Non-anonymous secure LDAP connection
New Post
7/23/2008 4:53 PM
 

Unfortunately I didn't get a chance on the weekend and it's been too busy here at work to do any extracurricular testing.

 
New Post
11/17/2008 11:04 AM
 

So my network people are still recording anonymous LDAP queries every time one of my DNN users logs in to the site.  They are moving along with the initiative to disable anonymous access to LDAP which will cause all of these queries to fail. 

Has anyone ever been able to figure out why anonymous LDAP queries are being made instead of binding using the ASP.NET process account credentials (which I have configured as a network service account)?  I have Windows authentication enabled in web.config, removed all anonymous access to the entire site (and enabled Windows authentication), and commented out the <identity/> element in web.config (since I don't want it to impersonate the user, I want everything to be run under the ASP.NET service account).

I currently have "Sealing" selected as the Authentication Type in the ADSI provider config.

Thanks for any help.

 
New Post
12/16/2008 11:01 AM
 

Anyone had any luck finding out where the AD provider is making anonymous LDAP queries (it appears to be when it is looking for groups)? The .NET documentation for the DirectoryEntry object says that the default constructor in .NET 2.0 creates the DirectoryEntry object with a Secure authentication type. I've been through the code a lot and I can't figure out where a DirectoryEntry object is being created with a non-secure authentication type.

Another issue with the security of this module is that, in an attempt to get around the problem with anonymous LDAP queries, I entered the login and password of the asp worker process service account into the AD configuration.  I was thinking that then all LDAP requests would be made using that username and password.  Not only did that not work (there are still anonymous queries), but our network people told me that it is now sending LDAP queries with a clear text password (which will also not be allowed in about a month).

Seems like both of these issues would be a high priority for this module since it involves security...

 
New Post
12/16/2008 11:17 AM
 

Brett, if you turn off Synchronization do the anonymous LDAP queries still happen? If you can let me know that then it'll give me a starting point.

I'd like to try to track this down over the holiday season but I can't guarantee if I'll be able to. I'm far from an expert on ADSI and LDAP and am working with code that's from the .NET 1.0 days originally. My plan is to do a complete re-write of the code once the current version is stable enough for the majority of users.
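
Added example, not part of the thread or of the AD provider's code: a small Python scanner for the question raised in the posts above, namely where a DirectoryEntry is created without a secure authentication type. It lists every line that constructs a DirectoryEntry or assigns AuthenticationType and groups it by the AuthenticationTypes flags named on that line; the sample source, the function names and the category rules are assumptions made for this illustration.

```python
import re

# Lines that create a DirectoryEntry or set its AuthenticationType (VB.NET or C#).
TRIGGER = re.compile(r"\bnew\s+DirectoryEntry\s*\(|\.AuthenticationType\s*=", re.I)
FLAG = re.compile(r"AuthenticationTypes\.(\w+)")

def classify(flags):
    """Map the AuthenticationTypes flags named on a line to a bind category."""
    if not flags:
        return "implicit"    # framework default (Secure on .NET 2.0 per the docs cited in the thread)
    if "Anonymous" in flags:
        return "anonymous"   # no authentication is performed
    if "Secure" in flags:
        return "secure"      # negotiated bind, no password on the wire
    return "simple"          # assumption: Secure not requested, treated as a simple bind

def audit(source):
    """Return (line_no, category, flags) for every bind-relevant line."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        code = line.strip()
        # Skip VB and C# comment lines and anything that does not touch a bind.
        if code.startswith(("'", "//")) or not TRIGGER.search(code):
            continue
        flags = FLAG.findall(code)
        findings.append((no, classify(flags), flags))
    return findings

def needs_review(findings):
    """Keep only lines that do not explicitly request a secure bind."""
    return [f for f in findings if f[1] != "secure"]

# Constructed sample, not taken from the AD provider's source.
SAMPLE = """\
Dim root As New DirectoryEntry("LDAP://RootDSE")
Dim e1 As New DirectoryEntry(path, user, pwd, AuthenticationTypes.Sealing)
Dim e2 As New DirectoryEntry(path, Nothing, Nothing, AuthenticationTypes.Secure Or AuthenticationTypes.Sealing)
' Dim old As New DirectoryEntry(path, user, pwd, AuthenticationTypes.None)
e3.AuthenticationType = AuthenticationTypes.None
var e4 = new DirectoryEntry(path, null, null, AuthenticationTypes.Anonymous);
"""

if __name__ == "__main__":
    for no, category, flags in needs_review(audit(SAMPLE)):
        print(f"line {no}: {category:9} {' | '.join(flags) or '(none given)'}")
```

The scan is line-based and heuristic, so a constructor flagged as "implicit" may still be made secure by a later AuthenticationType assignment on the same object; both lines are reported so they can be compared.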

 

