ASP LDAP group authentication

[darvoset]

I'm trying to write an ASP page that will authenicate the user against Active Directory. The page also needs to check the groups that the user is a member of. If the user is not a member of a certain group, they will not be given access to the web application. However, if they are a member of that group they will be redirected to the web application. I have pieced this code together from many sources. Right now it will authenticate the individual against Active Directory, but I cannot get the group portion of the code to function. It will login users that are not a member of the desired group. Any help would be greatly appreciated!

Here is the code:

<%
Option Explicit
response.buffer = true

dim strUsername,strpassword,domainname
dim objDomain,objADsPath,objConnection,objCommand,objRS

strUsername=Replace(Request.Form("txtUserLogin"), "'", "''")
strpassword=Replace(Request.Form("txtUserPassword"), "'", "''")
on error resume next

Set objDomain = GetObject ("GC://rootDSE")
objADsPath = objDomain.Get("defaultNamingContext")
Set objDomain = Nothing
Set objConnection = Server.CreateObject("ADODB.Connection")
objConnection.provider ="ADsDSOObject"
objConnection.Properties("User ID") = "mydomain\"+strUsername
objConnection.Properties("Password") = strpassword
objConnection.open "Active Directory Provider"
Set objCommand = CreateObject("ADODB.Command")
Set objCommand.ActiveConnection = objConnection
objCommand.CommandText ="select cn FROM 'GC://"+objADsPath+"' where sAMAccountname='"+strUsername+"'"
Set objRS = objCommand.Execute

'HandleError
If Err.Number <> 0 Then
session("logged_in") <> "true"
Response.Redirect("index.asp")
End If

'Handle navigation if no connection errors arise
If objRS.RecordCount > 0 Then
If (CheckUserGroups(strUsername)=True) Then
session("logged_in") = "true"
Response.Redirect("openings.asp")
Else
session("logged_in") <> "true"
Response.Redirect("index.asp")
End If
Else
session("logged_in") <> "true"
Response.Redirect("index.asp")
End If

objRS.Close
objConnection.Close
Set objRS = Nothing
Set objConnection = Nothing

Sub CheckUserGroups(uid)
dim arrMemberOf
'On Error Resume Next
Set objUser = GetObject("LDAP://" & uid & "") ' LDAP for User Info
With objUser
arrMemberOf = .GetEx("memberOf")
If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
strGroupList = "The memberOf attribute is not set."
Else
For each Group in arrMemberOf
If Group = "mygroup" Then
Return True
End If
'Group = Mid(Group,4)
'intLeft = Instr(Group,",")
'Group = Left(Group, intLeft) & " "
'strGroupList = strGroupList + Group
Next 'arrMemberOf
End If
End With ' objUser
End Sub
%>

 

[zcolton]

darvoset,

Here is some code that you might be able to use:

<%@ Language=VBScript %>
<html>
<head>
</head>
<body>
<%
strUsername = request.queryString("user")
strUserName = Right(strUserName, Len(strUserName) - InStrRev(strUserName, "\"))
Set objDomain = GetObject ("GC://rootDSE")
objADsPath = objDomain.Get("defaultNamingContext")
Set objDomain = Nothing
Set con = Server.CreateObject("ADODB.Connection")
con.provider ="ADsDSOObject"
con.open "Active Directory Provider"
Set Com = CreateObject("ADODB.Command")
Set Com.ActiveConnection = con
Com.CommandText ="select memberof FROM 'GC://"+objADsPath+"' where sAMAccountname='"+strUsername+"'"
Set rs = Com.Execute
membership=rs("memberof")
rs.Close
con.Close
Set rs = Nothing
Set con = Nothing
For each group in membership
 newgroup=split(group,"=")
 response.write left(newgroup(1), len(newgroup(1))-3)&"<br>"
Next
%>
</body>
</html>

give the asp page a username and it will list out the group that the user is a member of.

zcolton

 

[darvoset]

zcolton,

I get the following error when I try to use this code:

Error Type:
ADODB.Field (0x800A0BCD)
Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record.

