This project is read-only.

edirAuth is a .NET library for LDAP authentication to NetIQ © (formerly Novell©) eDirectory. If you are a NetIQ Identity Management user you are probably using eDirectory for authentication in some way and this library can be plugged into your ASP.NET or other application.

To use this library add edirAuth.dll as a resource to your project. You also need to add Novell.Directory.Ldap.dll and Mono.Security.dll. The Novell LDAP library uses the Mono security library to implement LDAPS.

Here is an example:

//Instantiate the EdirAuthorizer object
EdirAuthorizer edirAuthorizer = new EdirAuthorizer("myServer", 636, "cn=authUser,ou=sa,o=system", "myPassword", "ou=users,o=data", "uid");
//Authenticate the user.
AuthInfo authInfo = auth.authenticate("my_uid", "password");
  Console.WriteLine("login success");
  Console.WriteLine("login fail");


How to get the Novell Lib

Download the LDAP Libraries for C#. Extract Novell.Directory.Ldap.dll and add it to your project.

How to setup Mono for LDAPS

Download and install Mono 
Get a cert from eDirectory in DER format 
Add the cert to the Mono trusted root store

CD C:\Program Files\Mono-2.10.8\bin \
certmgr -add -c Trust c:\myServer.cer



How to use edirAuth

First call the EdirAuthorizer constructor passing in these parameters:

  • LDAP server name and port
  • The distinguished name (DN) and password of the user that will bind to eDirectory and authorize users.
  • The search base (ex: ou=users,o=data) in the eDirectory tree of the uses that you will authenticate.
  • The name of the attribute that users will supply identify themselves. This attribute is often "uid", but some organizations use a custom attribute (ex: xyzcoLoginID). edirAuth does an LDAP lookup to find the object in eDirectory so it can verify the password and check restrictions .

Next call the EdirAuthorizer authenticate(user, pass) method, then check the allowLogin property of the AuthInfo object returned by the authenticate() method. If allowLogin = true then the password was correct and loginDisabled, lockedByIntruder, loginExpirationTime were verified. The AuthInfo also has properties that can tell you why authentication failed/succeeded. AuthInfo has the properties below which have result code and desc properties.


A console application is included. To use it first edit the app.config file as needed. Then run the edirAuthConsole.exe <username> <password> and parse the output as needed to get your results.

edirAuthConsole.exe someUID somePassword


Unit Tests

The unit test are designed around specific test accounts. You can create all the test accounts in eDirectory needed for the unit tests by importing the .ldif file included in the project and setting the passwords. The ldif file defines accounts that are loginDisabled, lockedByIntruder, expired, or free from restrictions. You can change the accounts so long as the app.config in the test project can be updated to reflect the changes in the accounts. The edirAuthTests app.config file has a section that defines the test accounts and passwords, test bind user and password, plus other values needed for unit tests.

Additional Info

edirAuth was tested against eDirectory 8.8.6. If you do not have this version you can download it here. 
"Connection.freeWriteSemaphore(-2): semaphore not owned by any thread" means that the server cannot be found. Double check your server name.

Last edited Jul 24, 2013 at 1:25 PM by Hill5Air, version 7


No comments yet.