Solved

LDAP Not all users returning Memberof information Asp.Net

Posted on 2008-10-23
Last Modified: 2013-12-24
I am using asp.net 2.0 with C#.  I am authenticating users against LDAP and that is working fine.  Once they are authenticated, I want to pull more information from LDAP, however, I have noticed that not all users will return information such as memberof.  I am however able to get the displayName.  I have the LDAP connection string in the web.config file, and I created a special user account that I use to query LDAP.  Below is the code that I am using.  For some reason not all users will return memberof information.
Please see the attached code snippet.

With the code, the display name is set regardless of the user, but the memberOf will only set on certain users. I have looked through my LDAP directory and I do not see a connection between the users that do not show.

Any help would be appreciated.  
Thank you.

```csharp
using System.DirectoryServices;

// Binds with the process identity; the LDAP path is taken from web.config.
DirectoryEntry entry = new DirectoryEntry();

DirectorySearcher Dsearch = new DirectorySearcher(entry);

// _userName is concatenated straight into the filter without LDAP escaping.
String filterText = "sAMAccountName=" + _userName;

Dsearch.Filter = filterText;

SearchResult sResultSet = Dsearch.FindOne();

if (sResultSet.Properties["displayName"].Count > 0)
{
    _displayName = sResultSet.Properties["displayName"][0].ToString();

    // memberOf is multi-valued and may be empty; only the first value is read here,
    // and indexing [0] on an empty collection throws.
    string memberOF = (String)sResultSet.Properties["memberof"][0];
}
```

Question by:shanemay
10 Comments
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22794376

Hey,

If the user is only a member of Domain Users or their Primary Group, then memberOf will not return. Primary group membership is evaluated outside of memberOf / member.

Chris
 

Author Comment

by:shanemay
ID: 22795669
Thank you for the response.  Based on your comments, I added the following code to see if I could pull any other LDAP data from member.  Please see the attached code.  For some reason the only information being pulled on certain users is the "displayName" property.  The code works because I always get a displayName.  For some users I get most of the information, for some users I get nothing.  Again, thank you, any help would be greatly appreciated.


```csharp
// Every line below indexes [0] without a Count check: if any one of these
// attributes is absent on a user (initials, description, homemdb, ...), the
// indexer throws and none of the remaining entries are assigned.
string[] names = new string[56];

names[0] = "Given Name = " + sResultSet.Properties["givenName"][0].ToString();
names[1] = "initials = " + sResultSet.Properties["initials"][0].ToString();
names[2] = "sn = " + sResultSet.Properties["sn"][0].ToString();
names[3] = "homemdb = " + sResultSet.Properties["homemdb"][0].ToString();
names[4] = "countrycode = " + sResultSet.Properties["countrycode"][0].ToString();
names[5] = "cn = " + sResultSet.Properties["cn"][0].ToString();
names[6] = "msexchuseraccountcontrol = " + sResultSet.Properties["msexchuseraccountcontrol"][0].ToString();
names[7] = "mailnickname = " + sResultSet.Properties["mailnickname"][0].ToString();
names[8] = "msexchhomeservername = " + sResultSet.Properties["msexchhomeservername"][0].ToString();
names[9] = "msexchhidefromaddresslists = " + sResultSet.Properties["msexchhidefromaddresslists"][0].ToString();
names[10] = "msexchalobjectversion = " + sResultSet.Properties["msexchalobjectversion"][0].ToString();
names[11] = "usncreated = " + sResultSet.Properties["usncreated"][0].ToString();
names[12] = "objectguid = " + sResultSet.Properties["objectguid"][0].ToString();
names[13] = "msexchrequireauthtosendto = " + sResultSet.Properties["msexchrequireauthtosendto"][0].ToString();
names[14] = "whenchanged = " + sResultSet.Properties["whenchanged"][0].ToString();
names[15] = "memberof = " + sResultSet.Properties["memberof"][0].ToString();
names[16] = "accountexpires = " + sResultSet.Properties["accountexpires"][0].ToString();
names[17] = "displayname = " + sResultSet.Properties["displayname"][0].ToString();
names[18] = "primarygroupid = " + sResultSet.Properties["primarygroupid"][0].ToString();
names[19] = "badpwdcount = " + sResultSet.Properties["badpwdcount"][0].ToString();
names[20] = "objectclass = " + sResultSet.Properties["objectclass"][0].ToString();
names[21] = "instancetype = " + sResultSet.Properties["instancetype"][0].ToString();
names[22] = "msmqdigests = " + sResultSet.Properties["msmqdigests"][0].ToString();
names[23] = "objectcategory = " + sResultSet.Properties["objectcategory"][0].ToString();
names[24] = "samaccounttype = " + sResultSet.Properties["samaccounttype"][0].ToString();
names[25] = "whencreated = " + sResultSet.Properties["whencreated"][0].ToString();
names[26] = "lastlogon = " + sResultSet.Properties["lastlogon"][0].ToString();
names[27] = "useraccountcontrol = " + sResultSet.Properties["useraccountcontrol"][0].ToString();
names[28] = "msmqsigncertificates = " + sResultSet.Properties["msmqsigncertificates"][0].ToString();
names[29] = "samaccountname = " + sResultSet.Properties["samaccountname"][0].ToString();
names[30] = "userparameters = " + sResultSet.Properties["userparameters"][0].ToString();
names[31] = "mail = " + sResultSet.Properties["mail"][0].ToString();
names[32] = "msexchmailboxsecuritydescriptor = " + sResultSet.Properties["msexchmailboxsecuritydescriptor"][0].ToString();
names[33] = "adspath = " + sResultSet.Properties["adspath"][0].ToString();
names[34] = "lockouttime = " + sResultSet.Properties["lockouttime"][0].ToString();
names[35] = "homemta = " + sResultSet.Properties["homemta"][0].ToString();
names[36] = "description = " + sResultSet.Properties["description"][0].ToString();
names[37] = "msexchmailboxguid = " + sResultSet.Properties["msexchmailboxguid"][0].ToString();
names[38] = "pwdlastset = " + sResultSet.Properties["pwdlastset"][0].ToString();
names[39] = "logoncount = " + sResultSet.Properties["logoncount"][0].ToString();
names[40] = "codepage = " + sResultSet.Properties["codepage"][0].ToString();
names[41] = "name = " + sResultSet.Properties["name"][0].ToString();
names[42] = "usnchanged = " + sResultSet.Properties["usnchanged"][0].ToString();
names[43] = "legacyexchangedn = " + sResultSet.Properties["legacyexchangedn"][0].ToString();
names[44] = "proxyaddresses = " + sResultSet.Properties["proxyaddresses"][0].ToString();
names[45] = "userprincipalname = " + sResultSet.Properties["userprincipalname"][0].ToString();
names[46] = "admincount = " + sResultSet.Properties["admincount"][0].ToString();
names[47] = "badpasswordtime = " + sResultSet.Properties["badpasswordtime"][0].ToString();
names[48] = "objectsid = " + sResultSet.Properties["objectsid"][0].ToString();
names[49] = "msexchpoliciesincluded = " + sResultSet.Properties["msexchpoliciesincluded"][0].ToString();
names[50] = "mdbusedefaults = " + sResultSet.Properties["mdbusedefaults"][0].ToString();
names[51] = "distinguishedname = " + sResultSet.Properties["distinguishedname"][0].ToString();
names[52] = "showinaddressbook = " + sResultSet.Properties["showinaddressbook"][0].ToString();
names[53] = "givenname = " + sResultSet.Properties["givenname"][0].ToString();
names[54] = "textencodedoraddress = " + sResultSet.Properties["textencodedoraddress"][0].ToString();
names[55] = "lastlogontimestamp = " + sResultSet.Properties["lastlogontimestamp"][0].ToString();
```

 
LVL 71

Expert Comment

by:Chris Dent
ID: 22795783
I'd have to guess it was how you were attempting to return / display the values that's at fault. Reading them in like that should work, although some will be pretty useless.  If I use the method above and simply write the response to a Label it works.

For memberOf, it's an array, so you'd have to loop through each value rather than just the first index.

Chris

Author Comment

by:shanemay
ID: 22796453
Thank you again for the reply.  Below is the code that I use to display the information.  I agree. It should work, and it does for some users.  For others I get nothing.  I feel that it is a permission issue, but I am not sure where to begin.  I used the generic label names for testing just to see what it would return.  Do you think it could have to do with the account that manages the asp.net worker thread?  I am really at a loss.

```csharp
// Display code: the names[] array is filled by the search code posted above.
lblDisplayName.Text = _displayName;

_fullUserName = DOMAIN_PREFIX + _userName;

lblGroupName.Text = _groupName;
lblLDAPMember.Text = _LDAPMembership;

DateTime myDate = DateTime.Now;

lblDate.Text = myDate.ToLongDateString();

Label1.Text = names[0];
Label2.Text = names[1];
Label3.Text = names[2];
Label4.Text = names[3];
Label5.Text = names[4];
Label6.Text = names[5];
Label7.Text = names[6];
Label8.Text = names[7];
Label9.Text = names[8];
Label10.Text = names[9];
Label11.Text = names[10];
Label12.Text = names[11];
Label13.Text = names[12];
Label14.Text = names[13];
Label15.Text = names[14];
Label16.Text = names[15];
Label17.Text = names[16];
Label18.Text = names[17];
Label19.Text = names[18];
Label20.Text = names[19];
```

 
LVL 4

Accepted Solution

by:
anipeddi earned 300 total points
ID: 22798542
In a past project I faced this issue and solved it.
Are you using Windows authentication? If so, turn on impersonation in your application.
Steps to do this:
1) Have user credentials that have admin access on Active Directory.
2) Go to your web.config file and turn on impersonation, specifying the username and password (you could encrypt the user credentials).
For example:

```xml
<authentication mode="Windows"/>
<identity impersonate="true" userName="xxxx" password="xxxx"/>
```
 

Author Comment

by:shanemay
ID: 22798617
Thank you for the reply. When you suggest that the user have admin access on Active Directory, do you mean the user should have admin access to the server?  I am running Windows Server 2003.  Also, I am using Windows authentication.  I created a log in page that authenticates against my LDAP.  I will make the changes on Monday and reply back.  Again, thank you for the suggestion.
 
LVL 4

Expert Comment

by:anipeddi
ID: 22798954
I think initially you should understand the concept of impersonation. Please read these articles:
http://www.c-sharpcorner.com/UploadFile/manishkdwivedi/impersonation10092007065217AM/impersonation.aspx
http://msdn.microsoft.com/en-us/library/xh507fc5(VS.71).aspx

The user who uses the application does not need to have admin rights on the server,
but the problem is that without having admin rights he cannot see the memberOf information. So,
use your login screen to authenticate the user, and turn on impersonation.
When you turn on impersonation, no matter who logs in to the application, it just uses the user credentials you have specified in the impersonation node to hit the Active Directory.
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22802378

> but the problem is with out having admin rights he can not see the memberof() information So

Yes he can.

All attributes have Authenticated Users Read access unless that has been explicitly removed at the directory level.

Web applications do not need to run as Administrator to read the directory.

Chris
 
LVL 31

Assisted Solution

by:Henrik Johansson
Henrik Johansson earned 200 total points
ID: 22804616
memberOf doesn't return primary group membership.
To get that information, you need to compare the group's primaryGroupToken with the user's primaryGroupID.
Collect a recordset with the groups and, when accessing the user, apply a filter on the group recordset to find the matching primary group.

```csharp
// rsGroup is the group recordset collected beforehand, with primaryGroupToken loaded.
rsGroup.Filter = "(PrimaryGroupToken=" + sResultSet.Properties["primaryGroupId"][0] + ")";
```
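The following is an added example, not code from the asker or either expert, that puts the two answers together: it walks every memberOf value instead of reading only index 0, and it resolves the primary group by matching the group's primaryGroupToken against the user's primaryGroupID as Henrik describes. It binds with a dedicated read-only account (the `ldapPath`, `bindUser` and `bindPassword` parameters, the `AdMembership` class and the `EscapeFilter` helper are assumptions of this example) rather than impersonating an administrator, since authenticated users can read these attributes by default.

```csharp
using System.Collections.Generic;
using System.DirectoryServices;

// Added example, not the asker's code. Assumes a dedicated read-only bind account
// whose credentials the caller reads from web.config; no admin rights are needed.
public static class AdMembership
{
    // Escape LDAP filter metacharacters (RFC 4515) so a user-supplied name cannot alter the query.
    static string EscapeFilter(string s)
    {
        return s.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28")
                .Replace(")", "\\29").Replace("\0", "\\00");
    }

    public static List<string> GetGroups(string ldapPath, string bindUser, string bindPassword, string sam)
    {
        var groups = new List<string>();
        using (var root = new DirectoryEntry(ldapPath, bindUser, bindPassword, AuthenticationTypes.Secure))
        using (var search = new DirectorySearcher(root))
        {
            search.Filter = "(&(objectCategory=person)(sAMAccountName=" + EscapeFilter(sam) + "))";
            search.PropertiesToLoad.AddRange(new[] { "memberOf", "primaryGroupID" });
            SearchResult user = search.FindOne();
            if (user == null) return groups;
            // memberOf is multi-valued: walk every value rather than reading [0].
            // It is absent entirely when the user belongs only to their primary group.
            foreach (object dn in user.Properties["memberOf"])
                groups.Add(dn.ToString());
            // The primary group never appears in memberOf. Load every group with its
            // primaryGroupToken (RID) and match it against the user's primaryGroupID.
            if (user.Properties["primaryGroupID"].Count > 0)
            {
                int rid = (int)user.Properties["primaryGroupID"][0];
                search.Filter = "(objectCategory=group)";
                search.PropertiesToLoad.Clear();
                search.PropertiesToLoad.AddRange(new[] { "primaryGroupToken", "distinguishedName" });
                search.PageSize = 500; // paged results so large domains return every group
                using (SearchResultCollection all = search.FindAll())
                    foreach (SearchResult g in all)
                        if (g.Properties["primaryGroupToken"].Count > 0
                            && (int)g.Properties["primaryGroupToken"][0] == rid)
                        {
                            groups.Add(g.Properties["distinguishedName"][0].ToString());
                            break;
                        }
            }
        }
        return groups;
    }
}
```

For a user who is only in Domain Users, the memberOf loop adds nothing and the returned list holds just the primary group's distinguished name.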
 

Author Closing Comment

by:shanemay
ID: 31509348
Thank you for your help.  This worked out perfectly.  Again, thank you.
