Re: DirectorySearcher - SearchResult - User Groups
From: Joe Kaplan \(MVP - ADSI\) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 12/16/04
- Next message: elsa_at_hpl.hp.com: "anonymous settings but getting prompted to login - why?"
- Previous message: George Durzi: "Re: DirectorySearcher - SearchResult - User Groups"
- In reply to: George Durzi: "Re: DirectorySearcher - SearchResult - User Groups"
- Next in thread: George Durzi: "Re: DirectorySearcher - SearchResult - User Groups"
- Reply: George Durzi: "Re: DirectorySearcher - SearchResult - User Groups"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 16 Dec 2004 13:46:20 -0600
Sounds good. One thing to be careful about is that your code looks like it
tries to parse the CN out of the distinguished name of the group and return
that. Be aware that AD can have duplicate CNs (as long as the objects are
in different containers in the hierarchy), so you can get into a lot of
trouble using that for security decisions. Also, I don't think you code
will handle "," characters that are escaped with a \ in the CN which, could
cause your parsing to fail.
That's another reason I hate that sample from kbase. The security practices
it suggests are not very sound at all.
Joe K.
"George Durzi" <gdurzi@hotmail.com> wrote in message
news:elTzSD54EHA.3596@TK2MSFTNGP12.phx.gbl...
> Joe,
> I looked up tokenGroups, and they definitely look like a better way to
> determine group membership. In the meantime, I've gotten my othercode to
> work.
>
> I consolidated the authentication, and the membership checking into the
> same function. Because, as you mentioned, the second search isn't really
> necessary at all.
>
> Here's my function:
>
> public string IsAuthenticatedGetGroups (string Domain, string UserName,
> string Password)
> {
> string sGroups = string.Empty;
> string DomainUserName = string.Concat(Domain, @"\", UserName);
> try
> {
> DirectoryEntry oDE = new DirectoryEntry(
> _path, // LDAP Connect String
> DomainUserName, // User
> Password, // Password
> AuthenticationTypes.Secure); // Authentication Type
>
> Object oNativeObject = oDE.NativeObject;
> DirectorySearcher oDS = new DirectorySearcher(oDE);
>
> oDS.Filter = string.Concat("(&(objectClass=user)(SAMAccountName=",
> UserName, "))");
> oDS.PropertiesToLoad.Add("CN");
> oDS.PropertiesToLoad.Add("memberOf");
>
> SearchResult oSR = oDS.FindOne();
> if (null == oSR)
> return string.Empty;
> else
> {
> if (oSR.Properties["memberOf"] == null)
> return string.Empty;
> else
> {
> int iPropertyCount = oSR.Properties["memberOf"].Count;
> StringBuilder sbGroupNames = new StringBuilder();
>
> string dn;
> int equalsIndex, commaIndex;
>
> for (int i = 0; i < iPropertyCount; i++)
> {
> dn = (string)oSR.Properties["memberOf"][i];
> equalsIndex = dn.IndexOf("=", 1);
> commaIndex = dn.IndexOf(",", 1);
>
> if (-1 == equalsIndex) return string.Empty;
>
> sbGroupNames.Append(dn.Substring((equalsIndex + 1), (commaIndex -
> equalsIndex) - 1));
> sbGroupNames.Append("|");
> }
> sGroups = sbGroupNames.ToString();
> }
> }
>
> }
> catch (Exception)
> {
> return string.Empty;
> }
> return sGroups;
> }
>
> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
> in message news:eInuyX44EHA.2608@TK2MSFTNGP10.phx.gbl...
>> You probably want the DN for your search root to be the domain root,
>> which is likely to be:
>> DC=corp,DC=isacorp,DC=com
>>
>> The search below uses the actual user's DN (making the search not really
>> necessary at all), so it would need to be base-level if you were going to
>> do that.
>>
>> That said, I don't recommend the approach suggested by that article for
>> getting group membership. I think you should consider using tokenGroups
>> instead to discover security group membership. If you do some Google
>> groups searches on tokenGroups, you should see some samples.
>>
>> Joe K.
>>
>> "George Durzi" <gdurzi@hotmail.com> wrote in message
>> news:OVaffC44EHA.1596@tk2msftngp13.phx.gbl...
>>> Hi,
>>> I'm having trouble fetching the AD groups a user belongs to after
>>> authenticating them against Active Directory. My code is based on the
>>> How To for using Forms Authentication to authenticate against AD
>>> (http://support.microsoft.com/default.aspx?scid=kb;en-us;326340)
>>>
>>> LDAP ConnectString:
>>> LDAP://VN-SRV-DC01.corp.isacorp.com/DC=corp,DC=isacorp,DC=com
>>> Domain Name: VN-SRV-DC01.corp.isacorp.com
>>>
>>> Initially, when I use the DirectorySearcher to find cn=gdurzi, the path
>>> of the results is:
>>> LDAP://VN-SRV-DC01.corp.isacorp.com/CN=gdurzi,CN=Users,DC=corp,DC=isacorp,DC=com
>>>
>>> My code does the following to get the users groups does the following:
>>>
>>> DirectorySearcher oDS = new
>>> DirectorySearcher("LDAP://VN-SRV-DC01.corp.isacorp.com/CN=gdurzi,CN=Users,DC=corp,DC=isacorp,DC=com");
>>> oDS.Filter ="(cn=gdurzi)";
>>> oDS.PropertiesToLoad.Add("memberOf");
>>> try {
>>> SearchResult oSR = oDS.FindOne();
>>>
>>> I get an Exception on the call to FindOne. "The specified domain either
>>> does not exist or could not be contacted"
>>>
>>> After binding to the VN-SRV-DC01.corp.isacorp.com domain in ldp.exe, I
>>> can do a search for cn=gdurzi successfully by using a Base DN of:
>>> CN=Users,DC=corp,DC=isacorp,DC=com
>>>
>>> ***Searching...
