public bool CheckCredentialServer(LdapServiceModel ldapServiceModel)
{
bool success = false;
_ldapServer = ldapServiceModel.ldapServer;
_ldapPort = ldapServiceModel.ldapPort;
LdapDirectoryIdentifier ldapDirectoryIdentifier = new LdapDirectoryIdentifier(_ldapServer, Convert.ToInt16(_ldapPort), true, false);
LdapConnection ldapConnection = new LdapConnection(ldapDirectoryIdentifier);
try
{
ldapConnection.AuthType = AuthType.Anonymous;
ldapConnection.AutoBind = false;
ldapConnection.Timeout = new TimeSpan(0, 0, 0, 1);
ldapConnection.Bind();
ldapConnection.Dispose();
success = true;
}
catch (LdapException)
{
success = false;
}
return(success);
}
public CustomUser IsCreated(string username, string password, LdapServiceModel ldapServiceModel)
{
_ldapServer = ldapServiceModel.ldapServer;
_ldapPort = ldapServiceModel.ldapPort;
_baseDn = ldapServiceModel.baseDn;
bool success = false;
CustomUser customUser = null;
//username must be user full domain name. build UID string
string modUsername = "******" + username + _baseDn;
//string tempPath = "LDAP://ldap.server.com:389/uid=admin,o=Users,dc=okta,dc=com";
_ldapPath = string.Format("LDAP://{0}:{1}", _ldapServer, _ldapPort);
DirectoryEntry entry = new DirectoryEntry(_ldapPath, modUsername, password);
entry.AuthenticationType = AuthenticationTypes.None;
try
{
// Bind to the native AdsObject to force authentication.
// if no exception, then login successful
Object connected = entry.NativeObject;
DirectorySearcher directorySearcher = new DirectorySearcher(entry);
directorySearcher.Filter = "(uid=" + username + ")";
SearchResult result = directorySearcher.FindOne();
if (result != null)
{
User oktaUser = new User();
customUser = new CustomUser(oktaUser);
string path = result.Path;
customUser.Profile.LastName = (String)result.Properties["sn"][0];
customUser.Profile.FirstName = (String)result.Properties["givenname"][0];
customUser.Profile.Email = (String)result.Properties["mail"][0];
//success = true;
}
}
catch (LdapException ldapException)
{
//add additional error handling
if (ldapException.ErrorCode.Equals(LDAPError_InvalidCredentials))
{
success = false;
}
success = false;
}
catch (Exception ex)
{
//add additional error handling
success = false;
}
return(customUser);
}
public MigrationController(ILogger <MigrationController> logger, IConfiguration config, ICredAuthentication ldap)
{
_logger = logger;
_config = config;
_credAuthentication = ldap; //the service is injected by the GL app, the parameters are passed in on the method call
_ldapServiceModel = new LdapServiceModel();
_ldapServiceModel.ldapServer = _config.GetValue <string>("ldapSettings:ldapServer");
_ldapServiceModel.ldapPort = _config.GetValue <string>("ldapSettings:ldapPort");
_ldapServiceModel.baseDn = _config.GetValue <string>("ldapSettings:baseDn");
}
public bool IsAuthenticated(string username, string password, LdapServiceModel ldapServiceModel)
{
_ldapServer = ldapServiceModel.ldapServer;
_ldapPort = ldapServiceModel.ldapPort;
_baseDn = ldapServiceModel.baseDn;
_ldapPath = string.Format("LDAP://{0}:{1}", _ldapServer, _ldapPort);
bool success = false;
//username must be user full domain name. build UID string
string modUsername = "******" + username + _baseDn;
try
{
LdapDirectoryIdentifier ldapDirectoryIdentifier = new LdapDirectoryIdentifier(_ldapServer, Convert.ToInt16(_ldapPort), true, false);
LdapConnection ldapConnection = new LdapConnection(ldapDirectoryIdentifier);
//LdapConnection ldapConnection = new LdapConnection(new LdapDirectoryIdentifier((_ldapServer + (":" + _ldapPort))));
//ldapConnection.SessionOptions.VerifyServerCertificate = new VerifyServerCertificateCallback((con, cer) => true);
//ldapConnection.SessionOptions.SecureSocketLayer = true;
ldapConnection.SessionOptions.ProtocolVersion = 3;
ldapConnection.AuthType = AuthType.Basic;
//ldapConnection.AuthType = AuthType.Negotiate;;
ldapConnection.Timeout = new TimeSpan(0, 0, 10);
ldapConnection.Credential = new NetworkCredential(modUsername, password);
ldapConnection.Bind();
//if bind does not cause error then it is successful
ldapConnection.Dispose();
//_logger.Debug("ldap successfully validated username " + username);
success = true;
}
catch (LdapException ldapException)
{
//add additional error handling
if (ldapException.ErrorCode.Equals(LDAPError_InvalidCredentials))
{
success = false;
}
success = false;
}
