LDAP Authentication for IIS with eDirectory
Novell Cool Solutions: Tip
Digg This -
Posted: 22 Sep 2004
Here's an LDAP authentication solution for IIS with eDirectory. This tip was sent in by reader Ben Ponting.
We have a requirement to integrate Microsoft IIS servers with our LDAP servers for user authentication. We have been using DirXML for some of our authentication solutions, but in this case the AD Remote Loader was not suitable for a number of reasons. Our IIS guys wanted to use an ISAPI filter to redirect authentication to our LDAP server, but we were not able to get this working over SSL.
The ISAPI filter we were using had been compiled using the Netscape SDK, but the libraries had issues with SSL even after obtaining a valid cert7.db file. Thanks to a very helpful sysop by the name of Guenter Knauf, we obtained a recompiled version of the code using NDK, which works perfectly. At the moment it only allows authentication, no access control, but we are working on acheiving that based on group memberships down the track.
The NDK-based code can be found here: http://www.gknw.at/development/iis/
The existing instructions have been written for using Netscape SDK. To use the NDK version, I created these instructions:
- Copy ldapsdk.dll, ldapssl.dll, ldapx.dll to c:\winnt\system32 (or any location in a path).
- Copy ldapauth.dll to c:\winnt\system32\inetsrv.
- Copy ldapauth.ini to c:\winnt.
- Copy CA.der to c:\ (I used the self signed certificate exported from the CA).
- Open IIS Administrator.
- Right click on the Website object and choose Properties.
- Click on the ISAPI Filters tab.
- Click Add.
- Enter the following details:
Filter Name: LDAPAUTH
- Click the Directory Security tab.
- Click Edit in the Anonymous Access and Authentication control panel.
- Disable Anonymous Access and Integrated Windows authentication.
- Select Basic Authentication and click OK
- Stop and start the IIS web service. (Check that the ldapauth filter is loaded by openning the ISAPI Filters tab and that there is a Green arrow in the Status column).
Adding the ISAPI Filter to IIS
Note: You must also set up a Windows user that IIS will use to access the website and specify the username and password in the ldapauth.ini file. This essentially maps the LDAP user to a local windows user account after successful authentication.
Below is the LDAPAUTH.INI file I used. Changes to the config file take effect only after a server reboot. Most file paths are configurable, except the LDAPAUTH.INI file that must be in the path C:\WINNT\; this is hardcoded in the .DLL.! IIS LDAP Authentication configuration file.
! Each parameter starts on a new line, first
! with the parameter name, then white space, then
! the desired value.
! Replace all spaces in a value with the underscore
! character. Ie. my_value_with_spaces
! Bind User is the username of the account used
! to connect to the LDAP server. It should be a
! valid DN. Only requires read access to CN attribute
! IP address or Hostname of the LDAP server and
! port number for LDAP connection
! Search filter
! SSL certificate file. Specifying this will make
! the module always use SSL.
! NT User - the Windows NT user used for IIS access
! after LDAP authentication. You can delete this
! line if you want to use the LDAP CN as your Windows
! NT user.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com