Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

LDAP Problem with Memberof information

Posted on 2008-09-30
5
Medium Priority
?
1,104 Views
Last Modified: 2013-12-24
I am developing an asp.net web service which interact with Active Directory(through LDAP) and returns user information.

The web service is working perfect every thing except the memberof information.It is not returning the MemberOf(group name) information for all the users except me,Ie is if query the AD from my system using my UserID it returns my MemberOf info but if use any other person ID it returns all the information except memberOf.I think it is a security issue,I have seen a post in experts-exchange previously,
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_23577274.html
 it suggests to use impersonation to solve this problem, but it is an classic asp application, Can any one tell me how to solve my problem in asp.net.

Thanks
[WebMethod]
    public XmlDocument GetADgroupsForPerson(string oParam)
    {
 
        {
            XmlDocument doc = new XmlDocument();
            XmlNode tempMasterNode, tempNode, tempChildNode;
            tempMasterNode = CreateChildNode(doc, "Users", "");
            doc.AppendChild(tempMasterNode);
            //tempNode = CreateChildNode(doc,tempMasterNode,"Person", "");
            // doc.AppendChild(tempNode);
 
            string uId = oParam;
            string displayName;
            string UserID;
            string telephoneNumber = "";
            string mgr = "";
            string dept = "";
            string email = "";
            string ploc = "";
            string title = "";
            string country = "";
            string domain = "";
            string group = "";
            bool isUserID = false;
            bool isTelephone = false;
            bool isName = false;
            int userinput = 0;
 
            //string Path = "LDAP://DC=XX,DC=XXX,DC=com";
           
            System.DirectoryServices.DirectoryEntry objDE = new System.DirectoryServices.DirectoryEntry((Path));
            DirectorySearcher objSearcher = new DirectorySearcher(objDE);
            objSearcher.SearchScope = SearchScope.Subtree;
            objSearcher.PropertiesToLoad.Add("displayName");
            objSearcher.PropertiesToLoad.Add("sAMAccountName");
            objSearcher.PropertiesToLoad.Add("telephoneNumber");
            objSearcher.PropertiesToLoad.Add("manager");
            objSearcher.PropertiesToLoad.Add("departmentNumber");
            objSearcher.PropertiesToLoad.Add("mail");
            objSearcher.PropertiesToLoad.Add("physicalDeliveryOfficeName");
            objSearcher.PropertiesToLoad.Add("Title");
            objSearcher.PropertiesToLoad.Add("co");
            objSearcher.PropertiesToLoad.Add("canonicalName");
            objSearcher.PropertiesToLoad.Add("memberOf");
 
            isUserID = IsAlphaNumeric(oParam);
            isTelephone = IsWholeNumber(oParam);
            isName = IsAlpha(oParam);
            if (isTelephone)
                userinput = 1;
            else
                if (isName)
                    userinput = 2;
                else
                    if (isUserID)
                        userinput = 3;
                    else
                        userinput = 4;
            switch (userinput)
            {
                case 1:
                    //objSearcher.Filter = "(&(objectClass=user)(|(sAMAccountName=" + oParam + "*)(telephoneNumber=" + oParam + "*)))";
                    objSearcher.Filter = "(&(objectClass=user)(telephoneNumber=*" + oParam + "))";
                    break;
                case 2:
                    objSearcher.Filter = "(&(objectClass=user)(|(displayName=" + oParam + "*)(sn=" + oParam + "*)))";
                    break;
                case 3:
 
                    objSearcher.Filter = "(&(objectClass=user)(sAMAccountName=" + oParam + "*))";
                    break;
                case 4:
                    objSearcher.Filter = "(&(objectClass=user)(|(sAMAccountName=" + oParam + "*)(SN=" + oParam + "*)(GivenName=" + oParam + "*)(cn=" + oParam + "*)(telephoneNumber=" + oParam + "*)))";
                    break;
            }
 
 
 
