# LDAP
The Identity module has built-in `LdapExternalLoginProvider` and `OpenLdapManager` services. They implement LDAP authentication and retrieve user information for external login. The cross-platform LdapForNet library is used for Windows LDAP authentication; see the LdapForNet GitHub repository for more information.
## How to Enable LDAP External Login?

You need to enable the LDAP login feature and configure the related settings.
## Customize Built-in Services

The default `OpenLdapManager` service uses `$"cn={userName},{BaseDc}"` to normalize the user name, `$"(&(uid={userName}))"` to search for users, and `mail` as the attribute name from which to read the email. The value of `BaseDc` is the "Base domain component" setting.

If your username has a prefix or a specific format, you can override the `NormalizeUserNameAsync` method of `OpenLdapManager` to handle it. You can also customize the `GetUserFilterAsync` and `GetUserEmailAsync` methods.
```csharp
using System.Threading.Tasks;
using LdapForNet;
using Volo.Abp.DependencyInjection;
using Volo.Abp.Ldap;

[Dependency(ReplaceServices = true)]
[ExposeServices(typeof(OpenLdapManager), typeof(ILdapManager), typeof(LdapManager))]
public class CustomOpenLdapManager : OpenLdapManager
{
    public CustomOpenLdapManager(ILdapSettingProvider ldapSettingProvider)
        : base(ldapSettingProvider)
    {
    }

    // Default is $"cn={userName},{BaseDc}"
    protected override Task<string> NormalizeUserNameAsync(string userName)
    {
        // Alternatively use the "userName@domain" form, taking the domain
        // from await LdapSettingProvider.GetDomainAsync()
        return Task.FromResult($"Volo\\{userName}");
    }

    // Default is $"(&(uid={userName}))"
    protected override Task<string> GetUserFilterAsync(string userName)
    {
        return Task.FromResult($"(&(objectClass=user)(sAMAccountName={userName}))");
    }

    // Default reads the "mail" attribute of the matched entry
    protected override Task<string> GetUserEmailAsync(LdapEntry ldapEntry)
    {
        return Task.FromResult(ldapEntry.ToDirectoryEntry().GetAttribute("mail")?.GetValue<string>());
    }
}
```
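The filters above interpolate the submitted username into the LDAP search filter unchanged. As an added example (not ABP's own code), here is an `OpenLdapManager` override that escapes the username per RFC 4515 before building the filter, so filter metacharacters in the input cannot alter the query structure; the `Volo.Abp.Ldap` and `Volo.Abp.DependencyInjection` namespaces are assumed.

```csharp
using System.Text;
using System.Threading.Tasks;
using Volo.Abp.DependencyInjection;
using Volo.Abp.Ldap;

// Added example, not part of the ABP Ldap module: the username that reaches
// GetUserFilterAsync comes from the login form, so it is escaped before being
// placed inside the filter's assertion value.
[Dependency(ReplaceServices = true)]
[ExposeServices(typeof(OpenLdapManager), typeof(ILdapManager), typeof(LdapManager))]
public class EscapingOpenLdapManager : OpenLdapManager
{
    public EscapingOpenLdapManager(ILdapSettingProvider ldapSettingProvider)
        : base(ldapSettingProvider)
    {
    }

    protected override Task<string> GetUserFilterAsync(string userName)
    {
        var safe = EscapeFilterValue(userName);
        return Task.FromResult($"(&(objectClass=user)(sAMAccountName={safe}))");
    }

    // RFC 4515 section 3: '*', '(', ')', '\' and NUL inside an assertion value
    // are written as a backslash followed by the character's two hex digits.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (var ch in value)
        {
            switch (ch)
            {
                case '*': sb.Append("\\2a"); break;
                case '(': sb.Append("\\28"); break;
                case ')': sb.Append("\\29"); break;
                case '\\': sb.Append("\\5c"); break;
                case '\0': sb.Append("\\00"); break;
                default: sb.Append(ch); break;
            }
        }
        return sb.ToString();
    }
}
```

With this override, an input such as `admin)(objectClass=*` is searched for literally as `admin\29\28objectClass=\2a` rather than being parsed as additional filter terms.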
Besides, `$"uid={userName}, {BaseDc}"` is used in the built-in `LdapExternalLoginProvider` service to normalize the username; if you change the format in `OpenLdapManager`, you have to change it here as well.
```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Options;
using Volo.Abp.Features;
using Volo.Abp.Guids;
using Volo.Abp.Identity;
using Volo.Abp.Ldap;
using Volo.Abp.MultiTenancy;
using Volo.Abp.Settings;

public class CustomLdapExternalLoginProvider : LdapExternalLoginProvider
{
    public CustomLdapExternalLoginProvider(
        IGuidGenerator guidGenerator,
        ICurrentTenant currentTenant,
        IdentityUserManager userManager,
        IIdentityUserRepository identityUserRepository,
        OpenLdapManager ldapManager,
        ILdapSettingProvider ldapSettingProvider,
        IFeatureChecker featureChecker,
        ISettingProvider settingProvider,
        IOptions<IdentityOptions> identityOptions)
        : base(guidGenerator,
            currentTenant,
            userManager,
            identityUserRepository,
            ldapManager,
            ldapSettingProvider,
            featureChecker,
            settingProvider,
            identityOptions)
    {
    }

    // Default is $"uid={userName}, {BaseDc}"
    protected override Task<string> NormalizeUserNameAsync(string userName)
    {
        // Alternatively use the "userName@domain" form, taking the domain
        // from await LdapSettingProvider.GetDomainAsync()
        return Task.FromResult($"Volo\\{userName}");
    }
}
```
Replace the default implementation with `CustomLdapExternalLoginProvider`:
```csharp
public override void ConfigureServices(ServiceConfigurationContext context)
{
    //...
    Configure<AbpIdentityOptions>(options =>
    {
        // Remove the built-in provider registered under this name and register the custom one instead
        options.ExternalLoginProviders.Remove(LdapExternalLoginProvider.Name);
        options.ExternalLoginProviders.Add<CustomLdapExternalLoginProvider>(LdapExternalLoginProvider.Name);
    });
    //...
}
```
## LDAP test application

Testing the LDAP configuration through your ABP application can be time-consuming. The following simple .NET console app is for testing your LDAP configuration: before configuring your LDAP settings, you can try the connection details in this app to see if they work.