Comments
Posted by Mark Bryson on 01/21/2003 09:51:23 AM
NT Username
Excellent posting & perfectly timed (from my point of view).
I see in your readme that you recommend creating an NT login and to use this in the .ini file. Does
this mean changing the way that IIS normally works with domino, i.e. running as a service?
Posted by Steve Duncan on 03/14/2003 02:26:42 PM
ISAPI
Posted by Steve Duncan on 03/14/2003 02:29:55 PM
ISAPI
Posted by Steve Duncan on 07/03/2003 09:06:33 AM
ISAPI
Hi Mark
I apologize for not getting back to you on this but I have been away from Notes for a couple of
months. I have not used the filter in the manner that you have mentioned. I have used it on IIS
only to serve up asp pages, but it allowed me to use the notes ldap for authentication.
Posted by David Shepherd on 09/08/2003 01:14:00 PM
LDAP Server Compatibility
Will this work against other LDAP servers and not just Notes? I can install the code successfully, e.g. the filter installs, but it never seems to make any LDAP request to the LDAP server. Any clues would be gratefully received.
Many thanks
David Shepherd
Posted by Simon Oliver on 03/24/2004 07:11:21 AM
LDAP search filter
Steve, AuthFilt works well. I'm using it to authenticate against a Novell NDS LDAP server. One thing I would like to add is a filter option so that I can have more control over the users that get access:
FILTER = (&(groupMembership=ou=unit,o=org)(objectClass=posixAccount))
Is this feature available? If not, can I have a copy of the source code - I'm not a real programmer but I know some C and a bit about LDAP so hopefully should be able to hack the code.
Posted by Steve Duncan on 03/24/2004 02:51:34 PM
LDAP Search Filter
Hi Simon
If you change SEARCHBASE=ou=UNIT,o=ORG in the ini you should be able to filter down to the ou level. Not sure if it would support your full filter, but I doubt it. It has been years since I hacked this together from a Microsoft sample and an ldap book. Drop me an email and I would be glad to send you the code.
Steve
sduncan@soft-ally.com
Posted by Afiss BILEOMA on 11/12/2004 03:22:03 PM
User Login
Hello,
I am trying to use AuthFilt against a Domino server and it's working well. My web server is an IIS 5.0 server. The only problem I have is that people are authenticated when they use their Lotus Notes Short Name (in the Domino Address Book) as login. With the Lotus Notes Full Name the authentication fails.
Maybe this is hard-coded in the DLL, or maybe I need to add some information to authfilt.ini.
Any clues would be gratefully received.
Best regards,
Afiss
abileoma@yahoo.com
Posted by Steve Duncan on 11/12/2004 04:27:03 PM
shortname
Hello Afiss
Unfortunately you are correct that it will only authenticate on the shortname (uid in ldap). Do you want it to auth against either, or does your company only use the fullname? You could try remapping uid to the fullname, or I could send you the code and you could change the filter to fullname.
The other thing, if you are using both an IIS server and a Domino web server, would be to look at IIS SSO (http://www.openntf.org/Projects/codebin/codebin.nsf/CodeBySubContributor/8016EB7A34C7930086256E9A0019EC2D). I have been doing more of this than the ldap stuff lately because it is more flexible and users do not have to log in again.
Drop me an email if you have any questions
sduncan@soft-ally.com
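Added example, not part of the thread and not AuthFilt's source: one way a filter like this could combine the login name with a configurable attribute (uid or cn, as in the shortname/fullname exchange) and an optional extra filter (as in the FILTER request further up), escaping the user-supplied name per RFC 4515. The function names and the idea of reading `attr` and `extra` from the ini file are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Escape a login name for use as an LDAP filter value (RFC 4515):
 * '*', '(', ')' and '\' are written as a backslash plus two hex digits.
 * Returns 0 on success, -1 if the output buffer is too small. */
static int escape_filter_value(const char *in, char *out, size_t outlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    if (outlen == 0) return -1;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        int special = (c == '*' || c == '(' || c == ')' || c == '\\');
        if (o + (special ? 3 : 1) >= outlen) return -1;
        if (special) {
            out[o++] = '\\';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        } else {
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return 0;
}

/* attr and extra are administrator settings (hypothetical ini keys);
 * login is what the browser sent and is the only untrusted part. */
int build_user_filter(const char *attr, const char *login, const char *extra,
                      char *out, size_t outlen)
{
    char esc[256];
    int n;
    if (!attr || !login || !login[0]) return -1;
    if (escape_filter_value(login, esc, sizeof esc) != 0) return -1;
    if (extra && extra[0])
        n = snprintf(out, outlen, "(&(%s=%s)%s)", attr, esc, extra);
    else
        n = snprintf(out, outlen, "(%s=%s)", attr, esc);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char f[256];
    if (build_user_filter("uid", "jdoe", "(objectClass=posixAccount)", f, sizeof f) == 0)
        puts(f);
    return 0;
}
```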
Posted by Afiss BILEOMA on 11/14/2004 03:48:02 PM
Filter code
Dear Steve,
Thanks for your quick answer. If I could have the code of the filter, this will help me a lot.
Actually my company policy is to have fullname ("First name Last name") as login for web authentication.
The SSO clue is a good idea but a little bit hard to simply implement while we have a lot of NT domains to trust.
Regards,
Afiss
abileoma@yahoo.com
Posted by Tom Van den Abbeele on 01/19/2005 07:33:10 AM
Password caching
Hello,
I'm currently using this ISAPI module to authenticate users to a Novell NDS over LDAP and this works fine. But when a user changes his/her password on the Novell server, the new password can only be used after a restart of the IIS server; before that the old password remains active. Logging shows authentication requests to the LDAP server only the first time a user successfully logs on after IIS has restarted.
Is there a solution for this problem?
thx,
Tom
Posted by Steve Duncan on 01/19/2005 09:28:41 AM
You are right
Hi Tom
You are exactly right with what is happening. The filter caches the password for the last 100 users, and the only way it gets cleared out is by 100 people logging in since you or a restart of IIS. This has been an issue for a while and I have been meaning to get to it along with a lot of other things. If you are a C++ person I am more than willing to share the code with you as long as you are willing to share your changes with everyone. If you don't know C++, I can only promise to take a look at it when I can; fortunately or unfortunately I am really busy right now so I can't promise a delivery date.
Steve
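Added example, not part of the thread and not the fix later shipped in ISAPI2.zip: a 100-slot credential cache in which entries expire and a mismatching password drops the entry, so a changed password takes effect without restarting IIS. The 300-second lifetime, the names and the round-robin replacement are assumptions.

```c
#include <string.h>
#include <time.h>

#define CACHE_SLOTS 100   /* "the last 100 users", as described above */
#define CACHE_TTL   300   /* seconds an entry stays valid; assumed value */
/* Passwords are held as-is, as the post describes. ISAPI filters run on
 * several threads, so real code must take a lock around these calls. */
struct entry { char user[64]; char pass[64]; time_t verified; int used; };
static struct entry cache[CACHE_SLOTS];
static int next_slot;     /* round-robin replacement */

static struct entry *find(const char *user)
{
    for (int i = 0; i < CACHE_SLOTS; i++)
        if (cache[i].used && strcmp(cache[i].user, user) == 0)
            return &cache[i];
    return NULL;
}

/* 1 = fresh entry with the same password, LDAP can be skipped.
 * 0 = unknown, expired or different password: entry dropped, bind again. */
int cache_check(const char *user, const char *pass, time_t now)
{
    struct entry *e = find(user);
    if (!e) return 0;
    if (now - e->verified >= CACHE_TTL || strcmp(e->pass, pass) != 0) {
        memset(e, 0, sizeof *e);
        return 0;
    }
    return 1;
}

/* Call only after the LDAP server has accepted user/pass. */
void cache_store(const char *user, const char *pass, time_t now)
{
    struct entry *e = find(user);
    if (strlen(user) >= sizeof e->user || strlen(pass) >= sizeof e->pass) return;
    if (!e) { e = &cache[next_slot]; next_slot = (next_slot + 1) % CACHE_SLOTS; }
    memset(e, 0, sizeof *e);
    strcpy(e->user, user);
    strcpy(e->pass, pass);
    e->verified = now; e->used = 1;
}

int main(void)
{
    cache_store("tom", "old", 1000);
    return cache_check("tom", "old", 1000 + CACHE_TTL);   /* 0: expired */
}
```

The old password can still hit the cache until the entry expires, so the lifetime bounds how long a changed or revoked password keeps working.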
Posted by Tom Van den Abbeele on 01/19/2005 09:53:23 AM
Password caching
Steve,
I can imagine you are too busy to deal with this right now and you can't solve every new issue right away. But since it's either changing the code myself or looking for a completely different solution, I would be happy to take a look at it and share the changes afterwards with you ... It's worth a try!!
Thanks a lot,
Tom
Posted by Steve Duncan on 01/20/2005 12:32:23 PM
Password Caching
Hey Tom
I got ambitious today and added some code to take care of the caching, try it out. ISAPI2.zip
S
Posted by Tom Van den Abbeele on 01/24/2005 07:34:41 AM
Password Caching
Steve, it works fine now, thanks a lot!!
Tom
Posted by thor rudi on 02/14/2005 06:13:56 AM
Why not share the source code?
Is it possible to get a look at the source code? How does your code differ from the one used by the guys at www.inflectioncorp.com?
Posted by Steve Duncan on 02/14/2005 12:40:54 PM
Code
Sure, send me an email and I will send it. About 5 years ago I wanted to connect IIS to our notes ldap server and could not find anything. I found an ISAPI sample (http://www.codeguru.com/Cpp/I-N/isapi/filters/article.php/c1297/) on MS that used a text file as the user database, bought an ldap book and was able to cobble together a working version. 75% of the code in there is from the MS sample, 20% from the ldap cookbook, and 5% is just hacked.
I have rarely made any updates because it does what my client needs it to do and I have been switching over to a different method of integrating environments (http://www.openntf.org/Projects/codebin/codebin.nsf/CodeSearch/8016EB7A34C7930086256E9A0019EC2D).
As for how it differs from inflectioncorp or any of the other filters out there, you would have to test it. The only thing this filter does is authenticate ldap users, no authorization functionality, no group functionality, or anything else.
Posted by Tom Van den Abbeele on 02/17/2005 03:27:27 AM
Null password = anonymous bind !!!
Steve,
It seems that any user can log in when providing a username along with an empty password. Although it is standard LDAP behaviour according to the RFC to convert any user who provides an empty password to an anonymous bind, we don't want this to happen in our IIS authentication.
Is it possible to change this as well (just deny a login with an empty password) in your code or to send me your code (to tom.vda @ send-e.net) if you don't have time to change this one of the following days?
thanks,
Tom
Posted by Tom Van den Abbeele on 02/21/2005 10:41:18 AM
Null password = anonymous bind !!!
Is it possible to help me with this problem? By blocking empty passwords or to send me the code so I can do this myself?
thx,
Tom
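Added example, not part of the thread and not AuthFilt's source: why a successful simple bind cannot be treated as a login when the password is empty, and a guard that refuses such requests before contacting the server. The server here is a constructed stand-in with a sample DN and password; in a real filter the callback would wrap the actual bind call.

```c
#include <stdio.h>
#include <string.h>

/* Kinds of LDAP simple bind (RFC 4513, section 5.1). */
enum bind_kind { BIND_ANONYMOUS, BIND_UNAUTHENTICATED, BIND_NAME_PASSWORD };

enum bind_kind classify_simple_bind(const char *dn, const char *pw)
{
    int has_dn = dn && dn[0];
    int has_pw = pw && pw[0];
    if (has_dn && has_pw) return BIND_NAME_PASSWORD;
    if (has_dn) return BIND_UNAUTHENTICATED;   /* name but empty password */
    return BIND_ANONYMOUS;                     /* no name: never a user login */
}

typedef int (*bind_fn)(const char *dn, const char *pw);   /* 0 = success */

/* Constructed stand-in for a directory server that accepts binds without a
 * password; the DN and password are sample values. 49 = invalidCredentials. */
int demo_server_bind(const char *dn, const char *pw)
{
    if (!pw || !pw[0]) return 0;   /* succeeds, but proves no identity */
    return (dn && !strcmp(dn, "cn=tom,o=org") && !strcmp(pw, "s3cret")) ? 0 : 49;
}

/* The behaviour reported above: the bind result alone decides the login. */
int login_trusting_bind(const char *dn, const char *pw, bind_fn bind)
{
    return bind(dn, pw) == 0;
}

/* Guarded version: refuse unless both a name and a password are present,
 * so only a name/password bind can log a user in. */
int login_guarded(const char *dn, const char *pw, bind_fn bind)
{
    if (classify_simple_bind(dn, pw) != BIND_NAME_PASSWORD) return 0;
    return bind(dn, pw) == 0;
}

int main(void)
{
    printf("empty password, bind trusted: %d\n",
           login_trusting_bind("cn=tom,o=org", "", demo_server_bind));
    printf("empty password, guarded:      %d\n",
           login_guarded("cn=tom,o=org", "", demo_server_bind));
    return 0;
}
```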
Posted by john f kattar on 06/02/2005 03:36:48 PM
Please send source for ISAPI LDAP Filter
Steve,
Could you email me the source for ISAPI LDAP Filter?
thanks
john
Posted by Steve Duncan on 06/15/2005 05:49:09 PM
Source Code
The source code is now posted. I always planned on trying to clean up the code one day, but that day has never come.
Posted by Tristão vd Haar Pinto on 06/16/2008 04:41:06 AM
works, thnx
Dear Steve
We use your solution to perform authentication with Novell eDir credentials, works like a charm
Thnx for sharing your solution :-)
cheers
Tristão
Posted by Gino St-Pierre on 06/12/2009 02:44:18 PM
Windows 64
Has anyone tested it on a Win64 box? I've been using this for some years now to validate with Netware eDirectory and it works great. Our new server is running Windows 2003 64-bit and I can't make the ISAPI filter work. Has anyone run into this? I downloaded the source but I don't know how I could build a 64-bit DLL.
Thanks,
Gino