Looking for an example of LDAP (AD) authentication from ABL

Posted by Valeriy Bashkatov on 04-Apr-2017 09:01

Hi All,

I'm looking for an example of LDAP (AD) authentication from ABL for Windows clients. I saw examples in the documentation (all very confusing and unclear) and examples from Michael Jacobs; the latter do not work on the 11.x version because of Crypto.r, and I have not found the source code for Crypto.p.

Does somebody have the source code of this program, or r-code for 11.5/11.6/11.7?

I have the following task from the customer:
There is a Windows OS in which there is a user named UserA with a password of 12345. There is an RDBMS in which there is a user Sysadm with a password of 67890.
UserA's password is checked by Windows, Sysadm's password is checked by the RDBMS (_user).
They want to make it so that the user UserA with the password 12345 appears in the RDBMS, but that this password is checked not by the RDBMS, but by Windows.
That is, after changing the password in Windows from 12345 to 54321 for UserA, he would be able to connect to the RDBMS with the new password.

I think that this requires application authentication through Active Directory + using CLIENT-PRINCIPAL + OpenEdge Database domains. I am also looking at .NET DirectoryServices.

Ideally, I need a ready-made example with a connection to the Sports2000 database (on Windows), something with a user interface and the ability for the DBA to configure LDAP from ABL forms.

Thank you for any help!

Regards,
Valeriy

All Replies

Posted by nborshukov on 05-Apr-2017 06:59

If you "link" the Windows user to the database user, you can use the following code to verify the Windows user and password:

USING System.DirectoryServices.AccountManagement.*.

DEFINE VARIABLE objContext AS CLASS PrincipalContext NO-UNDO.

/* pick one: a domain (AD) context or the local machine's account database */
IF TRUE THEN
    /* for domain */
    objContext = NEW PrincipalContext(ContextType:Domain, "DomainName").
ELSE
    /* for machine */
    objContext = NEW PrincipalContext(ContextType:Machine).

/* ValidateCredentials asks the directory to verify the password and returns
   only TRUE or FALSE, not the reason for a failure */
MESSAGE objContext:ValidateCredentials("WindowsUserName", "WindowsPassword")
    VIEW-AS ALERT-BOX INFO.

/* release the .NET object */
objContext:Dispose().
DELETE OBJECT objContext.

Add the System.DirectoryServices.AccountManagement assembly to the project assemblies in order to run the code above.

Posted by Valeriy Bashkatov on 05-Apr-2017 07:58

Hi nborshukov,

Thank you!

But if ValidateCredentials returns "no", how can I check why? For example, whether the user is blocked, the password has expired, or maybe just the wrong password was used.

Posted by tbergman on 05-Apr-2017 08:32

A large number of properties are available on the UserPrincipal object. Here's a bit of code that should point you in the right direction.

DEFINE VARIABLE objUser AS CLASS UserPrincipal NO-UNDO.

/* objContext is the PrincipalContext from the previous reply;
   pLoginName is the Windows login to look up */
objUser = UserPrincipal:FindByIdentity(objContext, pLoginName).
IF objUser = ? THEN ....                    /* no such account in the directory */
IF NOT objUser:Enabled THEN .....           /* account is disabled */
IF objUser:IsAccountLockedOut() THEN ....   /* locked after too many bad passwords */
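Putting the two replies together, as an added example that is not from any of the posters: a procedure that lets the domain controller validate the credentials and, only when they are rejected, consults the UserPrincipal to classify the failure. The procedure name, parameter names and reason strings are my own, and it assumes the AccountManagement assembly is registered as nborshukov described.

```abl
/* validate-windows-user.p  (name assumed) */
USING System.DirectoryServices.AccountManagement.*.

DEFINE INPUT  PARAMETER pcDomain   AS CHARACTER NO-UNDO.  /* e.g. "DomainName" */
DEFINE INPUT  PARAMETER pcUser     AS CHARACTER NO-UNDO.  /* Windows login, e.g. "UserA" */
DEFINE INPUT  PARAMETER pcPassword AS CHARACTER NO-UNDO.
DEFINE OUTPUT PARAMETER pcReason   AS CHARACTER NO-UNDO.  /* "ok" or why it failed */

DEFINE VARIABLE objContext AS CLASS PrincipalContext NO-UNDO.
DEFINE VARIABLE objUser    AS CLASS UserPrincipal    NO-UNDO.

objContext = NEW PrincipalContext(ContextType:Domain, pcDomain).

/* The domain controller does the real password check; the ABL side never
   compares or stores the password itself. */
IF objContext:ValidateCredentials(pcUser, pcPassword) THEN
    pcReason = "ok".
ELSE DO:
    /* Rejected: inspect the account to tell the states apart. Log this
       detailed reason; show the end user only a generic message so the
       login form does not reveal which accounts exist or are locked. */
    objUser = UserPrincipal:FindByIdentity(objContext, pcUser).
    IF NOT VALID-OBJECT(objUser) THEN
        pcReason = "user-not-found".
    ELSE IF objUser:Enabled = FALSE THEN
        pcReason = "account-disabled".
    ELSE IF objUser:IsAccountLockedOut() THEN
        pcReason = "account-locked-out".
    ELSE IF objUser:AccountExpirationDate <> ?
        AND objUser:AccountExpirationDate < System.DateTime:UtcNow THEN
        pcReason = "account-expired".
    ELSE
        pcReason = "bad-password".  /* nothing else wrong: wrong (or no longer accepted) password */
END.

CATCH e AS Progress.Lang.Error:
    /* e.g. the domain controller could not be reached */
    pcReason = "error: " + e:GetMessage(1).
END CATCH.
FINALLY:
    /* release the .NET objects whatever happened above */
    IF VALID-OBJECT(objUser) THEN DO:
        objUser:Dispose().
        DELETE OBJECT objUser.
    END.
    IF VALID-OBJECT(objContext) THEN DO:
        objContext:Dispose().
        DELETE OBJECT objContext.
    END.
END FINALLY.
```

Only a result of "ok" should lead on to creating the CLIENT-PRINCIPAL for the database domain that the question mentions; every other value belongs in the application log, not on the login screen.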

Posted by Valeriy Bashkatov on 06-Apr-2017 09:48

Thank you!

Posted by Valeriy Bashkatov on 06-Apr-2017 09:48

Does anyone have any other examples?
