LdapDirectoryAccountStore Class


Specifies properties about connecting to, authenticating users against, and generating claims from an LDAP-based account store. As a top level member of the TrustPolicy’s TrustedAccountStores collection, it represents an ADAM account store. As a property of an ActiveDirectoryAccountStore object it specifies LDAP-related configuration for Active Directory.

Namespace:   System.Web.Security.SingleSignOn
Assembly:  System.Web.Security.SingleSignOn (in System.Web.Security.SingleSignOn.dll)

public sealed class LdapDirectoryAccountStore : AccountStore


Initializes a new instance of the LdapDirectoryAccountStore class.


Gets or sets whether the trust with this realm is disabled. When set, no tokens will be accepted from this partner.(Inherited from TrustPolicyEntryBase.)


LdapBaseDN
Gets or sets the distinguished name of the base object from which searches for user objects are conducted. Searches include all subtrees of the base object.


LdapBindObjectDN
Gets or sets the distinguished name of an object to which to bind in order to validate user credentials. This property must be null for Active Directory.


LdapClaimGeneration
Gets or sets an LdapClaimGeneration object, which specifies how to generate claims from user object attributes.


Gets or sets the port number to use for LDAP network requests. Defaults to 389, the standard unencrypted LDAP port; a server listening for LDAP over SSL conventionally uses 636, so check this value whenever SSL is enabled. This property must be null for Active Directory.


Gets or sets the host name to use for LDAP network requests. This property must be null for Active Directory.


LdapUsernameAttrib
Gets or sets the name of the LDAP attribute that contains the user name of authenticating users.


Gets or sets the display name for this TrustPolicyEntry.(Inherited from TrustPolicyEntry.)


Gets or sets the Uri for this TrustPolicyEntry.(Inherited from TrustPolicyEntry.)


Gets or sets a Boolean that indicates whether to use a Secure Sockets Layer (SSL) connection. true indicates that SSL will be used, false indicates SSL will not be used. Because the user's password is sent to the directory in a simple bind (see Remarks), leaving this false sends that password across the network in cleartext.


Gets or sets the universal unique identifier (UUID) for this TrustPolicyEntryBase object.(Inherited from TrustPolicyEntryBase.)


(Inherited from Object.)


(Inherited from Object.)


(Inherited from Object.)


(Inherited from Object.)

The LdapDirectoryAccountStore class is part of the Federation Service’s trust policy configuration.

To authenticate username/password credentials against an ADAM account store, the following sequence of events occurs:

  1. The Federation Service establishes an authenticated connection by performing a secure bind to the distinguished name specified by the LdapBaseDN property, using the default credentials of the Federation Service application pool.

  2. Using the authenticated connection, the Federation Service locates the user object for the authenticating user by performing a subtree search for an object whose user name attribute, specified by the LdapUsernameAttrib property, matches the user name in the credentials.

  3. The Federation Service attempts a simple bind using the DN found in step 2 and the password from the credentials, against the DN specified by the LdapBindObjectDN property if it is set, or otherwise against the DN specified by the LdapBaseDN property.

  4. If step 3 succeeds, the user is authenticated, and attributes are extracted from the user object found in step 2 as specified by the LdapClaimGeneration object.
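The four steps above, as an added example that is not the Federation Service's own code: a Python re-implementation of the search-then-bind flow against a constructed in-memory directory, with the checks a practitioner wants around it (the user name is escaped per RFC 4515 before it enters the search filter, exactly one match is required, the empty password that turns a simple bind into an anonymous bind is rejected, and no simple bind is attempted over a non-SSL connection). The directory contents, the STORE settings, FakeLdapConnection and authenticate are all assumptions made for illustration.

```python
import re

# Constructed sample directory (an assumption for this example):
# DN -> (attributes, password). The service account stands in for the
# Federation Service application pool identity used in step 1.
SAMPLE_DIRECTORY = {
    "CN=adfs-svc,OU=Service,O=Example": ({"cn": "adfs-svc"}, "svc-secret"),
    "CN=alice,OU=Users,O=Example": (
        {"userPrincipalName": "alice@example.com", "department": "Finance"},
        "correct horse battery staple",
    ),
    "CN=bob,OU=Users,O=Example": (
        {"userPrincipalName": "bob@example.com", "department": "IT"},
        "hunter2",
    ),
}

# Mirrors the LdapBaseDN, LdapUsernameAttrib and LdapClaimGeneration settings.
STORE = {
    "base_dn": "OU=Users,O=Example",
    "username_attrib": "userPrincipalName",
    "claims": {"department": "Department"},  # LDAP attribute -> claim type
    "service_dn": "CN=adfs-svc,OU=Service,O=Example",
    "service_password": "svc-secret",
}


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter, so a
    user name such as '*' is matched literally instead of as a wildcard."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


class FakeLdapConnection:
    """Stand-in for an LDAP client (assumed for the example). Understands a
    single '(attr=value)' filter, where an unescaped '*' is a wildcard and
    escaped characters are literal, exactly as a real server would."""

    _FILTER = re.compile(r"^\((\w+)=(.*)\)$")

    def __init__(self, directory, use_ssl):
        self.directory = directory
        self.use_ssl = use_ssl
        self.bound_as = None

    def simple_bind(self, dn, password):
        # RFC 4513 calls a DN with an empty password an unauthenticated bind;
        # servers that allow it (historically including Active Directory)
        # answer success for an anonymous session. The fake does the same, so
        # the caller's empty-password check is what prevents the bypass.
        if password == "":
            self.bound_as = None
            return True
        entry = self.directory.get(dn)
        if entry is None or entry[1] != password:
            return False
        self.bound_as = dn
        return True

    def subtree_search(self, base_dn, ldap_filter):
        """Return (dn, attributes) for entries under base_dn matching the filter."""
        if self.bound_as is None:
            raise PermissionError("search requires an authenticated bind (step 1)")
        m = self._FILTER.match(ldap_filter)
        if not m:
            raise ValueError("unsupported filter: %r" % ldap_filter)
        attr, raw = m.group(1), m.group(2)
        # A raw '*' separates wildcard segments; escaped characters are literal.
        pieces = [re.escape(unescape_filter_value(p)) for p in raw.split("*")]
        rx = re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE)
        suffix = base_dn.lower()
        return [(dn, attrs) for dn, (attrs, _pw) in self.directory.items()
                if dn.lower().endswith(suffix) and attr in attrs
                and rx.match(attrs[attr])]


def authenticate(store, connect, username, password):
    """Run the four steps. Returns (ok, user_dn_or_reason, claims)."""
    service_conn = connect()
    # Step 3 sends the user's password in a simple bind: refuse to do that in
    # cleartext, and refuse the empty password that makes the bind anonymous.
    if not service_conn.use_ssl:
        return False, "refusing simple bind without SSL", {}
    if password == "":
        return False, "empty password", {}
    # Step 1: authenticated connection using the service's own credentials.
    if not service_conn.simple_bind(store["service_dn"], store["service_password"]):
        return False, "service bind failed", {}
    # Step 2: subtree search from the base DN on the user name attribute, with
    # the user-supplied value escaped before it is placed in the filter.
    ldap_filter = "(%s=%s)" % (store["username_attrib"], escape_filter_value(username))
    matches = service_conn.subtree_search(store["base_dn"], ldap_filter)
    if len(matches) != 1:
        return False, "expected exactly one user object, found %d" % len(matches), {}
    user_dn, attrs = matches[0]
    # Step 3: simple bind as the DN found in step 2 with the supplied password.
    if not connect().simple_bind(user_dn, password):
        return False, "user bind failed", {}
    # Step 4: claims are generated from the attributes of the object from step 2.
    claims = {claim: attrs[attr] for attr, claim in store["claims"].items() if attr in attrs}
    return True, user_dn, claims
```

Calling subtree_search directly with the unescaped filter (userPrincipalName=*) returns every user under the base DN, whereas authenticate escapes a user name of "*" to \2a, which matches only a literal asterisk and therefore finds no user; the exactly-one-match check is the second line of defence if the filter were ever built without escaping.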

The following properties must be null when the LdapDirectoryAccountStore is part of an ActiveDirectoryAccountStore: LdapBindObjectDN, the LDAP port number, and the LDAP host name (see the property descriptions above).

These properties are optional for Active Directory:

Any public static ( Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.

