
CFLDAP & Active Directory


Christopher Peltier

May 11, 2004, 6:02:20 PM5/11/04
OK, I have done as much web searching as I can handle...

I am attempting to do a CFLDAP connection to my Domain Controller, so that I
can have a nice web interface to pull back info on my domain users. I can
make the connection, but the results of my query are from the domain's
DNS. I have tried everything that I can think of to narrow it down to just
AD users, but I can't seem to do it.

I should not need a username/password for this query, I am able to do it in
VB without one. Here is my CF call:

<CFLDAP ACTION="QUERY" ATTRIBUTES="dn,ou,cn" SERVER=#ldapserver#
NAME="LDAP_Query" scope="subtree" START="dc=domainname,dc=com" >

This is the equivalent of the call that I make when I do LDAP calls from
other code languages, and they seem to work fine. Any help would be greatly
appreciated.

-Chris


emerald558

May 11, 2004, 7:23:20 PM5/11/04
Are you trying to filter it so that you just get back users? If so, this seems
to work for me.
Try adding cn=users to the start attribute, i.e.:
START="cn=users,dc=domainname,dc=com"

Another approach might be to add the objectClass field to your attributes and
use a cfif statement to display only users.
ATTRIBUTES="dn,ou,cn,objectClass"
Then
<cfif LDAP_Query.ObjectClass CONTAINS "User" AND LDAP_Query.ObjectClass DOES NOT CONTAIN "Computer">

HTH.

Christopher Peltier

May 14, 2004, 4:31:53 PM5/14/04
The problem is that it never returns the users' CNs to me. I only get
"MicrosoftDNS" & "WellKnownSecurityPrincipals" back as far as CNs are
concerned. I wish it were as simple as just filtering.

Am I missing a step to make the connection to the Users & Computers section?

Excerpt of what is returned:

>DC=a.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=domain,DC=com -- a.root-servers.net<

>DC=123,DC=x.168.192.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=domain,DC=com -- {numeric}<

>CN=Everyone,CN=WellKnown Security Principals,CN=Configuration,DC=domain,DC=com -- Everyone<

That pretty much summarizes the 200+ records that I get returned.

-Chris

"emerald558" <webfor...@macromedia.com> wrote in message
news:c7rn98$qvd$1...@forums.macromedia.com...

Michael

May 15, 2004, 11:55:14 AM5/15/04
Active Directory, by default, needs an authenticated user. You may not have
specified a username/password combo in VB, but VB is a different environment
than ColdFusion. More than likely, you were logged on to a computer and the VB
app was running in your security context.

AD allows all authenticated users to query the directory.

To do it right, you should create a generic domain account that is used to
access AD from ColdFusion. This account does not need any special permissions
unless you plan on using CF and LDAP to create/modify/delete AD objects. If
that is the case, grant "Account Operators" to the generic account. (Also note
that this account cannot change any accounts that are domain admins or above.)

In the CFLDAP tag, specify the username as USERNAME="ldap...@mydomain.com"

Also, let AD do the work of filtering. You can create some complex filters in
the LDAP FILTER attribute. For example, you can use FILTER="objectClass=user"
to show only user accounts. Unfortunately, this also brings "hidden" computer
user accounts as well. You will notice these have "$" at the end of the
sAMAccountName. (I have a filter that removes these, but I don't have access
to that code right now.)

I'm interested in hearing what you wish to do with the LDAP/AD interface. I
have written quite a few pages that help me audit our AD and some other scripts
that modify/cleanse the objects in AD.

Also, here is another caveat of CFLDAP and AD. If you specify
START="dc=mydomain, dc=com", you MUST specify at least one attribute such as
ATTRIBUTES="dn". You cannot specify ATTRIBUTES="*".

To be able to specify ATTRIBUTES="*", you need to specify an OU in the START
attribute such as START="ou=myOU, dc=mydomain, dc=com". I'm not sure why this
is, but it is.

One more big gotcha is don't specify TIMEOUT in the CFLDAP tag. It has a
nasty bug of returning a random number of objects.

It's very easy to create Exchange 2000 mailbox-enabled accounts in AD. If you
would like to share some code, let me know.

I also created a "user data dump" page that might interest you.

denverrails

May 17, 2004, 10:48:04 AM5/17/04
This does it for me. I am in a subdomain, so I allow the user to select a
domain from a hard-coded choice of 4. I then pass the form variable to my
cfldap query. All our DCs are named domain name DC01, 02, etc. If the form
is submitted, I cfparam some values and filter out computers. Our AD is limited
to 1,000 records max, so I allow for a "next" variable to begin at the 1,000th
record. If the object has user in the list and computers are filtered out, it
should be a person. I then change the URL to a user page versus cfldaptop.cfm
(this page) to display user-specific info. If the object is an OU, a link is
created that will start the page at that point and drill down in the OU
(url.startpt). Hope this helps.

<cfif not isdefined("form.dom") and not isdefined("url.startpt") and not isdefined("url.dom")>
<div align="center">
<form action="cfldaptop.cfm" method="post">
Select a Domain
<select name="dom">
<option value="dfd">DFD</option>
<option value="dpd">DPD</option>
<option value="dsd">DSD</option>
<option value="mos">MOS</option>
</select>
<BR>
<input type="submit" value="Submit">
</form>
</div>
<cfelse>
<cfif isdefined("form.dom")>
<cfparam name="url.startpt" default="dc=#form.dom#,dc=sfty,dc=dnvr">
<cfparam name="url.dom" default="#form.dom#">
<cfelseif isdefined("url.dom")>
<cfparam name="url.startpt" default="dc=#url.dom#,dc=sfty,dc=dnvr">
</cfif>
<cfif isdefined("url.next")>
<cfldap
server = "#url.dom#dc01"
action = "query"
start = "#url.startpt#"
name = "qldap"

filter="(&(!(objectclass=computer)),(!(objectclass=group)),(cn>=#trim(url.next)#))"
scope="onelevel"
attributes = "dn, dc,displayname,objectclass,cn,employeeid"
username="domain\username"
password="password">
<cfelse>
<cfldap
server = "#url.dom#dc01"
action = "query"
start = "#url.startpt#"
name = "qldap"
filter="(&(!(objectclass=computer)),(!(objectclass=group)))"
scope="onelevel"
attributes = "dn,dc,displayname,objectclass,cn,employeeid"
username="domain\usernamez"
password="password">
</cfif>


<p></p>
<A href="cfldaptop.cfm">SELECT A DIFFERENT DOMAIN</A><BR>
<table style="font-family:Arial, Helvetica, sans-serif; font-size:10px; ">
<tr style="background-color:#666666; color:#FFFFFF; font-weight:bold; ">
<td colspan="5"><cfoutput>#url.startpt# #qldap.recordcount# Records found</cfoutput></td>
</tr>
<tr style="background-color:#666666; color:#FFFFFF; font-weight:bold; ">
<td>DC</td>
<td>DN</td>
<td>CN</td>
<td>HR DATA</td>
<td>CLASS</td>
</tr>
<cfoutput query="qldap">
<cfset mylist=objectclass>
<cfif listcontains(mylist, "user", ",")>
<cfset myurl="cfldapuser.cfm">
<cfelse>
<cfset myurl="cfldaptop.cfm">
</cfif>
<tr>
<td>(#currentrow#) #dc#</td>
<td><a href="#myurl#?startpt=#dn#&dom=#url.dom#">#dn#</a></td>
<cfset mylist=objectclass>
<td>#cn# (#displayname#)</td>
<td>#employeeid#</td>
<td>#objectclass#</td>
</tr>
<cfset myname=cn>
</cfoutput>
</table>
<cfif qldap.recordcount eq 1000>
<cfoutput>
<a href="cfldaptop.cfm?startpt=#url.startpt#&next=#myname#&dom=#url.dom#">Next Batch</a>
</cfoutput>
</cfif>
<br>

</cfif>
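An added example, not code from any poster in this thread: Michael's post recommends letting AD filter with FILTER="objectClass=user" and dropping the "hidden" computer accounts whose sAMAccountName ends in "$", and denverrails's page appends (cn>=#trim(url.next)#) to its filter straight from a URL parameter. The Python below builds that filter string with RFC 4515 escaping, so a stray "(" or "*" in the parameter cannot change the filter's meaning, and adds the objectCategory=person clause that is the standard AD idiom for "people, not computers"; helper names and the sample rows are constructed for this example, and the resulting string is what would go into CFLDAP's FILTER attribute alongside the USERNAME/PASSWORD Michael describes.

```python
from typing import List, Optional

# RFC 4515: these characters must be hex-escaped inside a filter assertion value.
_SPECIAL = "\\*()\x00"


def escape_filter_value(value: str) -> str:
    """Escape a value for safe use inside an LDAP search filter."""
    out = []
    for ch in value:
        if ch in _SPECIAL:
            out.append("\\%02x" % ord(ch))  # e.g. "(" -> "\28"
        else:
            out.append(ch)
    return "".join(out)


def user_batch_filter(next_cn: Optional[str] = None) -> str:
    """Filter for real user accounts, optionally resuming after a CN.

    objectClass=user alone also matches AD computer objects, so the
    "$"-suffixed sAMAccountName that marks them is excluded (Michael's
    observation); objectCategory=person is the usual AD idiom for the same.
    """
    parts = [
        "(objectCategory=person)",
        "(objectClass=user)",
        "(!(sAMAccountName=*$))",
    ]
    if next_cn:
        # The URL/form value is escaped, never interpolated verbatim.
        parts.append("(cn>=%s)" % escape_filter_value(next_cn.strip()))
    return "(&" + "".join(parts) + ")"


def is_computer_account(sam_account_name: str, object_classes: List[str]) -> bool:
    """Client-side check mirroring the filter, for rows already fetched."""
    classes = [c.lower() for c in object_classes]
    return sam_account_name.endswith("$") or "computer" in classes


# Constructed sample rows standing in for CFLDAP query results (hypothetical).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "jsmith", "objectClass": ["top", "person", "user"]},
    {"sAMAccountName": "WS0042$", "objectClass": ["top", "person", "user", "computer"]},
]


def real_users(entries) -> List[str]:
    """Return the sAMAccountNames that are people, not machine accounts."""
    return [e["sAMAccountName"] for e in entries
            if not is_computer_account(e["sAMAccountName"], e["objectClass"])]
```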

Christopher Peltier

Jun 16, 2004, 6:58:47 PM6/16/04
Sorry for the long delay in response, I went on vacation for a couple of
weeks, then forgot that I posted...hehehehe

Anyway, the thing that I was missing seems to be the
USERNAME="us...@domain.com". It seems to be working as I expected now.

As far as my plans, I am going to start off by checking on password expiry
and generating a weekly report. Probably going to email the Mac users in my
office, since they never seem to know when it expires. Aside from that, I
would like to set up a custom tool for resetting passwords and the
like...basically the same functions that I have in VB, but on our intranet
so our admins can have easy access to it through VPN.

Thanks again for all your help!

-Chris

"Michael" <webfor...@macromedia.com> wrote in message
news:c85eh2$kd5$1...@forums.macromedia.com...