catch (Exception ex)
{
//add additional error handling
success = false;
}
return(success);
}
public ActionResult ValidateUser()
{
PswMigrationResponse pswMigrationRsp = new PswMigrationResponse();
LdapServiceModel ldapServiceModel = null;
CustomUser oktaUser = null;
string username = null;
string password = null;
username = Request["username"];
password = Request["password"];
ldapServiceModel = new LdapServiceModel();
ldapServiceModel.ldapServer = appSettings["ldap.server"];
ldapServiceModel.ldapPort = appSettings["ldap.port"];
ldapServiceModel.baseDn = appSettings["ldap.baseDn"];
//use received username and password to bind with LDAP
//if password is valid, set password in Okta
try
{
//check username in Okta and password status
oktaUser = _oktaUserMgmt.GetCustomUser(username);
}
catch (OktaException)
{
//trap error, handle User is null
}
if (oktaUser != null)
{
if (string.IsNullOrEmpty(oktaUser.Profile.IsPasswordInOkta) || oktaUser.Profile.IsPasswordInOkta == "false")
{
//check user credentials in LDAP
bool rspIsAuthenticated = _credAuthentication.IsAuthenticated(username, password, ldapServiceModel);
if (rspIsAuthenticated)
{
//set password in Okta
bool rspSetPsw = _oktaUserMgmt.SetUserPassword(oktaUser.Id, password);
if (rspSetPsw)
{
//update attribute in user profile when set password successful
oktaUser.Profile.IsPasswordInOkta = "true";
bool rspPartialUpdate = _oktaUserMgmt.UpdateCustomUserAttributesOnly(oktaUser);
if (rspPartialUpdate)
{
pswMigrationRsp.status = "set password in Okta successful";
pswMigrationRsp.isPasswordInOkta = "true";
}
else
{
pswMigrationRsp.status = "set password in Okta successful";
pswMigrationRsp.isPasswordInOkta = "unknown";
}
}
else
{
//update attribute in user profile when set password fails
oktaUser.Profile.IsPasswordInOkta = "true";
bool rspPartialUpdate = _oktaUserMgmt.UpdateCustomUserAttributesOnly(oktaUser);
if (rspPartialUpdate)
{
pswMigrationRsp.status = "set password in Okta failed";
pswMigrationRsp.isPasswordInOkta = "false";
}
else
{
pswMigrationRsp.status = "set password in Okta failed";
pswMigrationRsp.isPasswordInOkta = "unknown";
}
}
}
else
{
//arrive here is user creds not validated in Ldap
pswMigrationRsp.status = "LDAP validation failed";
pswMigrationRsp.isPasswordInOkta = "false";
}
}
else
{
//no work required
pswMigrationRsp.status = oktaUser.Status;
pswMigrationRsp.isPasswordInOkta = "true";
}
//build response
pswMigrationRsp.oktaId = oktaUser.Id;
pswMigrationRsp.login = oktaUser.Profile.Login;
}
else
{
//arrive here if user not found in Okta
//check user credentials and get profile from LDAP
CustomUser rspCustomUser = _credAuthentication.IsCreated(username, password, ldapServiceModel);
if (rspCustomUser != null)
{
rspCustomUser.Profile.Login = username + _userdomain;
Okta.Core.Models.Password pswd = new Okta.Core.Models.Password();
pswd.Value = password;
rspCustomUser.Credentials.Password = pswd;
//create Okta user with password
rspAddCustomUser = _oktaUserMgmt.AddCustomUser(rspCustomUser);
if (rspAddCustomUser != null)
{
Uri rspUri = new Uri("https://tbd.com");
bool rspActivate = _oktaUserMgmt.ActivateUser(rspAddCustomUser, out rspUri);
if (rspActivate)
{
rspCustomUser.Profile.IsPasswordInOkta = "true";
bool rspPartialUpdate = _oktaUserMgmt.UpdateCustomUserAttributesOnly(rspAddCustomUser);
if (rspPartialUpdate)
{
pswMigrationRsp.oktaId = rspAddCustomUser.Id;
pswMigrationRsp.login = rspAddCustomUser.Profile.Login;
pswMigrationRsp.status = "Created in Okta";
pswMigrationRsp.isPasswordInOkta = "true";
}
else
{
pswMigrationRsp.oktaId = rspAddCustomUser.Id;
pswMigrationRsp.login = rspAddCustomUser.Profile.Login;
pswMigrationRsp.status = "Created in Okta";
pswMigrationRsp.isPasswordInOkta = "unknown";
}
}
else
{
pswMigrationRsp.oktaId = "none";
pswMigrationRsp.login = "******";
pswMigrationRsp.status = "User NOT Created in Okta";
pswMigrationRsp.isPasswordInOkta = "false";
}
}
else
{
pswMigrationRsp.oktaId = "none";
pswMigrationRsp.login = "******";
pswMigrationRsp.status = "User NOT Created in Okta";
pswMigrationRsp.isPasswordInOkta = "false";
}
}
else
{
pswMigrationRsp.oktaId = "none";
pswMigrationRsp.login = "******";
pswMigrationRsp.status = "User NOT Created in Okta";
pswMigrationRsp.isPasswordInOkta = "false";
}
}
return(Content(content: JsonConvert.SerializeObject(pswMigrationRsp), contentType: "application/json"));
}