            ///'''''''''''''''''''''''filter'''''''''''''''''''''''''''
            // objSearcher.Filter = "(&(objectClass=user)(|(sAMAccountName=" + oParam + "*)(SN=" + oParam + "*)(GivenName=" + oParam + "*)(cn=" + oParam + "*)(telephoneNumber=" + oParam + "*)))";
 
            ///''''''''''''''''''''''filter'''''''''''''''''''''''''''' 
            try
            {
               foreach (SearchResult objResult in objSearcher.FindAll())
                {
          tempNode = CreateChildNode(doc, tempMasterNode, "Person", "");
 
                    //*************************DisplayName**************
       displayName = objResult.Properties["displayName"][0].ToString();
                    tempChildNode = CreateChildNode(doc, tempNode, "displayName", "");
                    tempChildNode.InnerXml = displayName;
                    //*************************DisplayName**************
                    //*************************UserID************              
 UserID = objResult.Properties["sAMAccountName"][0].ToString();
           tempChildNode = CreateChildNode(doc, tempNode, "userid", "");
                    tempChildNode.InnerXml = UserID;
                    //*************************UserID*******************
                    
                    
                    
                   
             //************************Group****************************
            for(int i=0;i<(objResult.Properties["memberOf"].Count);i++)
                    {
                       if (objResult.Properties["memberOf"].Count > 0)
                       {
                group = objResult.Properties["memberOf"][i].ToString();
                       }
 
           tempChildNode = CreateChildNode(doc, tempNode, "Group", "");
 
                    tempChildNode.InnerXml = group;
                    }
                
 
 
                    //************************Group*********************
                    
 
                                 }
            }
            catch (Exception e)
            {
 
      tempChildNode = CreateChildNode(doc, tempMasterNode, "error", "");
                tempChildNode.InnerXml = e.Message;
            }
            return doc;
        }
    
    
    
    
    }

Open in new window

0
Comment
Question by:anipeddi
  • 3
  • 2
5 Comments
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 22626955
memberOf doesn't return primary group.
Compare property primaryGroupID for the user with property PrimaryGroupToken for the group to get the primary group information.
0
 
LVL 4

Author Comment

by:anipeddi
ID: 22649777
Can you provide code in C# for the logic you have specified
0
 
LVL 31

Accepted Solution

by:
Henrik Johansson earned 1500 total points
ID: 22671039
Sorry, C# isn't my strong side.
You nead as said to check the primaryGroupID of the user to find out the primary group.
For the user-query, add the following
            objSearcher.PropertiesToLoad.Add("primaryGroupID");

When having the user object, make a new search with a changed LDAP-criteria to find the matching group for extracted primaryGroupID
            objGroupSearcher.Filter="(PrimaryGroupToken="+objSearcher.Properties("primaryGroupID") +")"
0
 
LVL 4

Author Comment

by:anipeddi
ID: 22789768
Thanks for your solution, it works great!
I got an other problem, I need to search AD across multiple domains(entire forest or need to specify 2 or more domains)
 ->currently my query string is
   string Path = "LDAP://DC=MyDomain,DC=MyCompany,DC=com";
Could you help my how to specify multiple domains in the query string.
I tried to put 2 domains in the query like this, but it does not work.
 string Path = "LDAP://DC=MyDomain1,DC=MyDomain2,DC=MyCompany,DC=com";
0
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 22804634
The LDAP-path in the extra OT-question will give you the domain MyDomain1.MyDomain2.MyCompany.com. If you want to access multiple domains, you nead to loop through a list/array of LDAP-domains and make a connection to each of them.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
It’s time for spooky stories and consuming way too much sugar, including the many treats we’ve whipped for you in the world of tech. Check it out!
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This lesson discusses how to use a Mainform + Subforms in Microsoft Access to find and enter data for payments on orders. The sample data comes from a custom shop that builds and sells movable storage structures that are delivered to your property. …

782 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question