
Configuring the Nodinite LDAP Web API

Before you can use the Nodinite LDAP Web API, you must first configure connectivity and optional logging options.

There are two configuration files:

  • appsettings.json - product key and debug settings
  • settings.json - connection information. This file will automatically be partially encrypted to protect sensitive data like passwords used.


appsettings.json

The appsettings.json file must be edited manually. Use Notepad++ or some other text editor. Open the file with administrative privileges so you have the rights to save it once your typing is complete.

Product Key

You must provide the CustomerName and a Key. These are time-limited and must be renewed every year.

A License can be bought from most of our Partners and you can always contact us at info@nodinite.com for guidance and recommendations to quickly get you started.

settings.json

The settings.json file must be edited manually. Use Notepad++ or some other text editor. Open the file with administrative privileges so you have the right to save it once your typing is complete.

Connection information

The Connections part is an array of connections. Any number of connections can be defined. The client/consumer selects which connection to use as part of its call to the LDAP Web API.

You can use multiple accounts with different rights for different operations. As part of your API call, you send the Id (a GUID) of the configuration to use.

...
"LdapSettings": {
    "Settings": [
      {
        "AuthenticationType": 65,
        "Id": "5a95449b-95a6-4a9b-bfb4-f5292cbd3122",
        "DSAServer": "WILDWESTAD01",
        "DSAServerPort": 389,
        "UserName": "WildWest\\LDAPServiceAccount",
        "Password": "myverys3cretP4$$w0rd!"
      },
      {
        "AuthenticationType": 1,
        "Id": "6a95449b-95a6-4a9b-bfb4-f5292cbd3123",
        "DSAServer": "WILDWESTAD01",
        "DSAServerPort": 636,
        "UserName": "WildWest\\LDAPServiceAccount",
        "Password": "myverys3cretP4$$w0rd!"
      }
    ]
  },
...
Property: Example (Description)

  • AuthenticationType: 65 (Flags Enum)
  • Id: 5a95449b-95a6-4a9b-bfb4-f5292cbd3122 (any unique GUID)
  • DSAServer: WILDWESTAD01 (String, DNS Name)
  • DSAServerPort: 636 (Positive Integer)
  • UserName: WildWest\LDAPServiceAccount (String, User name for connection to LDAP Catalog Service)
  • Password: myverys3cretP4$$w0rd! (String, the password for user)

The password must be provided in clear text for first-time usage. It will then be detected as plain text and encrypted on the first invocation (for example, by calling the GetDomainControllers method). The encryption locks the current configuration to the named account. If you change the user name and/or the password, you must specify the password in clear text again, and it will then be re-encrypted.

AuthenticationTypes

AuthenticationTypes is a flags enum, so multiple options can be combined in a single value.

For example, the value 65 means Secure + Signing (1 + 64).

Value, Name: Description

  • 0, None: Equates to zero, which means to use basic authentication (simple bind) in the LDAP provider.
  • 1, Secure: Requests secure authentication. When this flag is set, the WinNT provider uses NTLM to authenticate the client. Active Directory Domain Services uses Kerberos, and possibly NTLM, to authenticate the client. When the user name and password are a null reference (Nothing in Visual Basic), ADSI binds to the object using the security context of the calling thread, which is either the security context of the user account under which the application is running or of the client user account that the calling thread is impersonating.
  • 2, Encryption/SecureSocketsLayer: Attaches a cryptographic signature to the message that both identifies the sender and ensures that the message has not been modified in transit. Active Directory
  • 4, ReadonlyServer: For a WinNT provider, ADSI tries to connect to a domain controller. For Active Directory Domain Services, this flag indicates that a writable server is not required for a serverless binding.
  • 16, Anonymous: No authentication is performed.
  • 32, FastBind: Specifies that ADSI will not attempt to query the Active Directory Domain Services objectClass property. Therefore, only the base interfaces that are supported by all ADSI objects will be exposed. Other interfaces that the object supports will not be available. A user can use this option to boost the performance in a series of object manipulations that involve only methods of the base interfaces. However, ADSI does not verify if any of the request objects actually exist on the server. For more information, see the topic "Fast Binding Option for Batch Write/Modify Operations" in the MSDN Library at http://msdn.microsoft.com/library. For more information about the objectClass property, see the "Object-Class" topic in the MSDN Library at msdn.microsoft.com/library.
  • 64, Signing: Verifies data integrity to ensure that the data received is the same as the data sent. The System.DirectoryServices.AuthenticationTypes.Secure flag must also be set to use signing.
  • 128, Sealing: Encrypts data using Kerberos. The System.DirectoryServices.AuthenticationTypes.Secure flag must also be set to use sealing.
  • 256, Delegation: Enables Active Directory Services Interface (ADSI) to delegate the user's security context, which is necessary for moving objects across domains.
  • 512, ServerBind: If your ADsPath includes a server name, specify this flag when using the LDAP provider. Do not use this flag for paths that include a domain name or for serverless paths. Specifying a server name without also specifying this flag results in unnecessary network traffic.
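The flag arithmetic above and the connection rules in this guide (Signing and Sealing require Secure, anonymous means no authentication, port 389 is clear text while 636 is encrypted, and each connection needs a unique GUID Id) are easy to get wrong by hand. The following Python checker is an added example, not part of the Nodinite product or this documentation: it decodes an AuthenticationType value into the flag names from the table and reviews each entry of a settings.json fragment for those inconsistencies. The flag values, the sample JSON layout and the two page connections are taken from this page; the third, misconfigured connection, the Id it uses and the placeholder passwords are constructed for the demonstration, and the findings are this example's own wording.

```python
import json
import uuid
from typing import Dict, List

# Flag values and names as listed in the AuthenticationTypes table on this page
# (the .NET System.DirectoryServices.AuthenticationTypes flags enum).
FLAGS = {
    1: "Secure",
    2: "Encryption/SecureSocketsLayer",
    4: "ReadonlyServer",
    16: "Anonymous",
    32: "FastBind",
    64: "Signing",
    128: "Sealing",
    256: "Delegation",
    512: "ServerBind",
}
KNOWN_BITS = sum(FLAGS)

# Ports as described under DSAServerPort: 389 is clear text, 636 is encrypted.
LDAPS_PORT = 636


def decode_flags(value: int) -> List[str]:
    """Split an AuthenticationType value into the flag names it combines.

    0 is the 'None' member (simple bind), so it is reported by name rather than
    as an empty list. Bits that are not in the table are reported as Unknown.
    """
    if value == 0:
        return ["None"]
    names = [name for bit, name in FLAGS.items() if value & bit]
    leftover = value & ~KNOWN_BITS
    if leftover:
        names.append("Unknown(0x%x)" % leftover)
    return names


def check_connection(conn: dict) -> List[str]:
    """Return findings for one LdapSettings.Settings entry (empty list = no issue)."""
    value = int(conn["AuthenticationType"])
    port = int(conn["DSAServerPort"])
    findings = []
    # Dependencies stated in the table: Signing and Sealing both require Secure.
    if value & 64 and not value & 1:
        findings.append("Signing (64) requires Secure (1)")
    if value & 128 and not value & 1:
        findings.append("Sealing (128) requires Secure (1)")
    if value & 16:
        findings.append("Anonymous (16): no authentication is performed")
    # Without Secure the bind is a simple bind; on any port other than the
    # LDAPS port the credentials travel in clear text, which is the case the
    # quoted Microsoft guidance recommends directory servers reject.
    if not value & 1 and port != LDAPS_PORT:
        findings.append("simple bind without Secure on port %d: clear-text credentials" % port)
    return findings


def check_settings(settings_json: str) -> Dict[str, List[str]]:
    """Validate every connection in a settings.json document, keyed by connection Id."""
    doc = json.loads(settings_json)
    report: Dict[str, List[str]] = {}
    for conn in doc["LdapSettings"]["Settings"]:
        cid = conn["Id"]
        findings = check_connection(conn)
        try:
            uuid.UUID(cid)  # the Id must be a GUID
        except ValueError:
            findings.append("Id is not a valid GUID")
        if cid in report:
            findings.append("duplicate Id: clients cannot select this connection unambiguously")
        report.setdefault(cid, []).extend(findings)
    return report


# Constructed sample: the two connections shown on this page plus a third,
# deliberately misconfigured one (Signing without Secure on the clear-text port).
# The passwords are placeholders, not real credentials.
SAMPLE_SETTINGS = r"""
{
  "LdapSettings": {
    "Settings": [
      { "AuthenticationType": 65, "Id": "5a95449b-95a6-4a9b-bfb4-f5292cbd3122",
        "DSAServer": "WILDWESTAD01", "DSAServerPort": 389,
        "UserName": "WildWest\\LDAPServiceAccount", "Password": "PLACEHOLDER" },
      { "AuthenticationType": 1, "Id": "6a95449b-95a6-4a9b-bfb4-f5292cbd3123",
        "DSAServer": "WILDWESTAD01", "DSAServerPort": 636,
        "UserName": "WildWest\\LDAPServiceAccount", "Password": "PLACEHOLDER" },
      { "AuthenticationType": 64, "Id": "00000000-0000-0000-0000-000000000003",
        "DSAServer": "WILDWESTAD01", "DSAServerPort": 389,
        "UserName": "WildWest\\LDAPServiceAccount", "Password": "PLACEHOLDER" }
    ]
  }
}
"""

if __name__ == "__main__":
    doc = json.loads(SAMPLE_SETTINGS)
    for conn in doc["LdapSettings"]["Settings"]:
        print(conn["Id"], decode_flags(int(conn["AuthenticationType"])))
    for cid, findings in check_settings(SAMPLE_SETTINGS).items():
        print(cid, findings or "OK")
```

Run it against your own settings.json (replace SAMPLE_SETTINGS with the file contents) before the first invocation, while the password is still in clear text and the file is easy to correct; once the product has encrypted the file, a changed user name or password has to be entered in clear text again as described above.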

How to enable LDAP signing in Windows Server

NOTE: Make sure to run as secure as you possibly can!

"You can significantly improve the security of a directory server by configuring the server to reject Simple Authentication and Security Layer (SASL) LDAP binds that do not request signing (integrity verification), or to reject LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection"

Please review the How to enable LDAP signing in Windows Server user guide.

Connection Id

The Id (a GUID) is used to identify this connection in the Settings collection.

Once this Id has been set, it should only be changed if you explicitly want client operations to fail. If you change this value, the clients must also be updated to reflect the change.

Example: 5a95449b-95a6-4a9b-bfb4-f5292cbd3122

DSAServer

The DSAServer is usually the DNS name of the target domain controller for Active Directory. You may use an IP address for some operations, and also for some other LDAP Catalog services. Consult the documentation from that vendor for additional information.

Example: WILDWESTAD01

DSAServerPort

The DSAServerPort is the TCP or UDP port used when connecting to the LDAP Catalog Service. For Active Directory the default is 389, or 636 for encrypted communication. The latter requires a valid certificate. Review the SSL-LDAPS for Active Directory user guide for additional information.

Example: 636

The Nodinite LDAP products use additional TCP and UDP ports; review the TCP and UDP ports user guide for additional information.

Some operations should be encrypted, usually over port 636. Other operations are not supported over encrypted communication. The solution is to define separate connections that use different ports.

Logging

Review the 'Enable Logging' user guide for additional information.


Next Step

Install