
IsMember and LDAP provider


Howard Bullock

Oct 27, 2003, 10:18:03 PM
I am having problems checking if an account is a member of
a global group using LDAP. I have a W2K Active Directory
and desire to use LDAP. Is there a trick to getting this to
work? The WinNT provider works but is not my preferred
direction as I cannot specify the particular DC where to
bind.

Marc Scheuner [MVP ADSI]

Oct 28, 2003, 2:59:13 AM
>I am having problems checking if an account is a member of
>a global group using LDAP. I have a W2K Active Directory
>and desire to LDAP. Is there a trick to getting this to
>work.

What language / system are you using?

In C#/.NET, it's really quite simple:

using System;
using System.DirectoryServices;

// strUser is the ADsPath of the user, e.g. "LDAP://CN=YourUser,OU=...,DC=..."
private void ShowGroupMembership(string strUser)
{
    // DirectoryEntry binds lazily; dispose it when done with the COM object
    using (DirectoryEntry de = new DirectoryEntry(strUser))
    {
        // memberOf holds the DNs of the groups the user is a direct member of
        foreach (object oGroup in de.Properties["memberOf"])
        {
            Console.WriteLine(oGroup.ToString());
        }
    }
}

If you use C++ or VB on Win32, have a look at the sample under the
"IADsUser" interface documentation, for the "Groups" method.

IADsUser::Groups
The IADsUser::Groups method obtains a collection of the ADSI group
objects to which this user belongs. The method returns an IADsMembers
interface pointer through which you can enumerate all the groups in
the collection.

Example Code [Visual Basic]
The following code example examines the group membership of a user.

Dim usr As IADsUser
Dim grp As IADs
On Error GoTo Cleanup
Set usr = GetObject(strUser) ' strUser = "LDAP://cn=YourUser,....."

For Each grp In usr.Groups
    Debug.Print grp.Name & " (" & grp.Class & ")"
Next

Cleanup:
If Err.Number <> 0 Then
    MsgBox "An error has occurred. " & Err.Number
End If
Set usr = Nothing

HTH
Marc
================================================================
Marc Scheuner May The Source Be With You!
Bern, Switzerland m.scheuner(at)inova.ch

anon...@discussions.microsoft.com

Oct 28, 2003, 7:12:42 AM
I am using COM via both Perl and KiXtart. I do not want to
enumerate all members and check each one. I would like
information about IADsGroup::IsMember. This method does
not seem to work when using the LDAP provider. I know I
can get the information in different ways.

I want to use the IsMember method. Why does this not work?

bruno postiau

Oct 28, 2003, 9:00:51 AM
Hi,
I just got quite the same problem (see my post a couple of lines up).
Check that the group name you check is 'CN=groupname' rather than
'groupname', as it would be with the WinNT provider.

Hope it helps,

Bruno
<anon...@discussions.microsoft.com> wrote in message
news:0b3201c39d4c$c9d942c0$a401...@phx.gbl...

Howard Bullock

Oct 28, 2003, 1:56:13 PM
This just sucks!

http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=umzs45QbDHA.2372%40TK2MSFTNGP10.phx.gbl&rnum=4

I would say that the LDAP provider is indeed broken and should be fixed.

After some additional testing and LDP.exe views of properties, I find that the M$ implementation just sucks.

The WinNT:// provider works as expected. This is probably because the person who wrote the code checked both the MemberOf and PrimaryGroup attributes.

LDP clearly shows that the group designated as the "PrimaryGroup" is not listed in the MemberOf attribute.

Richard Mueller [MVP]

Oct 28, 2003, 7:05:53 PM
Howard Bullock wrote:

Yes, finding group membership is maddening. I'll only comment that it can be
done. The method you select depends on your purpose, clients, and
circumstances. If you have no nested groups, you can use the WinNT provider.
If you have nested groups (or don't want to bind with both WinNT and LDAP),
the tokenGroups attribute may be your best bet. Even though code using LDAP
can be much longer, my experience is that it is always faster than WinNT.
Shorter code does not mean faster. I have an IsMember function that uses the
tokenGroups attribute, and reveals membership in nested groups and the
"primary" group at this link:

http://www.rlmueller.net/IsMember4.htm

If you are checking for group membership, you could also hard code the group
SID and check for a match in the tokenGroups multi-valued attribute. That
would be even faster.

Finally, why do you need to bind to the copy of an object on a particular
DC? The only reason I can think of is to retrieve the value of an attribute
that is not replicated.

--
Richard
Microsoft MVP Scripting and ADSI
HilltopLab web site - http://www.rlmueller.net
--


Marc Scheuner [MVP ADSI]

Oct 29, 2003, 2:41:58 AM
>Yes, finding group membership is maddening.

Maybe we need to put the pressure on the .NET team at Microsoft to
incorporate a bit more smarts into the System.DirectoryServices
classes to handle stuff like this for .NET v2.0 :-)

It's really crazy that everyone has to keep inventing these things
again and again......

Valery Pryamikov

Oct 29, 2003, 4:11:46 AM
Hi,
In .NET 1.1:
there is a WindowsPrincipal constructor that takes one UPN string parameter
(i.e. no password).
It works only on W2K3 Server (with AD level of W2K3) because it uses the
KERB_S4U_LOGON type underneath, but it does return you the correct identity
token with all group SIDs in place.

-Valery.

"Marc Scheuner [MVP ADSI]" <m.sch...@inova.SPAMBEGONE.ch> wrote in message
news:iorupvs1346staepn...@4ax.com...

Joe Kaplan (MVP - ADSI)

Oct 29, 2003, 4:33:59 AM
It is also possible to retrieve the tokenGroups attribute from AD to get the
flat list of security groups (including primary group and nested groups).
The trick is that they are SIDs, so you need to do some lookups to translate
the SIDs into friendly names, but it isn't too hard. This solution is nice
too since it just uses LDAP and doesn't have the platform restrictions.

Still, that is a helpful trick.

Joe K.

"Valery Pryamikov" <Valery.P...@nospam.sm.siemens.no> wrote in message
news:%230afuyf...@tk2msftngp13.phx.gbl...
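The tokenGroups approach that Richard and Joe describe, plus the primaryGroupID fix-up behind Howard's LDP observation, as an added example that is not code from the thread. It is written in Python rather than Perl/KiXtart/VB so it runs offline: the domain SID, user, groups and tokenGroups values are all constructed sample data, standing in for what the LDAP search would return (objectSid and tokenGroups come back from AD as binary SIDs; tokenGroups is a constructed attribute, so it has to be requested explicitly in a base-scope search of the user object, and, as Richard notes further down the thread, it does not reveal cross-domain memberships). The example shows why a memberOf-only IsMember misses the primary group and nested groups, and how a SID comparison against tokenGroups catches both.

```python
import struct

# Constructed sample data (not from any real directory): a made-up domain SID,
# one user whose primary group is Domain Users (well-known RID 513), and a
# small DN -> SID table standing in for the lookups you would do against AD.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

GROUPS = {  # group DN -> group SID (both constructed)
    "CN=Domain Users,CN=Users,DC=example,DC=com": DOMAIN_SID + "-513",
    "CN=Web Admins,OU=Groups,DC=example,DC=com": DOMAIN_SID + "-1200",
    "CN=All Admins,OU=Groups,DC=example,DC=com": DOMAIN_SID + "-1300",
}


def string_to_sid(text):
    """Encode an SDDL string (S-1-5-21-...) as the binary SID AD stores."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15 or not 0 <= authority < (1 << 48):
        raise ValueError("SID out of range: %r" % text)
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")             # identifier authority: big-endian
            + struct.pack("<%dI" % len(subs), *subs))  # sub-authorities: little-endian


def sid_to_string(blob):
    """Decode a binary SID (an objectSid or tokenGroups value) to its SDDL string."""
    if len(blob) < 8 or blob[0] != 1 or len(blob) != 8 + 4 * blob[1]:
        raise ValueError("malformed SID blob: %r" % blob)
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % blob[1], blob, 8)
    return "S-1-%d%s" % (authority, "".join("-%d" % s for s in subs))


def primary_group_sid(user_object_sid, primary_group_id):
    """primaryGroupID is only a RID; the group SID is the user's domain SID plus that RID."""
    domain = sid_to_string(user_object_sid).rsplit("-", 1)[0]  # strip the user's own RID
    return string_to_sid("%s-%d" % (domain, primary_group_id))


USER = {
    "distinguishedName": "CN=Jane Doe,OU=Staff,DC=example,DC=com",
    "objectSid": string_to_sid(DOMAIN_SID + "-1105"),
    "primaryGroupID": 513,
    # memberOf carries explicit memberships only: Domain Users is missing.
    "memberOf": ["CN=Web Admins,OU=Groups,DC=example,DC=com"],
    # tokenGroups as a DC would compute it: primary group, the direct group,
    # and All Admins, which Web Admins is nested in.
    "tokenGroups": [string_to_sid(DOMAIN_SID + "-513"),
                    string_to_sid(DOMAIN_SID + "-1200"),
                    string_to_sid(DOMAIN_SID + "-1300")],
}


def is_member_memberof(user, group_dn):
    """Direct memberOf check only: misses the primary group and nested groups."""
    return group_dn.lower() in (dn.lower() for dn in user["memberOf"])


def is_member_direct(user, group_dn, group_sid):
    """memberOf plus the primaryGroupID fix-up; still blind to nesting."""
    if is_member_memberof(user, group_dn):
        return True
    pg = primary_group_sid(user["objectSid"], user["primaryGroupID"])
    return pg == string_to_sid(group_sid)


def is_member_tokengroups(user, group_sid):
    """Compare the target SID against tokenGroups: flat, includes primary and nested groups."""
    target = string_to_sid(group_sid)
    return any(tg == target for tg in user["tokenGroups"])


def token_group_names(user, dn_to_sid):
    """Translate tokenGroups SIDs back to DNs; SIDs not in the table stay as strings."""
    sid_to_dn = {sid: dn for dn, sid in dn_to_sid.items()}
    return [sid_to_dn.get(sid_to_string(tg), sid_to_string(tg)) for tg in user["tokenGroups"]]


if __name__ == "__main__":
    du = "CN=Domain Users,CN=Users,DC=example,DC=com"
    aa = "CN=All Admins,OU=Groups,DC=example,DC=com"
    print("Domain Users via memberOf only    :", is_member_memberof(USER, du))          # False
    print("Domain Users with primaryGroupID  :", is_member_direct(USER, du, GROUPS[du]))  # True
    print("Domain Users via tokenGroups      :", is_member_tokengroups(USER, GROUPS[du]))  # True
    print("Nested All Admins via memberOf    :", is_member_direct(USER, aa, GROUPS[aa]))  # False
    print("Nested All Admins via tokenGroups :", is_member_tokengroups(USER, GROUPS[aa]))  # True
    print(token_group_names(USER, GROUPS))
```

Against a live directory the same functions apply unchanged: read objectSid, primaryGroupID and tokenGroups from the user object on the DC you are bound to, and compare binary SIDs rather than names, which also sidesteps the "CN=groupname" versus "groupname" mismatch between the LDAP and WinNT providers.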

Howard Bullock

Oct 29, 2003, 7:56:16 AM
This is an automated account activation process that follows on the heels of an automated account creation process. The account creation process passes the name of the DC on which it created the accounts. My process must then use the same server because replication has not yet taken place. In order to be robust, we cannot hard code a particular DC. Therefore, I need to bind to a specific server based on where the initial process created the accounts.

I will investigate the tokenGroups.

I cannot bind with WinNT as this will bind to the PDC emulator, which may not be the same DC where the accounts have been created.

Richard Mueller [MVP]

Oct 29, 2003, 1:20:26 PM
I understand. The only drawback to the tokenGroups attribute I know of is
that it does not reveal "cross-domain" group memberships.

Richard

"Howard Bullock" <hbul...@tycoelectronics.com> wrote in message
news:5DD19AEF-E99B-4CFB...@microsoft.com...
