I have an LDAP login set up in my C# web app that uses a DirectoryEntry method. The code below is what I have so far. It lets anybody with an AD account log in; I need to limit that to people in a group named "commonusers".
using System.DirectoryServices;

public Boolean ValidateUser(string userName, string password)
{
    string path = "LDAP://domain.company.org";
    // Bind with the supplied credentials; a failed bind throws the first time the entry is used
    DirectoryEntry dirEntry = new DirectoryEntry(path, userName, password, AuthenticationTypes.Secure);
    try
    {
        DirectorySearcher dirSearcher = new DirectorySearcher(dirEntry);
        // If this returns data the user is validated; otherwise control goes to the catch block and returns false
        dirSearcher.FindOne();
        return true;
    }
    catch
    {
        return false;
    }
}
The login button uses the code below:
protected void Button1_Click(object sender, EventArgs e)
{
    Boolean boolresult = ValidateUser(TextBox_username.Text, TextBox_password.Text);
    if (boolresult)
    {
        Label_loginstatus.Text = "Redirecting";
        Response.Redirect("medsearch.aspx");
    }
    else
    {
        Label_loginstatus.Text = "Invalid username/password! Please try again.";
    }
}
Is it possible to add a function that checks the user's account for the "commonusers" group in one of these functions?
If you're on .NET 4, you could use this method, which works without try/catch:
using System;
using System.DirectoryServices.AccountManagement;

private bool ValidateAgainstADAndGroup(string username, string password, string groupname)
{
    var ok = false;
    using (var pc = new PrincipalContext(ContextType.Domain, "mydomain.lan"))
    {
        if (pc.ValidateCredentials(username, password))
        {
            // User is alright; now look the account up and walk its group memberships
            using (var searcher = new PrincipalSearcher(new UserPrincipal(pc)))
            {
                searcher.QueryFilter.SamAccountName = username;
                Principal u = searcher.FindOne();
                if (u != null) // guard against a NullReferenceException when the lookup finds nothing
                {
                    // GetGroups() lists direct memberships only; nested groups are not expanded
                    foreach (Principal p in u.GetGroups())
                    {
                        // AD group names are not case-sensitive
                        if (string.Equals(p.Name, groupname, StringComparison.OrdinalIgnoreCase))
                        {
                            // User is in group
                            ok = true;
                            break;
                        }
                    }
                }
            }
        }
    }
    return ok;
}
You could alter it to return two kinds of error: NotAuthenticated, or Authenticated but not in the group.
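One way to return those two failure kinds separately, written here as an added example rather than the answerer's code; it assumes the domain and group names are passed in, resolves the group once and compares SIDs over the user's authorization groups so that nested membership also counts:

```csharp
using System;
using System.DirectoryServices.AccountManagement;

public enum LoginResult { NotAuthenticated, AuthenticatedNotInGroup, Authorized }

public static class AdGroupLogin
{
    // Assumed signature: domain and groupName are parameters instead of hard-coded values.
    public static LoginResult Validate(string domain, string userName, string password, string groupName)
    {
        // Never let an empty password reach the bind: an LDAP server may treat it as an
        // anonymous bind, which would otherwise look like a successful logon.
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            return LoginResult.NotAuthenticated;

        using (var pc = new PrincipalContext(ContextType.Domain, domain))
        {
            if (!pc.ValidateCredentials(userName, password))
                return LoginResult.NotAuthenticated;

            // Resolve the group once and compare SIDs rather than names, so a renamed or
            // similarly named group cannot be mistaken for the intended one.
            using (var group = GroupPrincipal.FindByIdentity(pc, IdentityType.Name, groupName))
            using (var user = UserPrincipal.FindByIdentity(pc, IdentityType.SamAccountName, userName))
            {
                // Fail closed: a missing group or account counts as "not authorized".
                if (group == null || user == null)
                    return LoginResult.AuthenticatedNotInGroup;

                // GetAuthorizationGroups expands nested membership (the account's token groups);
                // GetGroups would only list groups the account is a direct member of.
                using (var groups = user.GetAuthorizationGroups())
                {
                    foreach (Principal g in groups)
                    {
                        if (g.Sid != null && g.Sid.Equals(group.Sid))
                            return LoginResult.Authorized;
                    }
                }
                return LoginResult.AuthenticatedNotInGroup;
            }
        }
    }
}
```

In the click handler, map NotAuthenticated and AuthenticatedNotInGroup to different Label_loginstatus messages and redirect only on Authorized.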