Visus.LdapAuthentication 1.8.0

.NET 5.0
There is a newer version of this package available.
See the version list below for details.
dotnet add package Visus.LdapAuthentication --version 1.8.0
NuGet\Install-Package Visus.LdapAuthentication -Version 1.8.0
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package.
<PackageReference Include="Visus.LdapAuthentication" Version="1.8.0" />
For projects that support PackageReference, copy this XML node into the project file to reference the package.
paket add Visus.LdapAuthentication --version 1.8.0
#r "nuget: Visus.LdapAuthentication, 1.8.0"
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package.
// Install Visus.LdapAuthentication as a Cake Addin
#addin nuget:?package=Visus.LdapAuthentication&version=1.8.0

// Install Visus.LdapAuthentication as a Cake Tool
#tool nuget:?package=Visus.LdapAuthentication&version=1.8.0

ASP.NET Core LDAP Authentication Middleware

Build Status Visus.LdapAuthenticationVersion

This library implements middleware for ASP.NET Core that enables authenticating users against LDAP directories like Active Directory via an LDAP bind. The library is using Novell's C#-only LDAP library rather than the Windows-only DirectoryServices and is therefore running on Windows and Linux.

Built-in user objects are automatically mapped to Active Directory attributes and include commonly used claims like user name, actual names, e-mail addresses and group memberships. If necessary, you can also provide your own user object that uses a completely different mapping of LDAP attributes to claims.


Add the authentication service

The authenication functionality is added in ConfigureServices via the following statements:

public void ConfigureServices(IServiceCollection services) {
    // ...
    // Add LDAP authentication with default LdapUser object.
        var options = new LdapOptions();
    // ...

The above code uses the default LdapUser object from the library, which provides the most commonly used user claims. If you need additional claims or differently mapped claims, you can create your own user class either by inheriting from LdapUserBase and customising its behaviour or by implementing ILdapUser from scratch. The configuration would look like the following in this case:

public void ConfigureServices(IServiceCollection services) {
    // ...
    // Add LDAP authentication with customised user object.
        var options = new LdapOptions();
    // ...

Configure the LDAP server

The configuration section can have any name of your choice as long as it can be bound to LdapConfiguration. Alternatively, you can use your own implementation of ILdapConfiguration. The following example illustrates a fairly minimal configuration for an Active Directory using SSL, but no certificate validation (this is what you would use for development purposes):

    "LdapConfiguration": {
        "Server": "",
        "SearchBase": "DC=your-domain,DC=de",
        "Schema": "Active Directory",
        "IsRecursiveGroupMembership": true,
        "Port": 636,
        "IsSsl": true,
        "IsNoCertificateCheck": true

Authenticate a user

Once configured, the middleware can be used in controllers to implement cookie-based or JWT-based authorisation. An example for a cookie-based login method looks like:

// Inject ILdapAuthenticationService to _authService field in constructor.

public async Task<ActionResult<ILdapUser>> Login([FromForm] string username, [FromForm] string password) {
    try {
        var retval = this._authService.Login(username, password);
        await this.HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, retval.ToClaimsPrincipal(CookieAuthenticationDefaults.AuthenticationScheme));
        return this.Ok(retval);
    } catch {
        return this.Unauthorized();

Customising the user object

The built-in LdapUser object provides a reasonably mapping of attributes in an Active Directory to user claims. There are two ways you can customise this behaviour.

The first one is by inheriting from LdapUserBase, which actually implements all of the behaviour of LdapUser. This way enables you to inherit most of this behaviour and override the mapping on a per-property base. As the mapping configured via attributes is not inherited, you can simply override a property and attach a new mapping like this:

public sealed class CustomApplicationUser : LdapUserBase {

    /// <summary>
    /// The user's account name.
    /// </summary>
    /// <remarks>
    /// Here, the &quot;userPrincipalName&quot; is used instead of
    /// &quot;sAMAccountName&quot; used by <see cref="LdapUser" />. Furthermore,
    /// only the <see cref="ClaimTypes.WindowsAccountName" /> claim is set to
    /// this property, whereas <see cref="LdapUser" /> also sets
    /// <see cref="ClaimTypes.Name" />. All other attribute mappings and claim
    /// mappings are inherited from <see cref="LdapUserBase" /> and therefore
    /// behave like the default <see cref="LdapUser" />.
    /// </remarks>
    [LdapAttribute(Schema.ActiveDirectory, "userPrincipalName")]
    public override string AccountName => base.AccountName;

If you need an even higher level of customisation, you can provide a completely new implementation of ILdapUser and fully control the whole mapping of LDAP attributes to properties and claims. Before doing so, you should also consider whether you can achieve your goals by overriding one or more of LdapUserBase.AddGroupClaims and LdapUserBase.AddPropertyClaims.

Searching users

In some cases, you might want to search users objects without authenticating the user of your application. One of these cases might be restoring the user object from the claims stored in a cookie. A service account specified in ILdapOptions.User with a password stored in ILdapOptions.Password can be used in conjuction with a ILdapSearchService to implement such a behaviour. First, configure the service:

public void ConfigureServices(IServiceCollection services) {
    // ...
    // Add LDAP search service using service account.
        var options = new LdapOptions();
    // ...

Assuming that you have the embedded the user SID in the claims of an authentication cookie, you then can restore the user object from the cookie as follows:

// Inject ILdapSearchService to _ldapSearchService field in constructor.

public ActionResult<ILdapUser> GetUser() {
    if (this.User != null) {
        // Determine the claims we know that the authentication service has
        // stored the SID to.
        var claims = ClaimAttribute.GetClaims<LdapUser>(nameof(LdapUser.Identity));

        // Return the first valid SID that allows for reconstructing the user.
        foreach (var c in claims) {
            var sid = this.User.FindFirstValue(c);
            if (!string.IsNullOrEmpty(sid)) {
                var retval = this._ldapSearchService.GetUserByIdentity(sid);

                if (retval != null) {
                    return this.Ok(retval);

    // If something went wrong, we assume that the (anonymous) user must not
    // access the user details.
    return this.Unauthorized();
Product Compatible and additional computed target framework versions.
.NET net5.0 is compatible.  net5.0-windows was computed.  net6.0 was computed.  net6.0-android was computed.  net6.0-ios was computed.  net6.0-maccatalyst was computed.  net6.0-macos was computed.  net6.0-tvos was computed.  net6.0-windows was computed.  net7.0 was computed.  net7.0-android was computed.  net7.0-ios was computed.  net7.0-maccatalyst was computed.  net7.0-macos was computed.  net7.0-tvos was computed.  net7.0-windows was computed. 
Compatible target framework(s)
Additional computed target framework(s)
Learn more about Target Frameworks and .NET Standard.

NuGet packages

This package is not used by any NuGet packages.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version Downloads Last updated
1.11.0 141 9/11/2023
1.10.0 209 8/29/2023
1.9.0 236 8/4/2023
1.8.0 478 5/7/2023
1.7.1 147 4/28/2023
1.7.0 108 4/28/2023
1.6.0 148 4/26/2023
1.5.0 2,341 5/19/2021
1.4.0 286 4/27/2021
1.3.0 261 4/27/2021
1.2.1 264 4/5/2021
1.1.0 289 4/3/2021
1.0.0 306 4/3/2021

Added the ability to set the authentication type of claims identities/principals created by the extension methods.