Solved

LDAP Not all users returning Memberof information Asp.Net

Posted on 2008-10-23
3,312 Views
Last Modified: 2013-12-24
I am using asp.net 2.0 with C#.  I am authenticating users against LDAP and that is working fine.  Once they are authenticated, I want to pull more information from LDAP, however, I have noticed that not all users will return information such as memberof.  I am however able to get the displayName.  I have the LDAP connection string in the web.config file, and I created a special user account that I use to query LDAP.  Below is the code that I am using.  For some reason not all users will return memberof information.
Please see the attached code snippet.

With the code, the display name is set regardless of the user, but memberOf will only be set on certain users. I have looked through my LDAP directory and I do not see a connection between the users that do not show.

Any help would be appreciated.  
Thank you.

        // Requires: using System.DirectoryServices;
        DirectoryEntry entry = new DirectoryEntry();
        DirectorySearcher Dsearch = new DirectorySearcher(entry);

        // LDAP filters need enclosing parentheses, and the user-supplied value
        // must be escaped (RFC 4515) so it cannot change the filter's meaning.
        String safeUser = _userName.Replace("\\", "\\5c").Replace("*", "\\2a")
                                   .Replace("(", "\\28").Replace(")", "\\29");
        String filterText = "(sAMAccountName=" + safeUser + ")";
        Dsearch.Filter = filterText;

        SearchResult sResultSet = Dsearch.FindOne();   // null when no match

        if (sResultSet != null && sResultSet.Properties["displayName"].Count > 0)
        {
            _displayName = sResultSet.Properties["displayName"][0].ToString();
        }

        // memberOf is multi-valued and is absent for a user whose only group is the
        // primary group; indexing [0] on an empty collection throws, so loop instead.
        string memberOF = "";
        if (sResultSet != null)
        {
            foreach (object groupDn in sResultSet.Properties["memberof"])
            {
                memberOF += groupDn.ToString() + ";";
            }
        }

Question by:shanemay
 
LVL 70

Expert Comment

by:Chris Dent
ID: 22794376

Hey,

If the user is only a member of Domain Users of their Primary Group then memberOf will not return. Primary group membership is evaluated outside of memberOf / member.

Chris
 

Author Comment

by:shanemay
ID: 22795669
Thank you for the response.  Based on your comments, I added the following code to see if I could pull any other LDAP data from member.  Please see the attached code.  For some reason the only information being pulled on certain users is the "displayName" property.  The code works because I always get a displayName.  For some users I get most of the information, for some users I get nothing.  Again, thank you, any help would be greatly appreciated.


            // Attribute names exactly as in the original list. Each read is guarded:
            // reading [0] of an attribute the user object does not carry throws an
            // ArgumentOutOfRangeException, which aborts the whole block for that user.
            string[] attrs = {
                "givenName", "initials", "sn", "homemdb", "countrycode", "cn",
                "msexchuseraccountcontrol", "mailnickname", "msexchhomeservername",
                "msexchhidefromaddresslists", "msexchalobjectversion", "usncreated",
                "objectguid", "msexchrequireauthtosendto", "whenchanged", "memberof",
                "accountexpires", "displayname", "primarygroupid", "badpwdcount",
                "objectclass", "instancetype", "msmqdigests", "objectcategory",
                "samaccounttype", "whencreated", "lastlogon", "useraccountcontrol",
                "msmqsigncertificates", "samaccountname", "userparameters", "mail",
                "msexchmailboxsecuritydescriptor", "adspath", "lockouttime", "homemta",
                "description", "msexchmailboxguid", "pwdlastset", "logoncount",
                "codepage", "name", "usnchanged", "legacyexchangedn", "proxyaddresses",
                "userprincipalname", "admincount", "badpasswordtime", "objectsid",
                "msexchpoliciesincluded", "mdbusedefaults", "distinguishedname",
                "showinaddressbook", "givenname", "textencodedoraddress",
                "lastlogontimestamp"
            };
            string[] names = new string[attrs.Length];
            for (int i = 0; i < attrs.Length; i++)
            {
                ResultPropertyValueCollection values = sResultSet.Properties[attrs[i]];
                names[i] = attrs[i] + " = " + (values.Count > 0 ? values[0].ToString() : "");
            }

 
LVL 70

Expert Comment

by:Chris Dent
ID: 22795783
I'd have to guess it was how you were attempting to return / display the values that's at fault. Reading them in like that should work, although some will be pretty useless.  If I use the method above and simply write the response to a Label it works.

For memberOf, it's an array, so you'd have to loop through each value rather than just the first index.

Chris
0
 

Author Comment

by:shanemay
ID: 22796453
Thank you again for the reply.  Below is the code that I use to display the information.  I agree. It should work, and it does for some users.  For others I get nothing.  I feel that it is a permission issue, but I am not sure where to begin.  I used the generic label names for testing just to see what it would return.  Do you think it could have to do with the account that manages the asp.net worker thread?  I am really at a loss.
        lblDisplayName.Text = _displayName;

        _fullUserName = DOMAIN_PREFIX + _userName;

        lblGroupName.Text = _groupName;
        lblLDAPMember.Text = _LDAPMembership;

        DateTime myDate = DateTime.Now;
        lblDate.Text = myDate.ToLongDateString();

        // Label1 .. Label20 receive names[0] .. names[19]
        for (int i = 0; i < 20; i++)
        {
            ((Label)FindControl("Label" + (i + 1))).Text = names[i];
        }
 
LVL 4

Accepted Solution

by:anipeddi (earned 300 total points)
ID: 22798542
In my past project I had faced this issue and I did solve it.
Are you using Windows authentication? If so, turn on impersonation in your application.
Steps to do this:
1) Have user credentials which have admin access on Active Directory.
2) Go to your web.config file, turn on impersonation, and specify username and password (you could encrypt the user credentials).
   For example:
        <authentication mode="Windows"/>
        <identity impersonate="true" userName="xxxx" password="xxxx"/>

 

Author Comment

by:shanemay
ID: 22798617
Thank you for the reply. When you suggest that the user have admin access on Active Directory, do you mean the user should have admin access to the server?  I am running Windows Server 2003.  Also, I am using Windows authentication.  I created a login page that authenticates against my LDAP.  I will make the changes on Monday and reply back.  Again, thank you for the suggestion.
 
LVL 4

Expert Comment

by:anipeddi
ID: 22798954
I think initially you should understand the concept of impersonation. Please read these articles:
http://www.c-sharpcorner.com/UploadFile/manishkdwivedi/impersonation10092007065217AM/impersonation.aspx
http://msdn.microsoft.com/en-us/library/xh507fc5(VS.71).aspx

The user who uses the application does not need to have admin rights on the server,
but the problem is that without having admin rights he cannot see the memberof() information. So,
use your login screen to authenticate the user, and turn on impersonation.
When you turn on impersonation, no matter who has logged in to the application, it just uses the user credentials you have specified in the impersonation node to hit Active Directory.
 
LVL 70

Expert Comment

by:Chris Dent
ID: 22802378

> but the problem is with out having admin rights he can not see the memberof() information So

Yes he can.

All attributes have Authenticated Users Read unless that has been explicitly removed at the directory level.

Web Applications do not need to run as Administrator to read the directory.

Chris
 
LVL 31

Assisted Solution

by:Henrik Johansson (earned 200 total points)
ID: 22804616
memberOf doesn't return primary group membership.
To get that information, you need to compare the group's PrimaryGroupToken with the user's PrimaryGroupId.
Collect a recordset with the groups and, when accessing the user, apply a filter on the group recordset to find the matching primary group.
rsGroup.Filter = "(PrimaryGroupToken=" + sResultSet.Properties["primaryGroupId"][0] + ")";
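The thread's advice pulled together into one C# helper: escape the user-supplied name before it goes into the filter (the first snippet concatenates _userName unescaped), never index [0] of an attribute that may be absent, loop over the multi-valued memberOf, bind with a dedicated read-only account instead of impersonating an administrator for the whole application (Chris's point that Authenticated Users already have Read), and add the primary group by matching the user's primaryGroupID against each group's primaryGroupToken as Henrik describes. This is an added example, not code from the thread or from anipeddi's or Henrik's projects; the class name AdUserLookup, the LDAP path and the service account are assumptions. The token match is done client-side on an already-collected set of groups, like Henrik's recordset filter, because primaryGroupToken is a constructed attribute that a domain controller will not evaluate inside a server-side search filter.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text;

// Added example, not from the thread. AdUserLookup, the LDAP path and the
// service account are assumptions; the attribute names are standard AD ones.
public static class AdUserLookup
{
    // Escape a value placed inside an LDAP filter (RFC 4515) so that user input
    // cannot alter the query.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Single-valued read that returns null instead of throwing
    // ArgumentOutOfRangeException when the attribute is absent.
    public static string GetString(SearchResult result, string attribute)
    {
        ResultPropertyValueCollection values = result.Properties[attribute];
        return (values != null && values.Count > 0) ? values[0].ToString() : null;
    }

    // Returns every group DN for the account, primary group included.
    // ldapPath is assumed, e.g. "LDAP://dc01.example.local/DC=example,DC=local".
    public static List<string> GetGroups(string ldapPath, string serviceUser,
                                         string servicePassword, string samAccountName,
                                         out string displayName)
    {
        var groups = new List<string>();
        displayName = null;

        // Explicit bind with a dedicated account that has only the default read
        // rights. Secure = Kerberos/NTLM, so no clear-text password on the wire;
        // Sealing = the LDAP session itself is encrypted.
        using (var root = new DirectoryEntry(ldapPath, serviceUser, servicePassword,
                   AuthenticationTypes.Secure | AuthenticationTypes.Sealing))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                              + EscapeFilterValue(samAccountName) + "))";
            searcher.PropertiesToLoad.AddRange(
                new[] { "displayName", "memberOf", "primaryGroupID" });

            SearchResult user = searcher.FindOne();
            if (user == null) return groups;          // no such account

            displayName = GetString(user, "displayName");

            // memberOf is multi-valued and is simply missing for a user whose only
            // group is the primary group, so iterate rather than read [0].
            foreach (object dn in user.Properties["memberOf"])
                groups.Add(dn.ToString());

            // Primary group membership is not stored in memberOf; its RID is in
            // primaryGroupID and is matched against each group's primaryGroupToken.
            if (user.Properties["primaryGroupID"].Count > 0)
            {
                int rid = (int)user.Properties["primaryGroupID"][0];
                string primary = FindGroupByToken(root, rid);
                if (primary != null) groups.Add(primary);
            }
        }
        return groups;
    }

    static string FindGroupByToken(DirectoryEntry root, int primaryGroupId)
    {
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(objectClass=group)";
            searcher.PageSize = 500;   // paged results; AD caps unpaged searches at 1000 by default
            // Constructed attributes such as primaryGroupToken are only returned when
            // explicitly requested.
            searcher.PropertiesToLoad.AddRange(new[] { "distinguishedName", "primaryGroupToken" });
            using (SearchResultCollection all = searcher.FindAll())
            {
                foreach (SearchResult g in all)
                {
                    ResultPropertyValueCollection token = g.Properties["primaryGroupToken"];
                    if (token.Count > 0 && (int)token[0] == primaryGroupId)
                        return GetString(g, "distinguishedName");
                }
            }
        }
        return null;
    }
}
```

Call it from the login page as, for instance, `string name; List<string> groups = AdUserLookup.GetGroups(ldapPath, @"EXAMPLE\svc-ldap-read", password, _userName, out name);` with the service account's password read from an encrypted web.config section rather than a literal. The account only needs the Read access Authenticated Users already hold; if a user still comes back with no groups at all, look for an explicit deny on that object rather than granting the service account more rights.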
 

Author Closing Comment

by:shanemay
ID: 31509348
Thank you for your help.  This worked out perfectly.  Again, thank you.
