
Introduction

With the knowledge of the VOOT protocol in mind we implemented a simple webservice to access Microsoft Active Directory as a group provider. Active Directory will be accessed with the LDAP protocol. Visual Studio 2010 is used as the development environment. The new project is based on the WCF REST services project template. Currently, the tutorial only supports parts of the VOOT protocol.

For access to the LDAP server we used the following component: LDAP library for C#.NET. The Active Directory server is set up with the default configuration that contains the directories: Builtin and Users. 

Webservice methods

The following methods are currently implemented:

  • Get all groups - HTTP GET to /groups/@me
  • Get all members of a certain group - HTTP GET to /people/@me/{group id}
  • Get a certain person - HTTP GET to /people/{user id}

The code of these methods is as follows:

    using System.ServiceModel;
    using System.ServiceModel.Web;

    [ServiceContract]
    public class VootService
    {
        private readonly IVootReader reader;

        // Identifier of the authenticated caller. It has to be supplied by the
        // OAuth component listed under TO DO; the tutorial does not set it yet.
        private string currentUser;

        public VootService()
        {
            reader = new LdapVootReader(new ConfigurationHelper());
        }

        // Get all groups the current user is a member of.
        [WebGet(UriTemplate = "groups/@me")]
        public string IsMemberOf()
        {
            return reader.IsMemberOf(currentUser);
        }

        // Get a certain person.
        [WebGet(UriTemplate = "people/{userId}")]
        public string GetMember(string userId)
        {
            return reader.GetMember(userId);
        }

        // Get all members of a certain group.
        [WebGet(UriTemplate = "people/@me/{groupId}")]
        public string GetGroupMembers(string groupId)
        {
            return reader.GetGroupMembers(groupId);
        }
    }

All results are returned in JSON format.

Get all groups

The VootReader class contains the method IsMemberOf(userId), which returns all groups the current user is a member of. The LDAP directory is searched from the base "CN=Users,DC=demo,...,DC=nl" with the filter "samAccountName={userId}". The memberOf attribute returns a string array of all group memberships, for example:

    {
        "CN=TestGroup,CN=Users,DC=demo,DC=..,DC=..,DC=surfnet,DC=nl",
        "CN=DemoGroup,CN=Users,DC=demo,DC=..,DC=..,DC=surfnet,DC=nl",
        "CN=Administrators,CN=Builtin,DC=demo,DC=..,DC=..,DC=surfnet,DC=nl"
    }

Each element of the array is then processed by fetching the single LDAP entry that matches its first common name (CN).

Get all members of a certain group

The method GetGroupMembers returns all members of the given group. The LDAP search base is the same as in the previous method, because in our case the groups are also located in the Users directory; the groupId is used in the filter instead of the userId.

Again the result is returned as a string array, but this time as value of the member attribute.
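As an added example (not code from the tutorial), a small helper class that builds the samAccountName filter with RFC 4515 escaping, since userId and groupId arrive from the request URL, and that extracts the first CN from a memberOf value as the group lookup above requires. The class name VootLdapHelpers and its method names are assumptions.

```csharp
using System;
using System.Text;

// Added helpers (not part of the tutorial's VootService): userId and groupId
// come from the request URL, so the filter value is escaped per RFC 4515.
public static class VootLdapHelpers
{
    // Escape '*', '(', ')', '\' and NUL so they cannot alter the filter structure.
    public static string EscapeFilterValue(string value)
    {
        if (value == null) throw new ArgumentNullException("value");
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Filter for the "samAccountName={userId}" search; groupId is substituted the same way.
    public static string BuildAccountFilter(string userId)
    {
        return "(samAccountName=" + EscapeFilterValue(userId) + ")";
    }

    // First CN of a memberOf value: "CN=TestGroup,CN=Users,DC=..." yields "TestGroup".
    // A backslash-escaped comma inside the value (RFC 4514) does not end it.
    public static string FirstCn(string dn)
    {
        if (dn == null || !dn.StartsWith("CN=", StringComparison.OrdinalIgnoreCase))
            return null;
        var sb = new StringBuilder();
        for (int i = 3; i < dn.Length; i++)
        {
            if (dn[i] == '\\' && i + 1 < dn.Length) { sb.Append(dn[++i]); continue; }
            if (dn[i] == ',') break;
            sb.Append(dn[i]);
        }
        return sb.ToString();
    }
}
```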

Get a certain person

The method GetMember returns the data of the requested user. The main part of the method is:

    using Novell.Directory.Ldap;

    Person result = null;

    // Get the entry for the requested user below the people base DN.
    LdapEntry entry = GetEntry(id, configHelper.PeopleDn);

    // Process the result: only the displayName attribute is mapped.
    if (entry != null)
    {
        LdapAttribute attr = entry.getAttribute("displayName");
        if (attr != null)
        {
            result = new Person { DisplayName = attr.StringValue, Id = id };
        }
    }

Authentication

For the authentication of the institution's endpoint, either 3-legged OAuth version 1.0a or the Authorization Code Grant of OAuth version 2.0 MUST be supported. In this tutorial only the latter is added as an example. For the user experience, the provider SHOULD connect the OAuth provider (responsible for creating and granting access tokens after a successful authentication) to SURFconext in order to establish SSO between the Service Provider, SURFconext and the External Group Endpoint.

That's all folks

Have fun building your own Active Directory group provider with VOOT protocol.

TO DO

  • Add the OAuth 2.0 component for 3-legged authentication handling.
  • Add extra VOOT request parameters: count, filterBy, filterOp, filterValue, sortOrder, startIndex.
  • Add the code to the github directory.

http://www.novell.com/developer/ndk/ldap_libraries_for_c_sharp.html
