tgiadmin
asked on
LDAP Not all users returning Memberof information
Hello,
I have an issue that's been rattling my brain for the last few days and I've yet to find a definitive answer or solution. I'm using Windows SBS Server 2003.
I'm querying the Active Directory for memberOf information for various users and eventually setting a variable based off the resulting information. The problem I'm running into is that for some users, memberOf is coming back null. This is not happening for all users though...and this includes members that contain the exact same memberOf information. The groups that the users belong to are not nested and I cannot seem to find any difference between the accounts in the Active Directory, yet the code seems to work just fine...so I think it may be a permissions issue with some accounts? I'm really not sure!
<%
' Look up the user's group memberships and derive Mode from them, then verify the password.
username = Request.Form("username")
password = Request.Form("password")
Mode = 0
ADString = ""

' Directory search through ADO with the ADSI OLE DB provider, running as the IIS process identity.
Set condb = Server.CreateObject("ADODB.Connection")
condb.Provider = "ADsDSOObject"
condb.Open "Active Directory Provider"
Set rslog = Server.CreateObject("ADODB.Recordset")
rsselect = "SELECT sAMAccountName, Memberof, displayname FROM 'LDAP://OU=SBSUsers,OU=Users,OU=MyBusiness,DC=learn,DC=local' WHERE sAMAccountName = '" & username & "'"
rslog.Open rsselect, condb

If Not rslog.EOF Then
    ' memberOf is multi-valued: Null when the user is in no groups (or the attribute cannot be read), otherwise an array of group DNs.
    ADMember = rslog("memberOf")
    DisplayName = rslog("DisplayName")
    If Not IsNull(ADMember) Then
        If Not IsArray(ADMember) Then ADMember = Array(ADMember)   ' a single value is returned as a plain string
        ADString = CStr(ADMember(LBound(ADMember)))
        For ADVariable = LBound(ADMember) + 1 To UBound(ADMember)
            ADString = ADString & "," & CStr(ADMember(ADVariable))
        Next
    End If
    ' The checks run in ascending order, so the highest matching mode wins.
    If InStr(ADString, "learn event editors") <> 0 Then
        Mode = 1
    End If
    If InStr(ADString, "learn web editors") <> 0 Then
        Mode = 2
    End If
    If InStr(ADString, "tgi faculty") <> 0 Then
        Mode = 3
    End If
Else
    ' *redirect to undetermined error page
End If

result = AuthenticateUser(username, password)
If (result <> 1) Then
    ' *redirect to undetermined error page
End If

' Binds to the directory with the supplied credentials; returns 1 when the bind and a query succeed, otherwise 0.
Function AuthenticateUser(username, password)
    AuthenticateUser = 0
    rsselect2 = "SELECT cn FROM 'LDAP://OU=SBSUsers,OU=Users,OU=MyBusiness,DC=learn,DC=local'"
    Set condb2 = Server.CreateObject("ADODB.Connection")
    condb2.Provider = "ADsDSOOBJECT"
    condb2.Properties("User ID") = username
    condb2.Properties("Password") = password
    condb2.Properties("Encrypt Password") = True
    On Error Resume Next   ' a rejected bind raises an error on Open; keep going so the function can return 0
    condb2.Open "DS Query", username, password
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = condb2
    cmd.CommandText = rsselect2
    Set rslog2 = cmd.Execute
    If Err.Number = 0 Then
        If Not (rslog2.BOF Or rslog2.EOF) Then AuthenticateUser = 1
    End If
    On Error GoTo 0
    Set rslog2 = Nothing
    Set condb2 = Nothing
End Function

validkey = Now()
' Mode and DisplayName are handed to the browser in a cookie and read back on later pages.
Response.Cookies("user").Expires = Date + 1
Response.Cookies("user").Domain = "dev.learn.edu"
Response.Cookies("user")("Mode") = Mode
Response.Cookies("user")("DisplayName") = DisplayName
' *redirect to undetermined login success page
%>
Do any of the usernames have apostrophes in them? Are they all in the same domain?
ASKER
Hey Novo,
No, none of the usernames have apostrophes. They are all within the same domain. Another odd thing is that I can pull back other information from the user such as DisplayName...etc. So it is finding the sAMAccountName without any trouble, yet for these certain members it will not pull back the memberOf information...and for others it will. I've been doing a lot of comparisons and I can't seem to locate any difference between working and non-working accounts.
-Brian
ASKER CERTIFIED SOLUTION
ASKER
Hey Novo,
Haven't tried running it as an admin account yet just because of the fact that for some users it actually is working. But you did mention having funny issues with it...so I'll have to give it a shot when I'm in the office Monday and I'll get back to you. I do have code to impersonate a user that I wrote some VB stuff for, I'll have to try that. Also, I did enter bogus user information and it comes back as bad user or password (where you see *redirect to undetermined error page I had just some temporary Response.Writes) so I know that it is checking user/pass properly. Thanks for the tips, I'll try the admin thing Monday.
-Brian
ASKER
Hey Novo,
Just wanted to let you know it is now working. The admin idea worked, thank you!
For anyone else who is having the same problem...the following code is an impersonate-user script that calls a registered VB ActiveX DLL that I made, located in "c:\windir\system32". You can find information on making this DLL if you go to Google and search for: LoginAdmin.ImpersonateUser
I wrapped all my existing LDAP code with this:
Set objLogon = Server.CreateObject("LoginAdmin.ImpersonateUser")
objLogon.Logon "admin username goes here", "admin password goes here", "domainname"
' "Existing Code"
objLogon.Logoff
Set objLogon = Nothing
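As an added example (not the asker's or Novo's code), here is the login flow from the question combined with the impersonation wrapper from this post, with the trust boundaries drawn differently: the user's own password is verified first, memberOf is read under a dedicated read-only lookup account that is impersonated only for that query, group names are compared on the exact CN rather than by substring, and the resulting Mode stays in server-side Session instead of a cookie the browser can edit. It assumes the AuthenticateUser function from the question is on the same page, the LoginAdmin.ImpersonateUser DLL from this post, ASP session state enabled, and placeholder LOOKUP_USER/LOOKUP_PASS values for the lookup account.

```vbscript
<%
' Added example, not the thread's code. Placeholder credentials for a dedicated read-only lookup account.
Const LOOKUP_USER = "lookup-account-goes-here"
Const LOOKUP_PASS = "lookup-password-goes-here"
' Reject any account name that could not be a plain sAMAccountName instead of splicing it into the query as-is.
Function IsSafeAccountName(name)
    Dim re : Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9._-]{1,20}$"
    IsSafeAccountName = re.Test(name)
End Function
' Map memberOf to a mode by exact, case-insensitive CN comparison (a DN with an escaped comma would need a real DN parser).
Function ModeFromMemberOf(memberOf)
    Dim i, cn, mode
    ModeFromMemberOf = 0 : mode = 0
    If IsNull(memberOf) Or IsEmpty(memberOf) Then Exit Function   ' no groups, or attribute not readable by this identity
    If Not IsArray(memberOf) Then memberOf = Array(memberOf)      ' a single value arrives as a plain string
    For i = LBound(memberOf) To UBound(memberOf)
        cn = LCase(Split(Split(memberOf(i), ",")(0), "=")(1))    ' "CN=Name,OU=..." -> "name"
        If cn = "learn event editors" And mode < 1 Then mode = 1
        If cn = "learn web editors" And mode < 2 Then mode = 2
        If cn = "tgi faculty" Then mode = 3                      ' highest mode wins regardless of DN order
    Next
    ModeFromMemberOf = mode
End Function
' Impersonate the lookup account only around the directory read, and drop it again whether or not the read worked.
Function LookupMode(username)
    Dim objLogon, condb, rs
    LookupMode = 0
    On Error Resume Next
    Set objLogon = Server.CreateObject("LoginAdmin.ImpersonateUser")
    objLogon.Logon LOOKUP_USER, LOOKUP_PASS, "learn"
    Set condb = Server.CreateObject("ADODB.Connection")
    condb.Provider = "ADsDSOObject"
    condb.Open "Active Directory Provider"
    Set rs = Server.CreateObject("ADODB.Recordset")
    rs.Open "SELECT memberOf FROM 'LDAP://OU=SBSUsers,OU=Users,OU=MyBusiness,DC=learn,DC=local' WHERE sAMAccountName = '" & username & "'", condb
    If Err.Number = 0 Then
        If Not rs.EOF Then LookupMode = ModeFromMemberOf(rs("memberOf").Value)
    End If
    objLogon.Logoff
    On Error GoTo 0
End Function
' Page flow: validate the input, verify the password with the user's own credentials, only then look up the role.
username = Request.Form("username") : password = Request.Form("password")
If Not IsSafeAccountName(username) Or Len(password) = 0 Then Response.Redirect "error.asp"
If AuthenticateUser(username, password) <> 1 Then Response.Redirect "error.asp"   ' the question's function
Session("Mode") = LookupMode(username)   ' kept server-side: a Mode stored in a cookie can be rewritten by the browser
Response.Redirect "success.asp"
%>
```

Any bind or query failure inside LookupMode leaves Mode at 0, so an unreadable memberOf fails closed rather than granting a role.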
ASKER
Thanks!
Exactly the code I use and it's brilliant!!!
Actually I put the username and password within the DLL so that you don't have to specify it in the ASP file.
ASKER
Ahhh, that's a very good idea, I'll have to give that a shot.
Thanks Novo for your assistance!
-Brian