However, I really do not need to display the groups that the user is a member of, I just need to check if they are a member of a certain group.

darovset

 

[zcolton]

darvoset,
run the asp as -> webpage.asp?user=someusername
I didn't write a complete package to replace what you have done so far. This is simply a demonstration as to how to get the groups a user is a member of. You would need to modify the parts you need to fit your application.

zcolton

 

[darvoset]

zcolton,
I am sorry. I had just skimmed through the code quickly and did not notice that the code was requesting the username from the queryString. I called the page and it lists the groups just like it should. I will make the changes that I need to try to authenticate the user. Thanks a million for you help!

darvoset

 

[darvoset]

I had to shelf this product for a little while to take care of some more important ones. However, I am still unable to authenticate by the groups that the user is a member of in Active Directory. Presently, the code will deny access if the AD username or password are incorrect. However, it does not deny access if the AD user is not a member of the required group or groups. Any assistance would be greatly appreciated.

Here is the code that I have for the authentication page:

<%
Option Explicit
response.buffer = true

dim strUsername,strpassword,domainname
dim objDomain,objADsPath,objConnection,objCommand,objRS

strUsername=Replace(Request.Form("txtUserLogin"), "'", "''")
strpassword=Replace(Request.Form("txtUserPassword"), "'", "''")
domainname="mydomainname"
on error resume next


Set objDomain = GetObject ("GC://rootDSE")
objADsPath = objDomain.Get("defaultNamingContext")
Set objDomain = Nothing
Set objConnection = Server.CreateObject("ADODB.Connection")
objConnection.provider ="ADsDSOObject"
objConnection.Properties("User ID") = "mydomain\"+strUsername
objConnection.Properties("Password") = strpassword
objConnection.open "Active Directory Provider"
Set objCommand = CreateObject("ADODB.Command")
Set objCommand.ActiveConnection = objConnection
objCommand.CommandText ="select cn FROM 'GC://"+objADsPath+"' where sAMAccountname='"+strUsername+"'"
Set objRS = objCommand.Execute

'HandleError
If Err.Number <> 0 Then
session("logged_in") <> "true"
Response.Redirect("index.asp")
End If


'Code to check if the user is a member of the authorized group
dim sDomain,ADsPath,con,Com,rs
Set sDomain = GetObject ("GC://rootDSE")
ADsPath = sDomain.Get("defaultNamingContext")
Set sDomain = Nothing
Set con = Server.CreateObject("ADODB.Connection")
con.provider ="ADsDSOObject"
con.open "Active Directory Provider"
Set Com = CreateObject("ADODB.Command")
Set Com.ActiveConnection = con
Com.CommandText ="select memberof FROM 'GC://"+ADsPath+"' where sAMAccountname='"+strUsername+"'"
Set rs = Com.Execute
membership=rs("memberof")
rs.Close
con.Close
Set rs = Nothing
Set con = Nothing
For each group in membership
newgroup=split(group,"=")
tempgroup=left(newgroup(1), len(newgroup(1))-3)
tempgroup=lcase(tempgroup)
If InStr(group, "cn=authgroup,") > 0 Then
session("logged_in") = "true"
Response.Redirect("openings.asp")
End If
Next

'send back to login page if not member of group
Response.Redirect("index.asp")

%>

 

[zcolton]

darvoset,

replace "mydomainname" with the netbios name of your domain. On the Line If tempgroup="staff" then , replace staff with the name of the group you are looking to authenticate against.

<%
strUsername=Replace(Request.Form("txtUserLogin"), "'", "''")
strpassword=Replace(Request.Form("txtUserPassword"), "'", "''")
domainname="mydomainname"

on error resume next

Set objDomain = GetObject ("GC://rootDSE")
objADsPath = objDomain.Get("defaultNamingContext")
Set objDomain = Nothing
Set objConnection = Server.CreateObject("ADODB.Connection")
objConnection.provider ="ADsDSOObject"
objConnection.Properties("User ID") = domainname+"\" + strUsername
objConnection.Properties("Password") = strpassword
objConnection.open "Active Directory Provider"
Set objCommand = CreateObject("ADODB.Command")
Set objCommand.ActiveConnection = objConnection
objCommand.CommandText ="select cn FROM 'GC://"+objADsPath+"' where sAMAccountname='"+strUsername+"'"
Set objRS = objCommand.Execute

