2 Replies Latest reply on Sep 10, 2015 10:40 AM by Nikolay Karetnikov

    Blueprint authentication in a domain tree

    Nikolay Karetnikov Navigator

      Hello!

      Please consider the following setup

       

      =============================

      Blueprint works in multiple domain environment.

      local1.paramount.com

      local2.paramount.com

      A user exists in both domains with the identical network ID (which is before @)

      usertwin@local1.paramount.com

      usertwin@local2.paramount.com

       

      When a Lexmark Authentication script tries to look up a user in dc=paramount,dc=com it fails, as it could not unambiguously identify which usertwin is the right one.

      ===========================

       

      What the script does:

      I see the following lines in the Authentication script:

                  string serverUri = "LDAP://10.10.10.10:389/DC=paramount,DC=com";
                  string adminDn = "administrator@paramount.com";
                  string adminPassword = "password";

                  LdapSearchResult result = LdapUtils.FindLdapUser(
                      serverUri, adminDn, adminPassword, authenticationType,
                      filterFormat, filterParameters, resultProperties, password);

      which actually performs the search.

       

      Is there any way (a filter parameter or a resultProperties option, perhaps) to make LdapUtils stop as soon as it finds a match and return it before a thorough search is complete?

      Kind of resultProperties.exactSearch=False, for example.

      Or maybe there is documentation on the scripting language?

      Any ideas would be very welcome!

       

        • Re: Blueprint authentication in a domain tree
          David Teviotdale Adventurer

          The "scripting language" is C#, so you could replace the LdapUtils.FindLdapUser() call above with your own code that uses functions in the Microsoft .NET System.DirectoryServices or System.DirectoryServices.Protocols namespaces. The LdapSearchResult returned by LdapUtils.FindLdapUser() is just a utility wrapper around a System.DirectoryServices.SearchResult.

           

          Some additional notes on Authentication Scripts:

           

          All scripts must implement the interface IAuthenticate which has a single function.

                  Identity Authenticate(Inputs inputs);

           

          This function is called every time the EDI receives a LogonUser2 call.

          The Inputs is a <IdentityInput> that has been converted into a C# object.

          The Identity returned is converted into a <ReferID>.

          This begs the question, then where does a <IdentityInputAssertion> come from?

          Answer : By throwing an exception.  I’m not kidding, it’s really that horrible.

           

          To create an <IdentityInputAssertion>,  create an Input object (not to be confused with the Inputs) and validate the Input against the Inputs.

           

          To run through multiple validation steps, you can call validate() multiple times.

          Note: when an Input ISN'T present in Inputs, the Authenticate function will exit, and then be called again when the terminal returns with the new Inputs.

            So:

          1. You can tell where you are by seeing what fields the object holds.
          2. Authenticate needs to be written realizing that it can be called multiple times.

           

          i.e. Do your validates at the start of the function to determine where you are. Once you've determined that Inputs has all the Input you need, do any other processing.

           

          Some code samples showing how to do assorted common things:

           

          Tell terminal to ask for EITHER a Card swipe (CardID) or User name (UserID)

           

              Choice choice = new Choice("Swipe card or enter PIN");
              choice.AddOption(new Input(AuthenticationHelper.InputCardId, "CardReader", Enumerations.IdentifierType.Card));
              choice.AddOption(new Input(AuthenticationHelper.InputUserId, "Keyboard", Enumerations.IdentifierType.Network));
              choice.Validate(inputs); // will cause control to return from script if not supplied

          Tell terminal to ask for User name AND Password

           

              Input userIdInput = new Input(AuthenticationHelper.InputUserId, "Keyboard", Enumerations.IdentifierType.Network);
              userIdInput.Prompt = "Enter Network ID";
              Input passwordInput = new Input(AuthenticationHelper.InputPassword, "Keyboard");
              passwordInput.Prompt = "Enter Password";
              passwordInput.Persist = false; // do not keep the password in the session
              passwordInput.Display = false; // mask it on the terminal
              userIdInput.And(passwordInput).Validate(inputs); // will cause control to return from script if not supplied

           

          Extract UserID from terminal response.

          Note, terminal response is the Inputs parameter supplied to the Authenticate() function

           

              Input userIdInput;
              if (inputs.TryGetValue(AuthenticationHelper.InputUserId, out userIdInput))
              {
                  // userIdInput now holds the terminal's response to the User name prompt
              }

           

          Create a minimal Identifier (for user "davidt").

           

              Identity identity = new Identity();
              identity.AddItem(new IdentityItem("NetworkId", "davidt", Enumerations.IdentifierType.Network, IsReferId.True));
              return identity;

            

          Scripting Objects

           

          Identity

          Manages information (e.g. network identifiers, card identifiers, full name, email address) that represents a single employee.

          Functions:

          • AddItem( IdentityItem item ) – add an additional IdentityItem (see below) to the object.

          Properties:

          • Items – provides access to the Dictionary object storing IdentityItem objects. It is indexed by name. Refer to Dictionary in the .NET Framework Online help.

          IdentityItem

          Constructors:

          • IdentityItem( string name, string data, Enumerations.IdentifierType identifierType ) – store an employee's identifier (e.g. network ID, card ID). You must specify the identifier type (see below).
          • IdentityItem( string name, string data, Enumerations.IdentifierType identifierType, IsReferId isReferId ) – store an employee's identifier (e.g. network ID, card ID) and mark it as the employee's "best" identifier. You must specify the identifier type (see below).

          Properties:

          • Name – a unique name that represents the data being stored
          • IdentifierType – the type of identifier being stored (Enumerations.IdentifierType):
            • Card – represents a card ID
            • Employee – represents a HR or payroll ID
            • Network – represents a network ID
          • IsReferId – true if the identifier is considered the employee's "best" identifier. Jobs logged during a terminal session, e.g. released print jobs, will be logged against this identifier.

          Inputs

          IdentityProvider

          Provides access to identity information from the Blueprint database.

          • Functions:
            • Identity FindIdentity( Enumerations.IdentifierType identifierType, string identifierData ) – Returns the Identity object representing the provided identifier information. Searches the Blueprint database for an identifier where its type matches "identifierType" and its data matches "identifierData". If the identifier is found, returns a valid Identity object representing the identifier and its hierarchy (e.g. its other related identifiers). If the identifier is not found, an exception is thrown.

          LdapUtils

          • LdapSearchResult FindLdapUser( string serverUri, string adminDN, string adminPassword, AuthenticationTypes authenticationType, string filterFormat, object[] filterParameters, string[] resultProperties, string userPassword ) – Finds the LDAP user. Optionally authenticates the user given a password. Creates a DirectoryEntry object that connects to the specified LDAP service (serverUri) using the specified credentials (adminDN and adminPassword). It creates a DirectorySearcher object to find the account (using the filterFormat and filterParameters). If the account is found, it validates that the password is correct. It returns the values requested in resultProperties. If an error occurs (including an invalid password), an exception is thrown. Refer to DirectorySearcher (and authentication types, filter format and result properties) in the .NET Framework Online help.

          LdapSearchResult

          • bool ContainsProperty( string name ) – Returns true if the specified “name” exists in the return results.
            • Re: Blueprint authentication in a domain tree
              Nikolay Karetnikov Navigator

              Thank you, David, for this input!

              Currently, the problem is solved by

                  string[] serversUri = new string[]
                  {
                      "LDAP://10.10.10.10:3268/DC=sub1,DC=domain,DC=com",
                      "LDAP://10.10.10.10:3268/DC=sub2,DC=domain,DC=com",
                      "LDAP://10.10.10.10:3268/DC=sub3,DC=domain,DC=com",
                  };

              and calling LdapSearchResult result = LdapUtils.FindLdapUser for each serversUri[i]:

                  LdapSearchResult result = null;
                  foreach (string uri in serversUri)
                  {
                      try
                      {
                          result = LdapUtils.FindLdapUser(uri, adminDn, adminPassword, authenticationType,
                                                          filterFormat, filterParameters, resultProperties, password);
                          break; // stop at the first domain where the user is found and the password validates
                      }
                      catch (Exception) { } // FindLdapUser throws when the user is not in this domain; try the next one
                  }
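A complete Authenticate() that puts together David's description of the script life-cycle (validate the Inputs first, because the function is re-entered on every terminal round-trip) and a single-search alternative to looping over the subdomains, as an added example that is not code from this thread or from Lexmark. It assumes the Blueprint objects named in David's reply, a global-catalog listener at 10.10.10.10:3268, a read-only service account svc-blueprint@paramount.com, and that an Input exposes the typed text as .Value; everything else is standard System.DirectoryServices. The design points: a network ID that exists in more than one domain is reported rather than resolved by list order, the typed ID is escaped before it goes into the LDAP filter, and only the one resolved account receives a bind attempt, so the twin account in the other domain does not accumulate failed logons from this user's mistyped passwords.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Text;

// Added example, not code from this thread or from Lexmark. The Blueprint types used
// (IAuthenticate, Inputs, Input, Identity, IdentityItem, AuthenticationHelper,
// Enumerations, IsReferId) are those described in David's reply; the server address,
// the service account, the Input.Value property and the helper names are assumptions.
public class ForestAuthenticate : IAuthenticate
{
    // Global catalog (port 3268) at the forest root: it holds a partial replica of
    // every domain in the forest, so one subtree search covers local1, local2, ...
    const string GcUri = "LDAP://10.10.10.10:3268/DC=paramount,DC=com";
    const string ServiceUpn = "svc-blueprint@paramount.com"; // assumed read-only service account
    const string ServicePassword = "password";               // placeholder; load from a secret store

    sealed class LdapAccount { public string Dn, Upn, Sam; }

    public Identity Authenticate(Inputs inputs)
    {
        // Authenticate() is re-entered each time the terminal returns with more inputs,
        // so validate first: Validate() hands control back to the terminal if anything is missing.
        Input userIdInput = new Input(AuthenticationHelper.InputUserId, "Keyboard", Enumerations.IdentifierType.Network);
        userIdInput.Prompt = "Enter Network ID (user or user@domain)";
        Input passwordInput = new Input(AuthenticationHelper.InputPassword, "Keyboard");
        passwordInput.Prompt = "Enter Password";
        passwordInput.Persist = false;
        passwordInput.Display = false;
        userIdInput.And(passwordInput).Validate(inputs);

        Input typedId, typedPassword;
        inputs.TryGetValue(AuthenticationHelper.InputUserId, out typedId);
        inputs.TryGetValue(AuthenticationHelper.InputPassword, out typedPassword);

        // .Value is an assumption: the thread does not name the property carrying the typed text.
        LdapAccount account = FindUniqueAccount(typedId.Value);
        VerifyPassword(account, typedPassword.Value);

        Identity identity = new Identity();
        identity.AddItem(new IdentityItem("NetworkId", account.Sam, Enumerations.IdentifierType.Network, IsReferId.True));
        return identity;
    }

    // One search instead of one per domain. A bare "usertwin" is matched on sAMAccountName and
    // therefore hits every domain that has such an account; "usertwin@local1.paramount.com" is
    // matched on userPrincipalName, which is unique forest-wide. Two hits are an error to
    // report, not a tie to break by list order.
    static LdapAccount FindUniqueAccount(string typedId)
    {
        string attribute = typedId.Contains("@") ? "userPrincipalName" : "sAMAccountName";
        string filter = "(&(objectCategory=person)(objectClass=user)(" + attribute + "=" + LdapFilterEscape(typedId) + "))";
        string[] wanted = { "distinguishedName", "userPrincipalName", "sAMAccountName" };

        using (DirectoryEntry root = new DirectoryEntry(GcUri, ServiceUpn, ServicePassword, AuthenticationTypes.Secure))
        using (DirectorySearcher searcher = new DirectorySearcher(root, filter, wanted, SearchScope.Subtree))
        using (SearchResultCollection results = searcher.FindAll())
        {
            if (results.Count == 0)
                throw new ApplicationException("Unknown network ID");
            if (results.Count > 1)
                throw new ApplicationException("Network ID exists in more than one domain; enter user@domain");

            ResultPropertyCollection p = results[0].Properties;
            if (p["userPrincipalName"].Count == 0)
                throw new ApplicationException("Account has no userPrincipalName to bind with");
            return new LdapAccount
            {
                Dn  = (string)p["distinguishedName"][0],
                Upn = (string)p["userPrincipalName"][0],
                Sam = (string)p["sAMAccountName"][0],
            };
        }
    }

    // Bind as the one resolved account. AuthenticationTypes.Secure goes through SSPI
    // (Kerberos/NTLM), so the password is not sent as a cleartext simple bind, and only this
    // account sees the logon attempt: a twin in another domain cannot be locked out from here.
    static void VerifyPassword(LdapAccount account, string password)
    {
        if (string.IsNullOrEmpty(password))
            throw new ApplicationException("Empty password"); // never let an empty bind pass as anonymous
        // The GC holds the object, so the bind path can use the DN returned by the search
        // (a DN containing '/' would need escaping in the ADsPath first).
        string path = "LDAP://10.10.10.10:3268/" + account.Dn;
        try
        {
            using (DirectoryEntry bind = new DirectoryEntry(path, account.Upn, password,
                                                            AuthenticationTypes.Secure | AuthenticationTypes.Sealing))
            {
                object forceBind = bind.NativeObject; // the bind happens here; bad credentials throw
            }
        }
        catch (COMException)
        {
            throw new ApplicationException("Invalid credentials");
        }
    }

    // RFC 4515 escaping for values placed in an LDAP filter, so a typed ID such as
    // "*)(objectClass=*" cannot widen the search.
    static string LdapFilterEscape(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }
}
```

If users cannot be expected to type user@domain, the same structure still works with a second Input that asks which domain they belong to (a Choice over the subdomain names), appended as the UPN suffix before the search; what should not be done is the "first match wins" shortcut asked about in the original question, because FindLdapUser validates the password against whichever account it finds first, which both hides the collision and sends this user's password to the wrong account.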