Directory Binding and Search
Hi Joe and All
Here are the lines of code I have tried, but it seems like authentication was
not successful, as it returned just the sn whether or not (uName, pwd,
AuthenticationTypes.Secure) was specified. When I tried the same credentials
with ldp.exe, I was able to get the attributes I wanted.
By the way, for my application setting, I have not turned on impersonation
yet, but I assume this should not make any difference as the credential was
specified when doing the bind, right? Did I do anything wrong in binding?
Any idea?
TIA
String uName = "cn=Administrator, cn=Users, dc=domain, dc=com";
String pwd = "admpwd";
String searchPath = "ldap://ou=myou, dc=domain, dc=com";
//Bind to the server and authenticate
DirectoryEntry entry = new DirectoryEntry(searchPath, uName, pwd, AuthenticationTypes.Secure);
//DirectoryEntry entry = new DirectoryEntry(searchPath);
Object native = entry.NativeObject;
//do a DirectorySearch
DirectorySearcher mySearcher = new DirectorySearcher(entry);
mySearcher.PropertiesToLoad.Add("sn");
mySearcher.PropertiesToLoad.Add("givenName");
mySearcher.PropertiesToLoad.Add("telephoneNumber");
mySearcher.Filter = "(objectClass=user)";
SearchResultCollection resEntAll = mySearcher.FindAll();
Guest
-
Joe #2
Re: Directory Binding and Search
A few points here:
- lowercase "ldap" doesn't work in ADSI binding strings. Always use LDAP.
- With AuthenticationTypes.Secure, don't use the DN syntax for username.
Use either NT name (domain\user), UPN (com) or plain username.
Note that domain\user and UPN work with all authenticationtypes, so they are
the most flexible.
That said, if the search works in ldp.exe with those credentials, you should
be able to get the same search working in S.DS. They use the same mechanics
under the hood.
Joe K.
Joe Guest
-
Re: Directory Binding and Search
Thanks Joe. But if the search did work, would it be the foreach loop, which
I posted earlier (in the other thread "listing Object properties from
SearchResult"), giving me the problem? Did I do anything wrong there? I
suspect the index y never gets set in the second foreach loop; that could be
why I was getting "sn" only, i.e. y=0 as it was initialized.
TIA
Guest
-
Re: Directory Binding and Search
I did change to LDAP and used the NT name format, and yet I am getting the
same results! On the other hand, if authentication did work,
1. why would I get the same result even if no credential was specified in
the DirectoryEntry statement?
2. would there be something wrong with the SearchResult / PropertyCollection
classes? Has anyone tried listing the properties using these classes before?
3. is there any other way to get the key:value pair from a
SearchResultCollection?
TIA
Guest
-
Joe #5
Re: Directory Binding and Search
Sorry, can you show the sample code that isn't working again? I lost the
other thread.
Joe K.
Joe Guest
-
Re: Directory Binding and Search
Hi Joe / All
Here are the complete lines of code, again. Would you have the spare time to
take the code and try it somewhere, just to see if you would get the same
results?
I am thinking of replacing the second foreach loop with
resEnt.GetDirectoryEntry().Properties("sn").Value
resEnt.GetDirectoryEntry().Properties("givenName").Value
resEnt.GetDirectoryEntry().Properties("telephoneNumber").Value
not sure if the above changes would make any difference, but I don't have
access to my development server yet, I will have to test run it later today.
By the way, I have put this in a *.cs file, compiled that to a library
and put it under /bin.
TIA
--------------
public DataTable List(String CustOU, String CustDC)
{
    //formatting Dir path
    //String uName = "cn=administrator, cn=Users, dc=domain, dc=com";
    String uName = "domain.com" + "\\" + "administrator";
    String pwd = "admpwd";
    String searchPath = "LDAP://ou=" + CustOU + "," + CustDC;
    //Bind to the server and authenticate
    DirectoryEntry entry = new DirectoryEntry(searchPath, uName, pwd, AuthenticationTypes.Secure);
    Object native = entry.NativeObject;
    //do a DirectorySearch
    DirectorySearcher mySearcher = new DirectorySearcher(entry);
    mySearcher.PropertiesToLoad.Add("sn");
    mySearcher.PropertiesToLoad.Add("givenName");
    mySearcher.PropertiesToLoad.Add("telephoneNumber");
    mySearcher.Filter = "(objectClass=user)";
    SearchResultCollection resEntAll = mySearcher.FindAll();
    //define a DataTable
    DataTable dt = new DataTable();
    DataRow dr;
    dt.Columns.Add(new DataColumn("Last_Name", typeof(string)));
    dt.Columns.Add(new DataColumn("Given_Name", typeof(string)));
    dt.Columns.Add(new DataColumn("Telephone", typeof(string)));
    //propagate result to a dataTable and return
    //bool doWrite; not used
    //string s, g, t;
    int i = 0, y = 0;
    foreach (SearchResult resEnt in resEntAll)
    {
        i++;
        dr = dt.NewRow();
        foreach (string propKy in resEnt.Properties.PropertyNames)
        {
            switch (propKy)
            {
                case "sn":
                    y = 0;
                    break;
                case "givenName":
                    y = 1;
                    break;
                case "telephoneNumber":
                    y = 2;
                    break;
                default:
                    y = 3;
                    break;
            }
            if (y < 3)
            {
                ResultPropertyValueCollection valcol = resEnt.Properties[propKy];
                foreach (Object prop in valcol)
                {
                    dr[y] = prop.ToString();
                }
            }
        }
        dt.Rows.Add(dr);
    }
    entry.Dispose();
    return dt;
}
Guest
-
Joe #7
Re: Directory Binding and Search
I guess I would probably write the code slightly differently:
if (res.Properties.Contains("sn"))
    sn = (string) res.Properties["sn"][0];
else
    sn = null;
Then, just put those string values in the data table.
You should not have to get the DirectoryEntry object to read the values.
They should be available from the search as the same security context is
being applied. Additionally, you never want to do this:
resEnt.GetDirectoryEntry().Properties("sn").Value
resEnt.GetDirectoryEntry().Properties("givenName").Value
resEnt.GetDirectoryEntry().Properties("telephoneNumber").Value
GetDirectoryEntry creates a new DirectoryEntry object with each call, so
that would allocate three of them and hit the network each time. Not good!
Also, DirectoryEntry objects should always be wrapped in a using statement
(or try/finally...dispose in VB.NET) to avoid memory leaks. The code above
will leak all three of those DirectoryEntry objects.
HTH,
Joe K.
Joe Guest
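The advice in this thread combined into one method, as an added example that is not code from the original posters: an upper-case LDAP:// path, an NT or UPN user name with AuthenticationTypes.Secure, values read straight from each SearchResult, and every disposable object wrapped in using. The names DirectoryListing, ListUsers and First are hypothetical, and the caller is assumed to supply the path and credentials rather than hard-coding them.

```csharp
using System;
using System.Data;
using System.DirectoryServices;

public static class DirectoryListing   // hypothetical name
{
    // Hypothetical helper: first value of an attribute, or DBNull when it is absent.
    // Indexing a missing attribute yields an empty collection, hence the Contains check.
    // Lookup by name is case-insensitive, whereas PropertyNames enumerates the names
    // lower-cased ("givenname"), which a case-sensitive switch on "givenName" misses.
    static object First(SearchResult res, string attr)
    {
        if (res.Properties.Contains(attr))
            return res.Properties[attr][0].ToString();
        return DBNull.Value;
    }

    // searchPath: e.g. "LDAP://ou=myou,dc=domain,dc=com" (upper-case scheme).
    // userName: NT (domain\user) or UPN form, as advised for AuthenticationTypes.Secure.
    public static DataTable ListUsers(string searchPath, string userName, string password)
    {
        DataTable dt = new DataTable();
        dt.Columns.Add("Last_Name", typeof(string));
        dt.Columns.Add("Given_Name", typeof(string));
        dt.Columns.Add("Telephone", typeof(string));

        using (DirectoryEntry entry = new DirectoryEntry(
                   searchPath, userName, password, AuthenticationTypes.Secure))
        using (DirectorySearcher searcher = new DirectorySearcher(entry))
        {
            searcher.Filter = "(objectClass=user)";
            searcher.PropertiesToLoad.AddRange(
                new string[] { "sn", "givenName", "telephoneNumber" });

            // The result collection also holds unmanaged resources; dispose it too.
            using (SearchResultCollection results = searcher.FindAll())
            {
                foreach (SearchResult res in results)
                {
                    DataRow dr = dt.NewRow();
                    dr["Last_Name"] = First(res, "sn");
                    dr["Given_Name"] = First(res, "givenName");
                    dr["Telephone"] = First(res, "telephoneNumber");
                    dt.Rows.Add(dr);
                }
            }
        }
        return dt;
    }
}
```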
-
Re: Directory Binding and Search
Hi Joe
Thanks for your guidance and your "code slightly differently". Finally I
got it moving and found that no authentication is required in this case,
because I have a login.aspx which has already created a cookie. The other
thing is I just duplicated your four lines of code a couple of times to include
all the properties I required. I just don't know why the second foreach loop
didn't work.
I really appreciate your help.
One last thing: I saw your reply to the other thread on LDAP authentication,
and I just wonder why you wouldn't recommend using LDAP for authentication?
Guest
-
Joe #9
Re: Directory Binding and Search
LDAP isn't really an authentication protocol. LDAP simple bind is totally
insecure (passes plain text credentials on network), so unless it is
combined with SSL on the LDAP server, you shouldn't use it. You can use
Secure bind with LDAP on AD, but that is essentially just using Kerberos or
NTLM anyway.
Another problem with LDAP auth, especially with System.DirectoryServices, is
that it doesn't scale. Due to the way ADSI works, it will open a new
connection to the LDAP server for each new user authenticated. If you have
many simultaneous users, you will likely run out of TCP/IP wild card ports.
Don't get me wrong, there are some valid uses for LDAP as an auth protocol.
However, it is generally better to use SSPI if you can. Also, in many
instances where people are using Forms auth against AD, they would have been
better off just using Windows auth in the first place. It just depends.
The downside is that the only easy mechanism MS gives you in .NET 1.x to
authenticate against AD programmatically is LDAP/S.DS. Most of these other
APIs require p/invoke and some more complicated programming. The story is
better with .NET 2.0.
Joe K.
Joe Guest