>>> ldap_search_s(ld, "CN=Users,DC=corp,DC=isacorp,DC=com", 1, "CN=gdurzi",
>>> attrList, 0, &msg)
>>> Result <0>: (null)
>>> Matched DNs:
>>> Getting 1 entries:
>>>>> Dn: CN=gdurzi,CN=Users,DC=corp,DC=isacorp,DC=com
>>> 4> objectClass: top; person; organizationalPerson; user;
>>> 1> cn: gdurzi;
>>> 1> distinguishedName: CN=gdurzi,CN=Users,DC=corp,DC=isacorp,DC=com;
>>> 1> name: gdurzi;
>>> 1> canonicalName: corp.isacorp.com/Users/gdurzi;
>>>
>>>
>>> If I open the enterprise tree in ldp.exe and find my cn, here's what I
>>> get:
>>>
>>> Expanding base 'CN=gdurzi,CN=Users,DC=corp,DC=isacorp,DC=com'...
>>> Result <0>: (null)
>>> Matched DNs:
>>> Getting 1 entries:
>>>>> Dn: CN=gdurzi,CN=Users,DC=corp,DC=isacorp,DC=com
>>> 4> objectClass: top; person; organizationalPerson; user;
>>> 1> cn: gdurzi;
>>> 1> sn: Durzi;
>>> 1> givenName: George;
>>> 1> distinguishedName: CN=gdurzi,CN=Users,DC=corp,DC=isacorp,DC=com;
>>> 1> instanceType: 4;
>>> 1> whenCreated: 11/24/2004 22:38:51 US Mountain Standard Time US
>>> Mountain Standard Time;
>>> 1> whenChanged: 12/16/2004 7:58:12 US Mountain Standard Time US Mountain
>>> Standard Time;
>>> 1> displayName: George Durzi;
>>> 1> uSNCreated: 8471;
>>> 2> memberOf: CN=FrameworkAdmins,CN=Users,DC=corp,DC=isacorp,DC=com;
>>> CN=Remote Desktop Users,CN=Builtin,DC=corp,DC=isacorp,DC=com;
>>> 1> uSNChanged: 349743;
>>> 1> name: gdurzi;
>>> 1> objectGUID: 2975a92e-fb4b-4141-a0de-482dca83d95b;
>>> 1> userAccountControl: 0x10200;
>>> 1> badPwdCount: 0;
>>> 1> codePage: 0;
>>> 1> countryCode: 0;
>>> 1> badPasswordTime: <ldp error <0x0>: cannot format time field;
>>> 1> lastLogon: <ldp error <0x0>: cannot format time field;
>>> 1> logonHours: <ldp: Binary blob>;
>>> 1> pwdLastSet: <ldp error <0x0>: cannot format time field;
>>> 1> primaryGroupID: 513;
>>> 1> userParameters: m: d ;
>>> 1> objectSid: S-1-5-21-1561616353-131408304-1539857752-1612;
>>> 1> accountExpires: 0;
>>> 1> logonCount: 12;
>>> 1> sAMAccountName: gdurzi;
>>> 1> sAMAccountType: 805306368;
>>> 1> userPrincipalName: gdurzi;
>>> 1> objectCategory:
>>> CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=isacorp,DC=com;
>>> 1> msNPAllowDialin: TRUE;
>>> -----------
>>>
>>> You can see that the memberOf property properly pulls the groups my cn
>>> is a member of:
>>>
>>> memberOf: CN=FrameworkAdmins,CN=Users,DC=corp,DC=isacorp,DC=com;
>>> CN=Remote Desktop Users,CN=Builtin,DC=corp,DC=isacorp,DC=com;
>>>
>>>
>>> Any idea why my code is error'ing at the call to FindOne?
>>>
>>
>>
>
>
- Next message: elsa_at_hpl.hp.com: "anonymous settings but getting prompted to login - why?"
- Previous message: George Durzi: "Re: DirectorySearcher - SearchResult - User Groups"
- In reply to: George Durzi: "Re: DirectorySearcher - SearchResult - User Groups"
- Next in thread: George Durzi: "Re: DirectorySearcher - SearchResult - User Groups"
- Reply: George Durzi: "Re: DirectorySearcher - SearchResult - User Groups"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
