVER\STEVEN

So it "worked" on the BindSaslKerberos I take it... but for the ExtWhoAmI, all I get is, well... who I am... but no profile details.

I searched the source but this was the only code with "whoami" in it... so not 100% sure what to do about that....

but what I did find...

is after the good BindSaslKerberos call, I can use this code that you gave me earlier...

 if LDAP.BindSaslKerberos then
 begin
  // windowsUser, JSONStr, EmployeeID and ExtractFromJSON are declared elsewhere (not shown);
  // [] as the attribute list requests all attributes of the matching user object
  var
   LDAPProperties := LDAP.SearchAll([], ObjectFilter(ofUsers, windowsUser),
     [roCanonicalNameAtRoot, roSortByName, roSddlKnownUuid, roAutoRange,
      roKnownValuesAsArray]);

  if VarIsEmpty(LDAPProperties) or VarIsNull(LDAPProperties) then
  begin
   writeln('No user found for LDAP properties');
  end
  else
  begin
   JSONStr := _Safe(LDAPProperties)^.ToJson('', '', jsonHumanReadable);
   writeln(JSONStr);
   EmployeeID := ExtractFromJSON('EmployeeID', JSONStr); // pull emp id from the JSON
  end;
 end;

This works... not sure if it's the "proper" way or not...
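An added example, written for this editing pass and not code from the post above or from the mORMot project, that takes the Kerberos-bound client from post #2 one step further: ExtWhoAmI (RFC 4532 "Who am I?") only ever returns the identity string such as "u:2022SERVER\STEVEN", so the example reduces that authzid to a sAMAccountName, asks the directory for just the attributes the application needs, and reads employeeID straight from the returned TDocVariant instead of re-parsing the JSON text. It uses only the TLdapClient members shown in this thread (Settings.TargetHost, Settings.Tls, Connect, BindSaslKerberos, ExtWhoAmI, SearchAll, ObjectFilter) plus mORMot core helpers (IdemPChar, PosExChar, FormatUtf8, _Safe, VariantToUtf8, TDocVariantData). The host name and the UseTls parameter are placeholders, and the exact layout of the SearchAll document (one root key per object, attributes beneath it) is an assumption, which is why the attribute finder walks the document rather than hard-coding a path.

```pascal
program LdapKerberosSelfLookup;

{$APPTYPE CONSOLE}

uses
  mormot.core.base,
  mormot.core.text,
  mormot.core.variants,
  mormot.net.ldap;

// Reduce an RFC 4532 authzid such as 'u:2022SERVER\STEVEN' to 'STEVEN'.
// A 'dn:...' authzid is valid too but is not an account name, so it is refused.
function AuthzIdToAccountName(const AuthzId: RawUtf8;
  out AccountName: RawUtf8): boolean;
var
  sep: PtrInt;
begin
  AccountName := '';
  result := IdemPChar(pointer(AuthzId), 'U:');
  if not result then
    exit;
  sep := PosExChar('\', AuthzId);
  if sep = 0 then
    AccountName := copy(AuthzId, 3, maxInt)        // plain 'u:STEVEN'
  else
    AccountName := copy(AuthzId, sep + 1, maxInt); // strip 'DOMAIN\'
  result := AccountName <> '';
end;

// Depth-first search for a named attribute anywhere in the SearchAll result,
// so the caller does not depend on which *AtRoot option shaped the document.
// A single-element array (from roKnownValuesAsArray) is unwrapped.
function FindAttribute(const Doc: variant; const Name: RawUtf8;
  out Value: RawUtf8): boolean;
var
  dv, arr: PDocVariantData;
  i: PtrInt;
begin
  result := false;
  if not _Safe(Doc, dv) then
    exit; // a leaf value, not an object or array
  if dv^.IsObject then
  begin
    i := dv^.GetValueIndex(Name);
    if i >= 0 then
    begin
      if _Safe(dv^.Values[i], arr) and arr^.IsArray and (arr^.Count = 1) then
        Value := VariantToUtf8(arr^.Values[0])
      else
        Value := VariantToUtf8(dv^.Values[i]);
      result := true;
      exit;
    end;
  end;
  for i := 0 to dv^.Count - 1 do
    if FindAttribute(dv^.Values[i], Name, Value) then
    begin
      result := true;
      exit;
    end;
end;

// Bind with the current Windows user's Kerberos ticket and return that
// user's employeeID ('' on failure, with Why set). A Kerberos bind never
// sends the password, but without TLS the returned attributes travel in
// clear, so pass UseTls=true whenever the DC offers LDAPS.
function OwnEmployeeId(const Host: RawUtf8; UseTls: boolean;
  out Why: RawUtf8): RawUtf8;
var
  ldap: TLdapClient;
  sam: RawUtf8;
  res: variant;
begin
  result := '';
  Why := '';
  ldap := TLdapClient.Create;
  try
    ldap.Settings.TargetHost := Host;
    ldap.Settings.Tls := UseTls;
    // AllowUnsafePasswordBind keeps its default: no password is involved here
    if not ldap.Connect then
      Why := 'connect failed'
    else if not ldap.BindSaslKerberos then
      Why := 'Kerberos bind failed'
    else if not AuthzIdToAccountName(ldap.ExtWhoAmI, sam) then
      Why := FormatUtf8('unexpected authzid %', [ldap.ExtWhoAmI])
    else
    begin
      // request only what the application needs instead of every attribute
      res := ldap.SearchAll(['sAMAccountName', 'employeeID'],
        ObjectFilter(ofUsers, sam),
        [roCanonicalNameAtRoot, roAutoRange, roKnownValuesAsArray]);
      if not FindAttribute(res, 'employeeID', result) then
        Why := FormatUtf8('no employeeID on %', [sam]);
    end;
  finally
    ldap.Free;
  end;
end;

var
  id, why: RawUtf8;
begin
  id := OwnEmployeeId('dc01.corp.example', {UseTls=}true, why); // placeholder host
  if id <> '' then
    writeln('employeeID = ', id)
  else
    writeln('lookup failed: ', why);
end.
```

The point of AuthzIdToAccountName is that the "u:" prefix and the NetBIOS domain are a presentation of the bound identity, not attributes; the account name is what ObjectFilter(ofUsers, ...) can search for. Restricting the attribute list also keeps the JSON you log to the fields you actually consume.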

#3 Re: mORMot 2 » LDAP to an AD box and get userinfo details? » 2024-12-05 20:33:58

Alrighty... I do have a new question to add.

User logs into Windows, which is on an AD domain.

Since the user has logged in, am I able to pull the logged in Windows user AD profile information?

Does that have to go through LDAP in this case or would that be WinNT ?

CN=Administrator,CN=Users,DC=myserver,DC=com

Seems to work for LDAP land? ... I can pull employeeID that way.

But pondering if there is a better way, if any, to get my logged-in Windows user profile information as AD says it should be.

#4 Re: mORMot 2 » LDAP to an AD box and get userinfo details? » 2024-12-03 20:15:27

ab wrote:

The RootDSE info is retrieved and accessible via TLdapClient.RoodDN/DefaultDN/VendorName/ServiceName/ConfigDN/NetbiosDN/NamingContext... methods and so on.

And you have a lot of Windows-centric API calls in mormot.core.os.security.pas to retrieve the current Windows security information.

Thanks again!

I was able to demo my proof of concept and people were happy with results.

Our main software is old... like... 1979 old... before I was born old. It's an OOP-based database called Cache. So there is plenty of code in there 30-40 yrs old.

And a customer wants to use LDAP to login, vs using a login mechanism that's 45 years old.

My program is a GUI interface that talks to the old system via ODBC.

Having my user in LDAP with a few details set on the user level, I can then link it to the internal user system of the old software via pulled-down properties.

Then I was able to manually set an LDAP server/user... and verify... or auto-get the domain/Windows user/etc. and verify... depending on which machine / server setup I was using.

#5 Re: mORMot 2 » LDAP to an AD box and get userinfo details? » 2024-12-03 17:21:55

Ah nice. I had skimmed the code and saw OpenSSL... so if it uses SChannel, that makes life easier.

I think maybe these will be my final questions... for now :)

I am working on a simple "proof of concept" program.

I can get the current username of windows user.

I can get the current windows domain name. 

but I can't seem to get the current LDAP domain name... which would be something like "DC=myserver,DC=com" or just "myserver.com"

When I was inspecting https://github.com/EdZava/VCL-ActiveDirectory4Delphi  for doing LDAP, it has some calls internally to grab this info.

Was looking to see if anything bundled in here.

Basically have the "login" screen where, if on a Windows setup where this can be done... pull down the LDAP server address and username... so the user can just plop in the password and go.

If not... then they gotta fill the server in (offsite LDAP server).

Would this be something via "RootDSE"?

In Powershell, Get-ADRootDSE gives me all this kind of info.

When using Apache Directory Studio, similar info ( if not actually quite a bit more ) ....

Again.. sorry about the newb questions. 

This was sprung on me, and after 20 years working here, LDAP has never come up. 

And like most things, I get no time to learn and need to have a proof of concept ASAP and run around with head on fire.

So my hope is to have a simple login form mocked up that "works" and also handles when it can pull as much info from the Windows machine as possible, if connected to a domain that has LDAP, and have it so the user just types in the password.

And fall back to manually filling in info if need be.

#6 Re: mORMot 2 » LDAP to an AD box and get userinfo details? » 2024-12-03 07:57:05

Excellent! That worked. Got a huge JSON blast of information. I guess there is no record/object of the data available? If not, that is fine.

I can do my own JSON wrapping to turn into one if need be.

I think final question for now.... SSL support. It looks like it requires OpenSSL?

Also, is mutual TLS supported then? I am unsure I need this, or even SSL, right at this time. But I figure I'll ask, because it will be found out eventually if we go this route with LDAP.

Don't have access to the customer's server... and the one we have here doesn't look TLS-enabled, but I don't have access to make any changes to it either... so gonna request it to be set up with TLS to test against. Both are using ADFS.

#7 mORMot 2 » LDAP to an AD box and get userinfo details? » 2024-12-02 21:22:42

jdredd
Replies: 11

Greetings!

Been looking at mORMot2 for handling LDAP today with Delphi 12...

So far, I'd like to say, great job!

I have a case where I need to connect to a Windows 2022 server via LDAP. Running ADFS and all that jazz...

The following code seems to work for what it is...

The problem is I can't seem to figure out how to get the attributes of the user.

I see in mormot.net.ldap.pas, _AttrTypeName... all the fields here that I am looking for.

I just haven't found HOW to access these all.


In the end... I need to make sure I can authenticate the user (bind?), and pull any and all info about said user.
As there is going to be buried in there some data that I need to use, to fire off to another old legacy program.

var
  LDAP: TLdapClient;
  Info: TLdapUser;
  idx: integer;
begin
  Memo1.Clear;

  LDAP := TLdapClient.Create;
  try
    LDAP.Settings.UserName := 'user@server.com';
    LDAP.Settings.Password := 'mypassword';

    LDAP.Settings.TargetHost := 'server.com';

    // the ADFS box I am connecting to doesn't appear to have TLS enabled.....
    // without TLS a simple bind sends the password in clear text; the flag opts in to that
    LDAP.Settings.Tls := false;
    LDAP.Settings.AllowUnsafePasswordBind := true;

    if LDAP.Connect then // this will connect to host... not user/password
      Memo1.lines.add('Connected')
    else
      Memo1.lines.add('Not Connected');

    if LDAP.Bind then // bind by username and password.. considered authenticated?
      Memo1.lines.add('Bind Good')
    else
      Memo1.lines.add('Bind Bad');

    // look up by account name (the other two parameters take a DN / UPN instead)
    if LDAP.GetUserInfo('user', '', '', Info) then
    begin
      Memo1.lines.add('User Info');
      Memo1.lines.add(Info.sAMAccountName);
      Memo1.lines.add(Info.distinguishedName);
      Memo1.lines.add(Info.canonicalName);
      Memo1.lines.add(Info.cn);
      Memo1.lines.add(Info.description);
      Memo1.lines.add(Info.objectSid);
      Memo1.lines.add(Info.objectGUID);
      Memo1.lines.add(Info.primaryGroupID.ToString);
      Memo1.lines.add(Info.userPrincipalName);
      Memo1.lines.add(Info.displayName);
      Memo1.lines.add(Info.mail);
      Memo1.lines.add(datetimetostr(Info.pwdLastSet));
      Memo1.lines.add(datetimetostr(Info.lastLogon));
      Memo1.lines.add(datetimetostr(Info.whenCreated));
      Memo1.lines.add(datetimetostr(Info.whenChanged));
      for idx := low(Info.memberof) to high(Info.memberof) do
        Memo1.lines.add(Info.memberof[idx]);
      for idx := low(Info.customNames) to high(Info.customNames) do
        Memo1.lines.add(Info.customNames[idx]);
      for idx := low(Info.customValues) to high(Info.customValues) do
        Memo1.lines.add(Info.customValues[idx]);
    end;
  finally
    LDAP.Free; // closes the connection
  end;
end;
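An added example, written for this editing pass and not code from the post above or from the mORMot project: the password bind from post #7 with the two weakening settings (Tls := false, AllowUnsafePasswordBind := true) removed, plus the two values the "just type the password" login form from post #5 needs. It keeps to the TLdapClient members shown in the thread (Settings.TargetHost/TargetPort/Tls/UserName/Password, Connect, Bind, DefaultDN) and to ResultString, which is assumed to carry the server's diagnostic text; TargetPort is assumed to be a string like the other mormot.net port settings, the host/UPN/password values are placeholders, and USERDNSDOMAIN and Executable.User are the Windows environment variable and the mormot.core.os field that give the domain's DNS name and the current account name.

```pascal
program LdapPasswordLoginHardened;

{$APPTYPE CONSOLE}

uses
  SysUtils,
  mormot.core.base,
  mormot.core.text,
  mormot.core.unicode,
  mormot.core.os,
  mormot.net.ldap;

type
  TLoginOutcome = (loConnectFailed, loBindFailed, loOk);

// Password (simple) bind over LDAPS. The posted code had
//   Settings.Tls := false;  Settings.AllowUnsafePasswordBind := true;
// which makes the bind ship the password in clear text to the DC and to
// anyone on the path. Here TLS is on and the flag keeps its default, so the
// library's own refusal of a cleartext password bind stays in force.
function PasswordLogin(const Host, Upn, Password: RawUtf8;
  out BaseDN, Why: RawUtf8): TLoginOutcome;
var
  ldap: TLdapClient;
begin
  result := loConnectFailed;
  BaseDN := '';
  Why := '';
  ldap := TLdapClient.Create;
  try
    ldap.Settings.TargetHost := Host;
    ldap.Settings.TargetPort := '636'; // LDAPS; assumed string-typed like other mormot.net ports
    ldap.Settings.Tls := true;         // SChannel on Windows, OpenSSL elsewhere
    ldap.Settings.UserName := Upn;     // 'user@corp.example'
    ldap.Settings.Password := Password;
    try
      if not ldap.Connect then
        Why := FormatUtf8('TLS connect to %:636 failed', [Host])
      else
      begin
        result := loBindFailed;
        if ldap.Bind then
        begin
          BaseDN := ldap.DefaultDN;    // RootDSE defaultNamingContext, e.g. 'DC=myserver,DC=com'
          result := loOk;
        end
        else
          Why := ldap.ResultString;    // assumed: the server's diagnostic message
      end;
    except
      on E: Exception do
        Why := StringToUtf8(E.Message); // e.g. certificate or socket errors
    end;
  finally
    ldap.Free; // closes the socket and drops Settings, password included
  end;
end;

// What a login form can pre-fill on a domain-joined Windows machine so the
// user only types the password. Both come back empty off-domain, which is
// the cue to show the manual server / user name fields instead.
procedure DomainDefaults(out DnsDomain, UserName: RawUtf8);
begin
  // set by Windows for domain logons, e.g. 'MYSERVER.COM'; the domain's DNS
  // name resolves to its domain controllers, so it doubles as TargetHost
  DnsDomain := StringToUtf8(GetEnvironmentVariable('USERDNSDOMAIN'));
  UserName := Executable.User; // current Windows account name
end;

var
  dom, usr, dn, why: RawUtf8;
begin
  DomainDefaults(dom, usr);
  if dom = '' then
  begin
    writeln('not domain-joined: ask for server and user name');
    exit;
  end;
  writeln('prefill: server=', dom, ' user=', usr, '@', dom);
  // 'password-from-form' stands in for what the user typed
  case PasswordLogin(dom, usr + '@' + dom, 'password-from-form', dn, why) of
    loOk:            writeln('bound; default DN = ', dn);
    loBindFailed:    writeln('bind refused: ', why);
    loConnectFailed: writeln('no LDAPS on ', dom, ': ', why);
  end;
end.
```

If the DC in question really has no LDAPS listener, the correct fix is the one the thread already reaches for (ask for TLS to be enabled and test against that), not setting AllowUnsafePasswordBind in production: the Kerberos SASL bind from the later posts is the alternative that works without TLS because it never transmits the password.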
