Using AzMan to provide role membership in ASP.NET

The membership services provided in ASP.NET are very rich and flexible. As part of that flexibility they allow you to store the identities and roles of your web site users in a variety of providers, typically SQL Server or Active Directory.

What if the requirements of your application make it so that the best place for the identities is an LDAP repository, but you don’t want Active Directory? Well, Windows Server provides a role called AD LDS – Active Directory Lightweight Directory Services. Basically an LDAP repository with some Active Directory capabilities.

Creating and authenticating users in an ASP.NET application works mostly out of the box simply by changing the provider to Active Directory and pointing it at the AD LDS instance; however, when it comes to authorization the story is very different. The role provider that comes with the Framework just doesn’t work: it was made for ADAM, the previous version of AD LDS.

The best implementation guide is the one from MSDN:

http://msdn.microsoft.com/en-us/library/ms998331.aspx

Following that guide you will get AD LDS and authentication working. For authorization the best post I found is this:

http://tonesdotnetblog.wordpress.com/2010/02/26/how-to-use-asp-net-membership-and-role-providers-with-adlds-adam-with-code/

This solution almost works, however there are a couple of defects in the source code that will fail at runtime, and since the real work is done via COM interop the error messages don’t help very much.

The defects have to do with the fact that the connection string is never really obtained from the app.config / web.config. The way the code was written makes it so the connection string used is always the one in the source code, regardless of what is in the web.config.

The following source code is mostly the same as the code from the page above, but it implements the Initialize method to read the connection string from the web.config.

Source Code AzManRoleProvider.cs
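To make the fix concrete, here is an added example (not the original post’s AzManRoleProvider.cs, and not code from the linked blog) of a minimal AzMan-backed RoleProvider whose Initialize method resolves the connection string by name from the `<connectionStrings>` section instead of hard-coding it. It assumes a reference to the AzMan COM interop assembly (Microsoft.Interop.Security.AzRoles); the attribute names `connectionStringName` and `applicationName`, the store URL, and the use of InitializeClientContextFromName for the role lookup are assumptions of this example, and the role-management methods are left unsupported because roles are administered in the AzMan console.

```csharp
using System;
using System.Collections.Specialized;
using System.Configuration;
using System.Configuration.Provider;
using System.Web.Security;
using Microsoft.Interop.Security.AzRoles; // AzMan COM interop (assumed reference)

// Expected web.config (constructed example values):
//
// <connectionStrings>
//   <add name="AzManStore"
//        connectionString="msldap://ldshost:389/CN=AzManStore,DC=example,DC=local" />
// </connectionStrings>
// <roleManager enabled="true" defaultProvider="AzManRoleProvider">
//   <providers>
//     <add name="AzManRoleProvider" type="AzManRoleProvider"
//          connectionStringName="AzManStore" applicationName="MyWebApp" />
//   </providers>
// </roleManager>
public class AzManRoleProvider : RoleProvider
{
    private string _connectionString; // read from web.config, never hard-coded
    private string _applicationName;

    public override void Initialize(string name, NameValueCollection config)
    {
        if (config == null) throw new ArgumentNullException("config");
        if (string.IsNullOrEmpty(name)) name = "AzManRoleProvider";
        base.Initialize(name, config);

        // The defect described above: the provider must look the connection
        // string up by name from <connectionStrings>, not use a literal.
        string csName = config["connectionStringName"];
        if (string.IsNullOrEmpty(csName))
            throw new ProviderException("connectionStringName attribute is required.");

        ConnectionStringSettings cs = ConfigurationManager.ConnectionStrings[csName];
        if (cs == null || string.IsNullOrEmpty(cs.ConnectionString))
            throw new ProviderException("Connection string '" + csName + "' not found in <connectionStrings>.");
        _connectionString = cs.ConnectionString;

        _applicationName = config["applicationName"];
        if (string.IsNullOrEmpty(_applicationName))
            throw new ProviderException("applicationName attribute is required.");

        // Fail fast on unknown attributes so a typo in web.config is not silently ignored.
        config.Remove("connectionStringName");
        config.Remove("applicationName");
        if (config.Count > 0)
            throw new ProviderException("Unrecognised attribute: " + config.GetKey(0));
    }

    public override string ApplicationName
    {
        get { return _applicationName; }
        set { _applicationName = value; }
    }

    // Opens the AzMan application inside the configured store (flags 0 = open existing store).
    private IAzApplication OpenApplication()
    {
        AzAuthorizationStoreClass store = new AzAuthorizationStoreClass();
        store.Initialize(0, _connectionString, null);
        return store.OpenApplication(_applicationName, null);
    }

    public override string[] GetRolesForUser(string username)
    {
        if (string.IsNullOrEmpty(username)) throw new ArgumentException("username");
        IAzApplication app = OpenApplication();
        // Assumed usage: build the client context by name, then ask for application-level roles.
        IAzClientContext ctx = app.InitializeClientContextFromName(username, null, null);
        object[] raw = (object[])ctx.GetRoles("");
        string[] roles = new string[raw.Length];
        for (int i = 0; i < raw.Length; i++) roles[i] = (string)raw[i];
        return roles;
    }

    public override bool IsUserInRole(string username, string roleName)
    {
        return Array.IndexOf(GetRolesForUser(username), roleName) >= 0;
    }

    public override string[] GetAllRoles()
    {
        IAzApplication app = OpenApplication();
        IAzRoles azRoles = app.Roles;
        string[] names = new string[azRoles.Count];
        for (int i = 0; i < azRoles.Count; i++) names[i] = azRoles[i + 1].Name; // AzMan collections are 1-based
        return names;
    }

    public override bool RoleExists(string roleName)
    {
        return Array.IndexOf(GetAllRoles(), roleName) >= 0;
    }

    // Role administration is done in the AzMan console, not through the provider.
    public override void CreateRole(string roleName) { throw new NotSupportedException(); }
    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotSupportedException(); }
    public override void AddUsersToRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    public override string[] GetUsersInRole(string roleName) { throw new NotSupportedException(); }
    public override string[] FindUsersInRole(string roleName, string usernameToMatch) { throw new NotSupportedException(); }
}
```

The point of the extra checks in Initialize is that a misconfigured provider fails at application start with a readable ProviderException, rather than surfacing later as an opaque COM error from the AzMan store when the hard-coded or missing connection string is first used.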