How to build LDAP integration for my web app?

As always remember to validate the authentication test to be sure that the password sent is not blank.

A bind with a user name and no password is considered an Anonymous bind, according to the standard, and looks like it has succeeded! When in fact, it really did not.

This is an issue for the application to handle, since the LDAP server is just following the standard, an annoying standard, but a standard nonetheless.


There are several options. If you really mean LDAP, as opposed to just Active Directory, I would probably look at using System.DirectoryServices.Protocols to perform an LDAP bind using the supplied credentials via a secure channel.

Strictly, this isn't Single Sign-On. SSO means only having to submit your creds once when you first log on. This is simply reducing complexity for the users by only having a single ID. Usually, for Windows clients in an enterprise environment with a mixture of platforms and technologies, SSO is achieved by a client added to the desktop which manages authentication to various systems. In an MS-only environment, you might achieve SSO if all of your web apps are on IIS, you use IE and use Integrated Windows Authentication, impersonation and all of that stuff.

You could consider auto-enrolling an authenticated user into your system, unless you require profile-type data to be preconfigured. If you do require pre-configuration of users, you could consider regularly importing (all, or a filtered subset of) users from the LDAP directory and having them in a not-configured state, such that the admins select from an existing list of not-configured users rather than typing in IDs. Otherwise, you risk your admins typing in the wrong user ID and having mismatches.

You could provide an API such that Identity and Access Management solutions (given your Microsoft slant, see ILM2 007 as one example) can integrate with your system and do all of the user account management for you.


Perhaps consider Authentication Vs Authorisation

Authentication - which user is this? Authorisation - who should be able to use the application, specified users, groups?

Currently you are implying authorisation through authentication because only those who are registered to your app are allowed to use it.

If you use a directory instead of your custom datastore then

  • use the directory connection method to authenticate the user
  • you (may) get authentication for free - the user is known to windows, windows can identify to iis and sqlserver, maybe no need to ask the user who they are.
  • you will know of more users than have authorisation and need to apply restrictions - limit connections to a particular group.
  • could store user data in the directory, rather than with your app data in the sql server.

If your users really want generic LDAP, then you want to look into (C)ldap_connect, ldap_bind_s (C#) LDAPConnection System.DirectoryServices.Protocols

Or again back to AD this Demystified .Net App single sign on might help