Active Directory gives up group info for only SOME users
From: Bear (nospam@nospam.com)
Date: 01/22/03
From: "Bear" <nospam@nospam.com> Date: Wed, 22 Jan 2003 12:02:37 -0500
Our ASP.NET app is secured with forms authentication and validates users
against Active Directory. Using one of the functions in the code below, we
can get group (role) information from Active Directory for SOME users but
not for all.
All users for whom we're requesting group information are registered in
Active Directory - they have passed the IsAuthenticated function below. The
app then calls the getUserGroups function below to retrieve group
information from Active Directory.
For a couple of users, we can retrieve group information, and if we change
their group membership at the server the changes are seen immediately when
the getUserGroups function below is called. However, for other users, we
cannot retrieve any group information - the Active Directory "memberOf"
property returns nothing to the getUserGroups function below.
The couple of users for whom login works OK happen to be administrators with
various high-level privileges, but is this coincidental? Promoting
non-working user identities to all the same high-level rights (making them
members of the same groups such as admin, domain admin, etc.) still does not
make those users' groups available to our application.
This behaviour does not appear to be related to the WINDOWS login of the app
user. The behaviour occurs whether the tester/client user is logged into
WINDOWS as an administrator or as a user. For example, logged in to WINDOWS
as one of the identities which work OK in our app, he can log into our app
using either of the working user identities, but cannot log in as one of the
non-working user identities. Conversely, logged into WINDOWS as one of the
non-working identities he can log into the app as any of the working user
identities but not as any of the non-working identities. The application
runs on IIS under its own low-privilege user account.
What are we missing?
TIA
Imports System
Imports System.DirectoryServices
Imports System.Text

Public Class LDAPAuthentication
    Private _path As String
    Private _filterAttribute As String
    Private Shared _domain As String
    Private Shared _userName As String
    Private Shared _password As String

    Public Sub New(ByVal path As String)
        _path = path
    End Sub 'New

    ' Escape a value before embedding it in an LDAP search filter (RFC 2254):
    ' a login name containing \ * ( ) or NUL must not be able to change the
    ' structure of the filter we build from it.
    Private Shared Function EscapeFilterValue(ByVal value As String) As String
        Dim sb As StringBuilder = New StringBuilder()
        Dim c As Char
        For Each c In value
            Select Case c
                Case "\"c, "*"c, "("c, ")"c, ControlChars.NullChar
                    sb.Append("\" & Convert.ToInt32(c).ToString("x2"))
                Case Else
                    sb.Append(c)
            End Select
        Next
        Return sb.ToString()
    End Function

    Public Function IsAuthenticated(ByVal domain As String, ByVal username As String, ByVal pwd As String) As Boolean
        Dim domainAndUsername As String = domain & "\" & username
        Dim entry As DirectoryEntry = New DirectoryEntry(_path, domainAndUsername, pwd)
        Try
            ' Bind to the native AdsObject to force authentication.
            Dim obj As Object = entry.NativeObject
            Dim search As DirectorySearcher = New DirectorySearcher(entry)
            search.Filter = "(sAMAccountName=" & EscapeFilterValue(username) & ")"
            search.PropertiesToLoad.Add("cn")
            Dim result As SearchResult = search.FindOne()
            If result Is Nothing Then
                Return False
            End If
            ' Update the new path to the user in the directory
            _path = result.Path
            _filterAttribute = CType(result.Properties("cn")(0), String)
        Catch ex As Exception
            Throw   ' rethrow as-is so the original stack trace is kept
        End Try
        Return True
    End Function 'IsAuthenticated

    ' getUserGroups
    ' purpose: return bar-separated list of group names
    Public Function getUserGroups() As String
        ' NOTE: the DirectorySearcher(String) overload takes a *filter*, not a
        ' search root, so New DirectorySearcher(_path) silently searched from the
        ' default root and the next line replaced the filter. Bind to the user's
        ' own path (found in IsAuthenticated) and search from there instead.
        Dim search As DirectorySearcher = New DirectorySearcher(New DirectoryEntry(_path))
        search.Filter = "(cn=" & EscapeFilterValue(_filterAttribute) & ")"
        search.PropertiesToLoad.Add("memberOf")
        Dim groupNames As StringBuilder = New StringBuilder()
        Try
            Dim result As SearchResult = search.FindOne()
            Dim propertyCount As Int32
            Dim dn As String
            Dim equalsIndex As Int32
            Dim commaIndex As Int32
            Dim propertyCounter As Int32
            If result Is Nothing Then
                Return ""   ' no object matched; avoid a NullReferenceException below
            End If
            ' ******* PROBLEM OCCURS HERE!!!
            ' for some users, result.Properties is NOT nothing
            ' but result.Properties("memberOf") is nothing
            ' (the indexer also hands back an empty collection when the attribute
            ' was not returned, so the Count is checked as well)
            If Not result.Properties("memberOf") Is Nothing AndAlso result.Properties("memberOf").Count > 0 Then
                propertyCount = result.Properties("memberOf").Count
                For propertyCounter = 0 To propertyCount - 1
                    dn = CType(result.Properties("memberOf")(propertyCounter), String)
                    ' dn looks like "CN=Group Name,OU=...,DC=..."; take the value of the
                    ' first RDN. A group CN containing an escaped comma ("\,") will still
                    ' be cut short here.
                    equalsIndex = dn.IndexOf("=", 1)
                    commaIndex = dn.IndexOf(",", 1)
                    If equalsIndex = -1 Then
                        Return ""
                    End If
                    If commaIndex = -1 Then
                        commaIndex = dn.Length   ' single-RDN value: take the rest of the string
                    End If
                    groupNames.Append(dn.Substring(equalsIndex + 1, commaIndex - equalsIndex - 1))
                    groupNames.Append("|")
                Next propertyCounter
                ' strip off final "|" at end of groupNames
                Dim last As Int32 = groupNames.Length - 1
                If last >= 0 Then
                    groupNames.Remove(last, 1)
                End If
            End If
        Catch ex As Exception
            Throw New Exception("Error obtaining group names. " & ex.Message, ex)
        End Try
        Return groupNames.ToString()
    End Function 'getUserGroups
End Class
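Two string-handling steps in the class above deserve a closer look from a defender's side: the value placed into the "(sAMAccountName=...)" filter comes straight from the login form, and the group name is pulled out of each "memberOf" DN with an IndexOf("=") / IndexOf(",") shortcut. The following is an added example, not code from the original post, written in Python rather than the poster's VB.NET so it can be run on its own. It shows RFC 4515 escaping of the filter value and an RFC 4514 DN parser that copes with escaped commas, next to a reproduction of the shortcut so the difference is visible. The memberOf values are constructed samples. Two caveats a practitioner would also keep in mind when relying on memberOf for roles: it lists direct memberships only (no nested groups, and not the user's primary group, which is held in primaryGroupID), and group CNs are display names, so comparing DNs or SIDs (for example via the constructed attribute tokenGroups) is the more robust basis for an authorization decision.

```python
# Added example (not from the original post): filter escaping and memberOf
# DN parsing for an AD lookup like the one in the VB.NET class above.

# Constructed sample of what "memberOf" might hold for one user.
SAMPLE_MEMBER_OF = [
    "CN=Domain Admins,CN=Users,DC=example,DC=com",
    "CN=Sales\\, EMEA,OU=Groups,DC=example,DC=com",   # CN with an escaped comma
    "CN=Web App Users,OU=Groups,DC=example,DC=com",
]


def escape_ldap_filter_value(value: str) -> str:
    """RFC 4515 escaping: * ( ) \\ and NUL become a backslash plus two hex digits,
    so a login name cannot change the structure of the filter it is placed in."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(sam_account_name: str) -> str:
    """The filter IsAuthenticated builds, with the user-supplied value escaped."""
    return "(sAMAccountName=%s)" % escape_ldap_filter_value(sam_account_name)


def split_dn(dn: str) -> list:
    """Split a DN into RDN strings, honouring backslash escapes (RFC 4514)."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])      # keep the escape pair intact for now
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    return rdns


def unescape_rdn_value(value: str) -> str:
    """Undo RFC 4514 escaping: '\\X' is a literal special character,
    '\\HH' is one UTF-8 byte, so decode at the byte level."""
    raw, i, hexdigits = bytearray(), 0, "0123456789abcdefABCDEF"
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and pair[0] in hexdigits and pair[1] in hexdigits:
                raw.append(int(pair, 16))
                i += 3
            else:
                raw.extend(value[i + 1].encode("utf-8"))
                i += 2
            continue
        raw.extend(ch.encode("utf-8"))
        i += 1
    return raw.decode("utf-8")


def group_name_from_dn(dn: str) -> str:
    """Return the CN value of the first RDN of a group DN."""
    attr, sep, val = split_dn(dn)[0].partition("=")
    if not sep or attr.strip().lower() != "cn":
        raise ValueError("group DN does not start with a CN RDN: %r" % dn)
    return unescape_rdn_value(val.strip())


def naive_group_name_from_dn(dn: str) -> str:
    """The poster's IndexOf-based extraction, reproduced to show where it breaks."""
    equals_index = dn.find("=", 1)
    comma_index = dn.find(",", 1)
    if equals_index == -1:
        return ""
    if comma_index == -1:
        comma_index = len(dn)
    return dn[equals_index + 1:comma_index]


def group_names(member_of) -> str:
    """Bar-separated group list, the same shape getUserGroups returns."""
    return "|".join(group_name_from_dn(dn) for dn in member_of)


if __name__ == "__main__":
    print(build_user_filter("a*b(c)"))
    print(group_names(SAMPLE_MEMBER_OF))
    print([naive_group_name_from_dn(dn) for dn in SAMPLE_MEMBER_OF])
```

Run as a script, the second sample DN is the one that tells the two approaches apart: the parser returns "Sales, EMEA" while the IndexOf shortcut stops at the escaped comma and returns "Sales\".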