Re: DirectorySearcher - SearchResult - User Groups
From: George Durzi (gdurzi_at_hotmail.com)
Date: 12/16/04
- Previous message: Joe Kaplan \(MVP - ADSI\): "Re: DirectorySearcher - SearchResult - User Groups"
- In reply to: Joe Kaplan \(MVP - ADSI\): "Re: DirectorySearcher - SearchResult - User Groups"
- Next in thread: Joe Kaplan \(MVP - ADSI\): "Re: DirectorySearcher - SearchResult - User Groups"
- Reply: Joe Kaplan \(MVP - ADSI\): "Re: DirectorySearcher - SearchResult - User Groups"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 16 Dec 2004 10:00:57 -0700
Joe,
I looked up tokenGroups, and they definitely look like a better way to
determine group membership. In the meantime, I've gotten my othercode to
work.
I consolidated the authentication, and the membership checking into the same
function. Because, as you mentioned, the second search isn't really
necessary at all.
Here's my function:
public string IsAuthenticatedGetGroups (string Domain, string UserName,
string Password)
{
string sGroups = string.Empty;
string DomainUserName = string.Concat(Domain, @"\", UserName);
try
{
DirectoryEntry oDE = new DirectoryEntry(
_path, // LDAP Connect String
DomainUserName, // User
Password, // Password
AuthenticationTypes.Secure); // Authentication Type
Object oNativeObject = oDE.NativeObject;
DirectorySearcher oDS = new DirectorySearcher(oDE);
oDS.Filter = string.Concat("(&(objectClass=user)(SAMAccountName=",
UserName, "))");
oDS.PropertiesToLoad.Add("CN");
oDS.PropertiesToLoad.Add("memberOf");
SearchResult oSR = oDS.FindOne();
if (null == oSR)
return string.Empty;
else
{
if (oSR.Properties["memberOf"] == null)
return string.Empty;
else
{
int iPropertyCount = oSR.Properties["memberOf"].Count;
StringBuilder sbGroupNames = new StringBuilder();
string dn;
int equalsIndex, commaIndex;
for (int i = 0; i < iPropertyCount; i++)
{
dn = (string)oSR.Properties["memberOf"][i];
equalsIndex = dn.IndexOf("=", 1);
commaIndex = dn.IndexOf(",", 1);
if (-1 == equalsIndex) return string.Empty;
sbGroupNames.Append(dn.Substring((equalsIndex + 1), (commaIndex -
equalsIndex) - 1));
sbGroupNames.Append("|");
}
sGroups = sbGroupNames.ToString();
}
}
}
catch (Exception)
{
return string.Empty;
}
return sGroups;
}
"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
in message news:eInuyX44EHA.2608@TK2MSFTNGP10.phx.gbl...
> You probably want the DN for your search root to be the domain root, which
> is likely to be:
> DC=corp,DC=isacorp,DC=com
>
> The search below uses the actual user's DN (making the search not really
> necessary at all), so it would need to be base-level if you were going to
> do that.
>
> That said, I don't recommend the approach suggested by that article for
> getting group membership. I think you should consider using tokenGroups
> instead to discover security group membership. If you do some Google
> groups searches on tokenGroups, you should see some samples.
>
> Joe K.
>
> "George Durzi" <gdurzi@hotmail.com> wrote in message
> news:OVaffC44EHA.1596@tk2msftngp13.phx.gbl...
>> Hi,
>> I'm having trouble fetching the AD groups a user belongs to after
>> authenticating them against Active Directory. My code is based on the How
>> To for using Forms Authentication to authenticate against AD
>> (http://support.microsoft.com/default.aspx?scid=kb;en-us;326340)
>>
>> LDAP ConnectString:
>> LDAP://VN-SRV-DC01.corp.isacorp.com/DC=corp,DC=isacorp,DC=com
>> Domain Name: VN-SRV-DC01.corp.isacorp.com
>>
>> Initially, when I use the DirectorySearcher to find cn=gdurzi, the path
>> of the results is:
>> LDAP://VN-SRV-DC01.corp.isacorp.com/CN=gdurzi,CN=Users,DC=corp,DC=isacorp,DC=com
>>
>> My code does the following to get the users groups does the following:
>>
>> DirectorySearcher oDS = new
>> DirectorySearcher("LDAP://VN-SRV-DC01.corp.isacorp.com/CN=gdurzi,CN=Users,DC=corp,DC=isacorp,DC=com");
>> oDS.Filter ="(cn=gdurzi)";
>> oDS.PropertiesToLoad.Add("memberOf");
>> try {
>> SearchResult oSR = oDS.FindOne();
>>
>> I get an Exception on the call to FindOne. "The specified domain either
>> does not exist or could not be contacted"
>>
>> After binding to the VN-SRV-DC01.corp.isacorp.com domain in ldp.exe, I
>> can do a search for cn=gdurzi successfully by using a Base DN of:
>> CN=Users,DC=corp,DC=isacorp,DC=com
>>
>> ***Searching...
