From RiskWiki

Active Directory support through ADSI interface

Language: Delphi 7 - 2007


Provides Active Directory support for login and password authentication using one of two modes, bpcADSIWinNT (WinNT lookup) or bpcADSILdap (LDAP lookup), as well as discovery of the current user. This component will work in a DLL loaded on a server as well as in a desktop application.

Registers the TbpcADSI component in the Delphi IDE.

Example Canonical Strings:

(Used for LDAP authentication): CN=Fred,DC=bishopphillips,DC=com


  • IF FAuthMode=bpcADSILdap:
  Use where user accounts have bad-login lockout enabled.

While WinNT could do the entire access check and return the user object in one step given the username and password, it tries Kerberos first and, if that fails, falls back to NT authentication. A bad password therefore receives at least two, possibly three, login attempts, which trips the account lockout under normal lockout settings. So we have to use LDAP to test the password, BUT you cannot reach the user object in AD over LDAP without knowing its canonical name (full distinguished name), so having only the username is insufficient. Instead we bind to the Users container over LDAP with the username and password to authenticate, and if that succeeds we use WinNT (with either the cached LDAP login or the launching user's login; it is not certain whether WinNT can see LDAP caches) to access the user object.

  • IF FAuthMode=bpcADSIWinNT:
  Use where user accounts DO NOT have bad-login lockout enabled. Uses WinNT only (faster).
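A worked sketch of the two-step check described under bpcADSILdap above: one LDAP bind to the Users container verifies the password with a single attempt, then the WinNT provider reads the account flags by domain and account name alone. This is an added example, not the component's own source; it assumes the adshlp.pas declarations of ADsOpenObject and ADsGetObject take PWideChar strings and an untyped out interface, and that the caller supplies the Users container DN (for the example domain, CN=Users,DC=bishopphillips,DC=com).

```delphi
uses SysUtils, Windows, ActiveX, ActiveDs_TLB, adshlp;

const
  ADS_SECURE_AUTHENTICATION = $00000001; // iads.h
  ADS_UF_PASSWD_CANT_CHANGE = $00000040; // UserFlags bits, iads.h
  ADS_UF_DONT_EXPIRE_PASSWD = $00010000;

type
  TAccountState = record
    Disabled, LockedOut, PwdExpired, PwdNeverExpires, PwdCannotChange: boolean;
  end;

// Step 1: a single LDAP bind with the supplied credentials. A wrong password
// costs one bad-password count; a WinNT bind may try Kerberos then NT.
function LdapPasswordOk(const Domain, UserName, Password, UsersContainer: string): boolean;
var Container: IADsContainer;
begin
  // Assumed adshlp signature: PWideChar path/user/password, untyped out interface
  Result := Succeeded(ADsOpenObject(
    PWideChar(WideString('LDAP://' + UsersContainer)),
    PWideChar(WideString(Domain + '\' + UserName)),
    PWideChar(WideString(Password)),
    ADS_SECURE_AUTHENTICATION, IADsContainer, Container));
end;

// Step 2: password already verified, so read the flags via WinNT (no DN needed).
function WinNTAccountState(const Domain, UserName: string; out State: TAccountState): boolean;
var
  User: IADsUser;
  Flags: integer;
begin
  Result := Succeeded(ADsGetObject(
    PWideChar(WideString('WinNT://' + Domain + '/' + UserName + ',user')), IADsUser, User));
  if not Result then Exit;
  State.Disabled := User.AccountDisabled;
  State.LockedOut := User.IsAccountLocked;
  State.PwdExpired := User.Get('PasswordExpired') <> 0; // WinNT provider property
  Flags := User.Get('UserFlags');
  State.PwdNeverExpires := (Flags and ADS_UF_DONT_EXPIRE_PASSWD) <> 0;
  State.PwdCannotChange := (Flags and ADS_UF_PASSWD_CANT_CHANGE) <> 0;
end;

// Caller must have run CoInitialize(nil) on this thread. Accept the login only
// when the password verifies and the account is actually usable.
function LoginOk(const Domain, UserName, Password, UsersContainer: string): boolean;
var State: TAccountState;
begin
  Result := LdapPasswordOk(Domain, UserName, Password, UsersContainer)
    and WinNTAccountState(Domain, UserName, State)
    and not (State.Disabled or State.LockedOut or State.PwdExpired);
end;
```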

uses SysUtils, Classes, ActiveX, Windows, Types, ComCtrls, ExtCtrls, ActiveDs_TLB, adshlp, oleserver, Variants;

type
  TbpcADPassword = record
    Expired: boolean;
    NeverExpires: boolean;
    CannotChange: boolean;
  end;

  TbpcADSIUserInfo = record
    UID: string;
    UserName: string;
    Description: string;
    Password: TbpcADPassword;
    Disabled: boolean;
    LockedOut: boolean;
    Groups: string; // CSV list of group names
  end;

  TbpcADSIAuthMode = ( bpcADSIWinNT, bpcADSILdap );

  TbpcADSI = class(TComponent)
  private
    { Private declarations }
    FUserName:  string;
    FPassword:  string;
    FCurrentUser: string;
    FCurrentDomain: string;
    FAuthMode : TbpcADSIAuthMode;
    FLDAPCanonical : string;

    function GetCurrentUserName: string;
    function GetCurrentDomain: string;
  protected
    { Protected declarations }
    AnonWinNTError : boolean;
  public
    { Public declarations }
    constructor Create(AOwner: TComponent); override;
    destructor Destroy; override;

    property CurrentUserName: string read FCurrentUser;
    property CurrentDomain: string read FCurrentDomain;

    function GetUser(Domain, UserName: string; var ADSIUser: TbpcADSIUserInfo): boolean;
    function Authenticate(Domain, UserName, Group: string): boolean;
  published
    { Published declarations }
    property LoginUserName: string read FUserName write FUserName;
    property LoginPassword: string read FPassword write FPassword;
    property LDAPCanonical : string read FLDAPCanonical write FLDAPCanonical;
    property AuthMode : TbpcADSIAuthMode read FAuthMode write FAuthMode;
  end;

// Registers TbpcADSI in the Delphi IDE component palette
procedure Register;