dotnet / AspNetCore.Docs

Documentation for ASP.NET Core
https://docs.microsoft.com/aspnet/core
Creative Commons Attribution 4.0 International

Code example for linux ldap authentication is incorrect #30226

Open maxbl4 opened 1 year ago

maxbl4 commented 1 year ago

The whole section "Kerberos authentication and role-based access control (RBAC)" https://learn.microsoft.com/en-us/aspnet/core/security/authentication/windowsauth?view=aspnetcore-7.0&tabs=visual-studio#kerberos-authentication-and-role-based-access-control-rbac contains invalid code.

if (RuntimeInformation.IsOSPlatform(OSPlatform.Linux))
{
    options.EnableLdap(settings =>
    {
        settings.Domain = "contoso.com";
        settings.MachineAccountName = "machineName";
        settings.MachineAccountPassword =
                          builder.Configuration["Password"];
    });
}

This code will always throw a NotSupportedException, because it checks for the auth type and credentials. I checked the source code of the library. The only way to make it work currently is to provide code like this:

using System.DirectoryServices.Protocols;
using System.Net;
using System.Runtime.InteropServices;

if (RuntimeInformation.IsOSPlatform(OSPlatform.Linux))
{
    options.EnableLdap(settings =>
    {
        settings.Domain = "your.domain";
        // Build the LdapConnection yourself instead of relying on
        // MachineAccountName / MachineAccountPassword
        var ldapConnection = new LdapConnection(
            new LdapDirectoryIdentifier("your.domain", fullyQualifiedDnsHostName: true, connectionless: false),
            new NetworkCredential("myuser", "my_user_password", "YOUR.DOMAIN"),
            AuthType.Basic  // Currently only basic auth is supported
        );
        ldapConnection.SessionOptions.ProtocolVersion = 3;
        // This line is important, the current version will not work without it
        ldapConnection.SessionOptions.ReferralChasing = ReferralChasingOptions.None;
        settings.LdapConnection = ldapConnection;
        // Enables querying for user groups and transforming them into claims
        settings.EnableLdapClaimResolution = true;
    });
}

Only AuthType.Basic is actually supported. And even after that, when an actual user tries to log in and the library queries the DC, it will also fail every time until you add ldapConnection.SessionOptions.ReferralChasing = ReferralChasingOptions.None; There are no comments about this in the article.


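The following is an added example (not code from the issue, the ASP.NET Core docs, or the Negotiate package) showing the reporter's workaround wired into a complete minimal-API Program.cs, with the bind credentials read from configuration instead of being hardcoded and a /whoami endpoint for checking which claims the LDAP resolver produced. It assumes a .NET 7 web project with implicit usings and the Microsoft.AspNetCore.Authentication.Negotiate package, a domain controller that offers LDAPS on 636, and configuration keys Ldap:Domain, Ldap:BindUser, Ldap:BindPassword and a group name "ContosoAdmins" that are all made up for illustration:

```csharp
// Added example, not from the issue or the docs. Assumed: .NET 7 web SDK with
// implicit usings, package Microsoft.AspNetCore.Authentication.Negotiate,
// configuration keys Ldap:Domain / Ldap:BindUser / Ldap:BindPassword (assumed
// names), and a DC that accepts simple binds over LDAPS on port 636.
using System.DirectoryServices.Protocols;
using System.Net;
using System.Runtime.InteropServices;
using Microsoft.AspNetCore.Authentication.Negotiate;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(NegotiateDefaults.AuthenticationScheme)
    .AddNegotiate(options =>
    {
        // On Windows the host resolves group membership itself; the LDAP
        // resolver is only needed on Linux.
        if (!RuntimeInformation.IsOSPlatform(OSPlatform.Linux))
        {
            return;
        }

        options.EnableLdap(settings =>
        {
            // Assumed configuration keys. Bind them to user secrets, environment
            // variables or a vault; never commit the bind password.
            var domain = builder.Configuration["Ldap:Domain"]
                ?? throw new InvalidOperationException("Ldap:Domain is not configured");
            var bindUser = builder.Configuration["Ldap:BindUser"]
                ?? throw new InvalidOperationException("Ldap:BindUser is not configured");
            var bindPassword = builder.Configuration["Ldap:BindPassword"]
                ?? throw new InvalidOperationException("Ldap:BindPassword is not configured");

            settings.Domain = domain;

            // Simple (Basic) bind sends the service-account password in clear text,
            // so connect on the LDAPS port (636, assumed to be available) and turn on
            // SecureSocketLayer rather than binding over plain LDAP on 389.
            var connection = new LdapConnection(
                new LdapDirectoryIdentifier(domain, 636, fullyQualifiedDnsHostName: true, connectionless: false),
                new NetworkCredential(bindUser, bindPassword, domain),
                AuthType.Basic); // per the issue, only Basic works on Linux

            connection.SessionOptions.ProtocolVersion = 3;
            connection.SessionOptions.SecureSocketLayer = true;
            // Per the issue, group lookups fail without this on Linux.
            connection.SessionOptions.ReferralChasing = ReferralChasingOptions.None;

            settings.LdapConnection = connection;
            settings.EnableLdapClaimResolution = true; // AD groups become claims
        });
    });

builder.Services.AddAuthorization(options =>
{
    // Assumed AD group name; the LDAP resolver surfaces group names (not DNs).
    options.AddPolicy("ContosoAdmins", policy => policy.RequireRole("ContosoAdmins"));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Diagnostic endpoint: shows exactly which claims (and therefore which groups)
// the LDAP resolver attached to the authenticated user.
app.MapGet("/whoami", (HttpContext ctx) => Results.Ok(new
{
    Name = ctx.User.Identity?.Name,
    Claims = ctx.User.Claims.Select(c => new { c.Type, c.Value })
})).RequireAuthorization();

app.MapGet("/admin", () => Results.Ok("admin only"))
   .RequireAuthorization("ContosoAdmins");

app.Run();
```

Two things worth verifying on a real deployment: confirm with a packet capture (or against a DC that enforces LDAP signing/channel binding) that the simple bind really goes out over TLS, since whether SecureSocketLayer maps to ldaps:// on Linux depends on the runtime version; and use a low-privilege service account for the bind, because the bind credential only needs read access to group membership and is stored wherever the configuration provider keeps it.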

Rick-Anderson commented 1 year ago

@blowdart please review

blowdart commented 1 year ago

Not me :)

@captainsafia to nominate which dev owns windows auth these days

captainsafia commented 1 year ago

@halter73 I think this might be for you. @Tratcher might be able to help as well.

Tratcher commented 1 year ago

@joperezr