>> ldap_search_s(ld, "CN=Users,DC=corp,DC=isacorp,DC=com", 1, "CN=gdurzi",
>> attrList, 0, &msg)
>> Result <0>: (null)
>> Matched DNs:
>> Getting 1 entries:
>>>> Dn: CN=gdurzi,CN=Users,DC=corp,DC=isacorp,DC=com
>> 4> objectClass: top; person; organizationalPerson; user;
>> 1> cn: gdurzi;
>> 1> distinguishedName: CN=gdurzi,CN=Users,DC=corp,DC=isacorp,DC=com;
>> 1> name: gdurzi;
>> 1> canonicalName: corp.isacorp.com/Users/gdurzi;
>>
>>
>> If I open the enterprise tree in ldp.exe and find my cn, here's what I
>> get:
>>
>> Expanding base 'CN=gdurzi,CN=Users,DC=corp,DC=isacorp,DC=com'...
>> Result <0>: (null)
>> Matched DNs:
>> Getting 1 entries:
>>>> Dn: CN=gdurzi,CN=Users,DC=corp,DC=isacorp,DC=com
>> 4> objectClass: top; person; organizationalPerson; user;
>> 1> cn: gdurzi;
>> 1> sn: Durzi;
>> 1> givenName: George;
>> 1> distinguishedName: CN=gdurzi,CN=Users,DC=corp,DC=isacorp,DC=com;
>> 1> instanceType: 4;
>> 1> whenCreated: 11/24/2004 22:38:51 US Mountain Standard Time US Mountain
>> Standard Time;
>> 1> whenChanged: 12/16/2004 7:58:12 US Mountain Standard Time US Mountain
>> Standard Time;
>> 1> displayName: George Durzi;
>> 1> uSNCreated: 8471;
>> 2> memberOf: CN=FrameworkAdmins,CN=Users,DC=corp,DC=isacorp,DC=com;
>> CN=Remote Desktop Users,CN=Builtin,DC=corp,DC=isacorp,DC=com;
>> 1> uSNChanged: 349743;
>> 1> name: gdurzi;
>> 1> objectGUID: 2975a92e-fb4b-4141-a0de-482dca83d95b;
>> 1> userAccountControl: 0x10200;
>> 1> badPwdCount: 0;
>> 1> codePage: 0;
>> 1> countryCode: 0;
>> 1> badPasswordTime: <ldp error <0x0>: cannot format time field;
>> 1> lastLogon: <ldp error <0x0>: cannot format time field;
>> 1> logonHours: <ldp: Binary blob>;
>> 1> pwdLastSet: <ldp error <0x0>: cannot format time field;
>> 1> primaryGroupID: 513;
>> 1> userParameters: m: d ;
>> 1> objectSid: S-1-5-21-1561616353-131408304-1539857752-1612;
>> 1> accountExpires: 0;
>> 1> logonCount: 12;
>> 1> sAMAccountName: gdurzi;
>> 1> sAMAccountType: 805306368;
>> 1> userPrincipalName: gdurzi;
>> 1> objectCategory:
>> CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=isacorp,DC=com;
>> 1> msNPAllowDialin: TRUE;
>> -----------
>>
>> You can see that the memberOf property properly pulls the groups my cn is
>> a member of:
>>
>> memberOf: CN=FrameworkAdmins,CN=Users,DC=corp,DC=isacorp,DC=com;
>> CN=Remote Desktop Users,CN=Builtin,DC=corp,DC=isacorp,DC=com;
>>
>>
>> Any idea why my code is error'ing at the call to FindOne?
>>
>
>
- Previous message: Joe Kaplan \(MVP - ADSI\): "Re: DirectorySearcher - SearchResult - User Groups"
- In reply to: Joe Kaplan \(MVP - ADSI\): "Re: DirectorySearcher - SearchResult - User Groups"
- Next in thread: Joe Kaplan \(MVP - ADSI\): "Re: DirectorySearcher - SearchResult - User Groups"
- Reply: Joe Kaplan \(MVP - ADSI\): "Re: DirectorySearcher - SearchResult - User Groups"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
