DirectorySearcher - SearchResult - User Groups


  1. #1

    DirectorySearcher - SearchResult - User Groups

    Hi,
    I'm having trouble fetching the AD groups a user belongs to after
    authenticating them against Active Directory. My code is based on the How To
    for using Forms Authentication to authenticate against AD
    ([url]http://support.microsoft.com/default.aspx?scid=kb;en-us;326340[/url])

    LDAP ConnectString:
    LDAP://VN-SRV-DC01.corp.isacorp.com/DC=corp,DC=isacorp,DC=com
    Domain Name: VN-SRV-DC01.corp.isacorp.com

    Initially, when I use the DirectorySearcher to find cn=gdurzi, the path of
    the results is:
    LDAP://VN-SRV-DC01.corp.isacorp.com/CN=gdurzi,CN=Users,DC=corp,DC=isacorp,DC=com

    My code does the following to get the user's groups:

    DirectorySearcher oDS = new DirectorySearcher(
        "LDAP://VN-SRV-DC01.corp.isacorp.com/CN=gdurzi,CN=Users,DC=corp,DC=isacorp,DC=com");
    oDS.Filter = "(cn=gdurzi)";
    oDS.PropertiesToLoad.Add("memberOf");
    try {
        SearchResult oSR = oDS.FindOne();   // this call throws, see below
    }
    catch (Exception ex) {
        // "The specified domain either does not exist or could not be contacted"
    }

    I get an Exception on the call to FindOne. "The specified domain either does
    not exist or could not be contacted"

    After binding to the VN-SRV-DC01.corp.isacorp.com domain in ldp.exe, I can
    do a search for cn=gdurzi successfully by using a Base DN of:
    CN=Users,DC=corp,DC=isacorp,DC=com

    ***Searching...
    ldap_search_s(ld, "CN=Users,DC=corp,DC=isacorp,DC=com", 1, "CN=gdurzi",
    attrList, 0, &msg)
    Result <0>: (null)
    Matched DNs:
    Getting 1 entries:
    >> Dn: CN=gdurzi,CN=Users,DC=corp,DC=isacorp,DC=com
    4> objectClass: top; person; organizationalPerson; user;
    1> cn: gdurzi;
    1> distinguishedName: CN=gdurzi,CN=Users,DC=corp,DC=isacorp,DC=com;
    1> name: gdurzi;
    1> canonicalName: corp.isacorp.com/Users/gdurzi;


    If I open the enterprise tree in ldp.exe and find my cn, here's what I get:

    Expanding base 'CN=gdurzi,CN=Users,DC=corp,DC=isacorp,DC=com'...
    Result <0>: (null)
    Matched DNs:
    Getting 1 entries:
    >> Dn: CN=gdurzi,CN=Users,DC=corp,DC=isacorp,DC=com
    4> objectClass: top; person; organizationalPerson; user;
    1> cn: gdurzi;
    1> sn: Durzi;
    1> givenName: George;
    1> distinguishedName: CN=gdurzi,CN=Users,DC=corp,DC=isacorp,DC=com;
    1> instanceType: 4;
    1> whenCreated: 11/24/2004 22:38:51 US Mountain Standard Time US Mountain
    Standard Time;
    1> whenChanged: 12/16/2004 7:58:12 US Mountain Standard Time US Mountain
    Standard Time;
    1> displayName: George Durzi;
    1> uSNCreated: 8471;
    2> memberOf: CN=FrameworkAdmins,CN=Users,DC=corp,DC=isacorp,DC=com;
    CN=Remote Desktop Users,CN=Builtin,DC=corp,DC=isacorp,DC=com;
    1> uSNChanged: 349743;
    1> name: gdurzi;
    1> objectGUID: 2975a92e-fb4b-4141-a0de-482dca83d95b;
    1> userAccountControl: 0x10200;
    1> badPwdCount: 0;
    1> codePage: 0;
    1> countryCode: 0;
    1> badPasswordTime: <ldp error <0x0>: cannot format time field;
    1> lastLogon: <ldp error <0x0>: cannot format time field;
    1> logonHours: <ldp: Binary blob>;
    1> pwdLastSet: <ldp error <0x0>: cannot format time field;
    1> primaryGroupID: 513;
    1> userParameters: m: d ;
    1> objectSid: S-1-5-21-1561616353-131408304-1539857752-1612;
    1> accountExpires: 0;
    1> logonCount: 12;
    1> sAMAccountName: gdurzi;
    1> sAMAccountType: 805306368;
    1> userPrincipalName: gdurzi;
    1> objectCategory:
    CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=isacorp,DC=com;
    1> msNPAllowDialin: TRUE;
    -----------

    You can see that the memberOf property properly pulls the groups my cn is a
    member of:

    memberOf: CN=FrameworkAdmins,CN=Users,DC=corp,DC=isacorp,DC=com;
    CN=Remote Desktop Users,CN=Builtin,DC=corp,DC=isacorp,DC=com;


    Any idea why my code is erroring at the call to FindOne?


    George Durzi Guest

  3. #2

    Re: DirectorySearcher - SearchResult - User Groups

    You probably want the DN for your search root to be the domain root, which
    is likely to be:
    DC=corp,DC=isacorp,DC=com

    The search below uses the actual user's DN (making the search not really
    necessary at all), so it would need to be base-level if you were going to do
    that.

    That said, I don't recommend the approach suggested by that article for
    getting group membership. I think you should consider using tokenGroups
    instead to discover security group membership. If you do some Google groups
    searches on tokenGroups, you should see some samples.

    Joe K.

    "George Durzi" <gdurzi@hotmail.com> wrote in message
    news:OVaffC44EHA.1596@tk2msftngp13.phx.gbl...

    Joe Kaplan \(MVP - ADSI\) Guest
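    Joe's two suggestions above (search from the domain root, and use tokenGroups rather than memberOf for security group membership) as an added example; this is not code from the thread or from the KB article. It assumes domainRootPath is the domain root (DC=corp,DC=isacorp,DC=com in this thread), that bindUser/bindPassword is an account permitted to read tokenGroups on the user object, and the method names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;

// Added example: resolve a user's effective security group membership from the
// constructed attribute tokenGroups (includes nested groups and the primary group,
// which memberOf omits) and make authorization decisions on SIDs, not on names.
public static class TokenGroupsLookup
{
    // RFC 4515 escaping for a value placed inside an LDAP search filter. The
    // thread's code concatenates the raw user name, which permits filter injection.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Returns the SIDs of every security group the user is a member of, or an
    // empty list when the user is not found (callers should treat that as "deny").
    public static List<SecurityIdentifier> GetTokenGroupSids(
        string domainRootPath, string bindUser, string bindPassword, string sAMAccountName)
    {
        var sids = new List<SecurityIdentifier>();
        using (var root = new DirectoryEntry(domainRootPath, bindUser, bindPassword,
                                             AuthenticationTypes.Secure))
        using (var searcher = new DirectorySearcher(root))
        {
            // Subtree search from the domain root finds the user whatever container it lives in.
            searcher.SearchScope = SearchScope.Subtree;
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                              + EscapeFilterValue(sAMAccountName) + "))";
            searcher.PropertiesToLoad.Add("distinguishedName");

            SearchResult found = searcher.FindOne();
            if (found == null)
                return sids;

            // tokenGroups is a constructed attribute: it is computed for a base-scope
            // read of the object itself, so ask the entry to load it explicitly.
            using (DirectoryEntry user = found.GetDirectoryEntry())
            {
                user.RefreshCache(new[] { "tokenGroups" });
                foreach (byte[] sidBytes in user.Properties["tokenGroups"])
                    sids.Add(new SecurityIdentifier(sidBytes, 0));
            }
        }
        return sids;
    }

    // Authorization check keyed on the group's SID, which is unique and survives a
    // rename, instead of on a CN that may be duplicated elsewhere in the tree.
    public static bool IsMemberOfGroupSid(IEnumerable<SecurityIdentifier> tokenGroups,
                                          SecurityIdentifier requiredGroup)
    {
        foreach (SecurityIdentifier sid in tokenGroups)
            if (sid.Equals(requiredGroup))
                return true;
        return false;
    }

    // For logging or display only: translate a SID to a DOMAIN\Group name.
    public static string DescribeGroup(SecurityIdentifier sid)
    {
        try
        {
            return ((NTAccount)sid.Translate(typeof(NTAccount))).Value;
        }
        catch (IdentityNotMappedException)
        {
            return sid.Value;   // e.g. a group from a trusted domain this host cannot resolve
        }
    }
}
```

    Store the required group's SID string (placeholder form "S-1-5-21-<domain>-<rid>") in configuration and construct a SecurityIdentifier from it for IsMemberOfGroupSid, so the check never depends on a group's display name.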

  4. #3

    Re: DirectorySearcher - SearchResult - User Groups

    Joe,
    I looked up tokenGroups, and they definitely look like a better way to
    determine group membership. In the meantime, I've gotten my other code to
    work.

    I consolidated the authentication and the membership checking into the same
    function, because, as you mentioned, the second search isn't really
    necessary at all.

    Here's my function:

    // requires: using System.DirectoryServices; using System.Text;
    public string IsAuthenticatedGetGroups(string Domain, string UserName, string Password)
    {
        string sGroups = string.Empty;
        string DomainUserName = string.Concat(Domain, @"\", UserName);
        try
        {
            DirectoryEntry oDE = new DirectoryEntry(
                _path,                          // LDAP connect string (domain root)
                DomainUserName,                 // user
                Password,                       // password
                AuthenticationTypes.Secure);    // authentication type

            // Touching NativeObject forces the bind, so bad credentials throw here
            // and fall into the catch below.
            Object oNativeObject = oDE.NativeObject;
            DirectorySearcher oDS = new DirectorySearcher(oDE);

            // UserName is inserted into the filter as-is (no LDAP filter escaping).
            oDS.Filter = string.Concat("(&(objectClass=user)(sAMAccountName=", UserName, "))");
            oDS.PropertiesToLoad.Add("CN");
            oDS.PropertiesToLoad.Add("memberOf");

            SearchResult oSR = oDS.FindOne();
            if (null == oSR)
                return string.Empty;

            if (oSR.Properties["memberOf"] == null)
                return string.Empty;

            int iPropertyCount = oSR.Properties["memberOf"].Count;
            StringBuilder sbGroupNames = new StringBuilder();

            string dn;
            int equalsIndex, commaIndex;

            for (int i = 0; i < iPropertyCount; i++)
            {
                // Each memberOf value is a group DN; take the text between the
                // first '=' and the first ',' as the group name.
                dn = (string)oSR.Properties["memberOf"][i];
                equalsIndex = dn.IndexOf("=", 1);
                commaIndex = dn.IndexOf(",", 1);

                if (-1 == equalsIndex) return string.Empty;

                // If commaIndex is -1, Substring throws and the catch returns empty.
                sbGroupNames.Append(dn.Substring(equalsIndex + 1, (commaIndex - equalsIndex) - 1));
                sbGroupNames.Append("|");
            }
            sGroups = sbGroupNames.ToString();
        }
        catch (Exception)
        {
            return string.Empty;
        }
        return sGroups;
    }

    "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
    in message news:eInuyX44EHA.2608@TK2MSFTNGP10.phx.gbl...

    George Durzi Guest

  5. #4

    Re: DirectorySearcher - SearchResult - User Groups

    Sounds good. One thing to be careful about is that your code looks like it
    tries to parse the CN out of the distinguished name of the group and return
    that. Be aware that AD can have duplicate CNs (as long as the objects are
    in different containers in the hierarchy), so you can get into a lot of
    trouble using that for security decisions. Also, I don't think your code
    will handle "," characters that are escaped with a \ in the CN, which could
    cause your parsing to fail.

    That's another reason I hate that sample from kbase. The security practices
    it suggests are not very sound at all.

    Joe K.

    "George Durzi" <gdurzi@hotmail.com> wrote in message
    news:elTzSD54EHA.3596@TK2MSFTNGP12.phx.gbl...

    Joe Kaplan \(MVP - ADSI\) Guest
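    The two parsing problems Joe points out, as an added example that is not part of the thread: NaiveCn reproduces the posted function's IndexOf logic, FirstRdnValue is a hypothetical replacement that honours RFC 4514 escaping, and the sample DNs are constructed for illustration.

```csharp
using System;
using System.Text;

// Added example: why cutting the CN out of a group DN with IndexOf is unreliable,
// and why a CN alone cannot identify a group.
public static class GroupDnParsing
{
    // The thread's approach: everything between the first '=' and the first ','.
    public static string NaiveCn(string dn)
    {
        int eq = dn.IndexOf("=", 1);
        int comma = dn.IndexOf(",", 1);
        if (eq == -1 || comma == -1)
            return string.Empty;
        return dn.Substring(eq + 1, comma - eq - 1);
    }

    // RFC 4514: inside a value a ',' is written "\," or as a hex pair "\2C", and the
    // RDN ends at the first unescaped ','. Returns the decoded value of the first RDN.
    // Simplification: hex escapes are decoded one byte at a time (single-byte chars only).
    public static string FirstRdnValue(string dn)
    {
        int eq = dn.IndexOf('=');
        if (eq < 0)
            throw new FormatException("not a DN: " + dn);

        var value = new StringBuilder();
        for (int i = eq + 1; i < dn.Length; i++)
        {
            char c = dn[i];
            if (c == '\\' && i + 1 < dn.Length)
            {
                // "\XX" hex escape, or "\" followed by the literal special character
                if (i + 2 < dn.Length && Uri.IsHexDigit(dn[i + 1]) && Uri.IsHexDigit(dn[i + 2]))
                {
                    value.Append((char)Convert.ToInt32(dn.Substring(i + 1, 2), 16));
                    i += 2;
                }
                else
                {
                    value.Append(dn[i + 1]);
                    i += 1;
                }
            }
            else if (c == ',')
            {
                break;   // unescaped ',' terminates this RDN
            }
            else
            {
                value.Append(c);
            }
        }
        return value.ToString();
    }

    // Two group DNs refer to the same object only if the whole DN matches (simplified
    // here to a case-insensitive ordinal comparison); the CN alone does not, because AD
    // allows the same CN under different containers.
    public static bool SameGroup(string dnA, string dnB)
    {
        return string.Equals(dnA, dnB, StringComparison.OrdinalIgnoreCase);
    }

    public static void Main()
    {
        // Constructed sample: a group whose CN contains an escaped comma.
        string escaped = @"CN=Admins\, Tier 0,OU=Groups,DC=corp,DC=example,DC=com";
        Console.WriteLine("naive:   " + NaiveCn(escaped));        // cut off at the escaped comma
        Console.WriteLine("rfc4514: " + FirstRdnValue(escaped));  // the whole CN

        // Constructed sample: two distinct groups with the same CN in different containers.
        string a = "CN=FrameworkAdmins,CN=Users,DC=corp,DC=example,DC=com";
        string b = "CN=FrameworkAdmins,OU=Contractors,DC=corp,DC=example,DC=com";
        Console.WriteLine("same CN: " + (FirstRdnValue(a) == FirstRdnValue(b)));
        Console.WriteLine("same DN: " + SameGroup(a, b));
    }
}
```

    Even a correct DN parse only yields a name; for an authorization decision compare the group's SID (as tokenGroups returns it) rather than its CN or DN.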

  6. #5

    Re: DirectorySearcher - SearchResult - User Groups

    Thanks for all the tips and help Joe. I'll definitely incorporate those
    suggestions to close those gaps in the code.

    Thank You

    "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
    in message news:%23Pdssf64EHA.3648@TK2MSFTNGP11.phx.gbl...

    George Durzi Guest