If Err.Number <> 0 Then
 session("logged_in") <> "true"
 Response.Redirect("index.asp")
 Else
  objCommand.CommandText ="select memberof FROM 'GC://"+objADsPath+"' where sAMAccountname='"+strUsername+"'"
  Set rs = objCommand.Execute
  membership=rs("memberof")
  rs.Close
  objConnection.Close
  Set rs = Nothing
  Set objConnection = Nothing
  For each group in membership
   newgroup=split(group,"=")
   tempgroup=left(newgroup(1), len(newgroup(1))-3)
   tempgroup=lcase(tempgroup)
   If tempgroup="staff" Then
    session("logged_in") = "true"
    Response.Redirect("openings.asp")
    Else
     Response.Redirect("index.asp")
   End If         
  Next
End If
%>

zcolton

 

[CharleyDC5]

Hi zcolton,

Is it possible to "ORDER BY" the results of the " For each group in membership" sequence?

The code is running real smooth, but the members username are not in alphabetical order!

I have also noticed some timeouts when querying some huge groups.. so I have set the ASP Running Delay (in IIS) to 180 seconds instead of 90 seconds.

Thank you very much!

Charles
CRA IT Analyst

 

[zcolton]

CharleyDC5,

It can be done using a sort function. Please post your code and I can show you the changes you need to make.

zcolton

 

[CharleyDC5]

Hi!

Here is the code:
<%
lstrGroupe = Request.QueryString("lstrGroupe")
lstrGroupDSN=request.querystring("group")

if lstrGroupDSN="" then
Set objDomain = GetObject ("LDAP://*******,*******")
Set objDomain = Nothing
Set lstrConnexion = Server.CreateObject("ADODB.Connection")
lstrConnexion.provider ="ADsDSOObject"
lstrConnexion.open "Active Directory Provider"
Set cmdGroup = CreateObject("ADODB.Command")
Set cmdGroup.ActiveConnection = lstrConnexion
cmdGroup.CommandText ="select adspath,name from 'LDAP://********,*******' WHERE objectCategory='Group' AND cn='" & lstrGroupe & "' ORDER BY name"
Set rsGroup = cmdGroup.Execute
if rsGroup.EOF then
Call CloseAll
else
rsarray=rsGroup.getrows
Call CloseAll
lstrNumRoms=ubound(rsarray,2)
Response.Redirect("get_group_members.asp?group=" + rsarray(1,rowcounter) + "")
end if
else
%>
<form method="post" action="default.asp?lstrAction=search" name="frmGetMembers">
<textarea name="txtGroupe" id="txtGroupe" style="position:absolute;visibility:hidden;">
<%
set objgroup=GetObject(lstrGroupDSN)
Response.Write "<span class='h2Size'><b>Membres du groupe "+objgroup.cn+"</b></span><br>"
Response.Write("<table width='50%' border='1' class='tableau'>")
Response.Write("<tr bgcolor='#FBFBFB'>")
Response.Write("<td class='h2Size' align='center'><b>Nom</b></td>")
Response.Write("<td class='h2Size' align='center'><b>CI-usager</b></td>")
Response.Write("</tr>")


For each objMember in objGroup.Members
Response.Write("<tr onMouseOver=""javascript:this.bgColor='#EFEFEF';"" onMouseOut=""javascript:this.bgColor='#FFFFFF';"">")
Response.Write("<td>")
Response.Write("<a href='../recherche_informations/common_includes/get_infos.asp?lstrUsager=" & objMember.cn & "' title='Voir les informations de ce membre'>" & objMember.DisplayName & "</a>")
Response.Write("</td>")
Response.Write("<td align='center'>")
Response.Write(objMember.cn)
Response.Write("</td>")
Response.Write("</tr>")
Next
Response.Write("</table>")
Set objGroup=nothing
end if
%>