User objects cannot be created in the specified container

 
 
chand
07-20-2007
Hi,

I am using ActiveDirectoryProvider to authenticate users (AD). If I
point my provider to the root of AD everything works fine.

If I point the provider to a CN which has a group of users under a
nested container under root I am getting the following error.

Root --> OU1--> OU12--> CN

My connection is pointing to the CN.


"User objects cannot be created in the specified container"

I tried reflecting over the AD provider and found that the provider is
failing at the following method,

DirectoryAttribute objectClass =
    response.Entries[0].Attributes["objectClass"];
if (!this.ContainerIsSuperiorOfUser(objectClass))
{
    throw new ProviderException(
        SR.GetString("ADMembership_Container_not_superior"));
}
Is there a problem with configuration of AD?

Thanks,
chand

 
Joe Kaplan
07-20-2007
What type of object is the CN=xxx object? If it is not an OU or a
container, this won't work. It sounds like you are trying to use a group
object. Groups are not container types.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"chand" wrote in message:
> Hi,
>
> I am using ActiveDirectoryProvider to authenticate users (AD). If I
> point my provider to the root of AD everything works fine.
>
> If I point the provider to a CN which has a group of users under a
> nested container under root I am getting the following error.
>
> Root --> OU1--> OU12--> CN
>
> My connection is pointing to the CN.
>
>
> "User objects cannot be created in the specified container"
>
> I tried reflecting over the AD provider and found that the provider is
> failing at the following method,
>
> DirectoryAttribute objectClass =
>     response.Entries[0].Attributes["objectClass"];
> if (!this.ContainerIsSuperiorOfUser(objectClass))
> {
>     throw new ProviderException(
>         SR.GetString("ADMembership_Container_not_superior"));
> }
> Is there a problem with configuration of AD?
>
> Thanks,
> chand
>



 
chand
07-22-2007
Hi Joe,

Thank you for replying. Yes. CN is a group object. This CN has a list
of members that are allowed to access my application. This
configuration is identical to other CNs used by other applications
like "Business Objects" in the organization.

Unfortunately I don't have much control over the AD configuration. If
we put a test user directly under OU12 everything works. But now our
AD admin is not willing to add each user as a container directly under
OU12. His argument is that this kind of configuration won't allow
users to be under another OU which can be used by some other
application in the organization. I am not sure whether that is a
correct assumption.

Is there any way to configure the AD to give a user access to
multiple OUs without using a group?

Thank you,
chand


 
chand
07-22-2007
Hi Joe,

Thank you for replying. Yes. CN is a group object. This CN has a list
of members that are allowed to access my application. This
configuration is identical to other CNs used by other applications
like "Business Objects" in the organization.

Root --> OU1--> OU12--> CN (group)

1. If I point the connection to Root, everything works fine. But this
would allow everyone in the organization to access my application.
The goal is to restrict access to a group of users.

2. If I point the LDAP connection to OU12, I am not getting the above
error. However, the provider's 'ValidateUser' method is returning false for
any member in the CN group. Either this method is not searching the
group or not finding the users in the group. I am using the
sAMAccountName attribute.

3. If we put a test user directly under OU12 everything works. Is
this the only way to configure AD to work with
ActiveDirectoryMembershipProvider? Using the groups under OUs seems to
be the reasonable option as this allows the admin to manage users
without worrying about different applications.

Thank you,
chand

 
Joe Kaplan
07-22-2007
Groups are not containers. Groups have membership. These are totally
different things. In order to get users provisioned into the directory,
they will have to be in a container. They can be in only one container in
the hierarchy (think of it like a folder in a file system). Examples of
container classes include organizational units and containers.

Objects can be members of multiple groups. The membership of an object in a
group is not related to its location in the directory hierarchy.

So, you'll need to provision your users to a container. As to how to get
them to be members of a group, you can do that in code as well, but I don't
think it is supported by the membership provider by default. You would need
to implement that logic yourself.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"chand" wrote in message:
> Hi Joe,
>
> Thank you for replying. Yes. CN is a group object. This CN has a list
> of members that are allowed to access my application. This
> configuration is identical to other CNs used by other applications
> like "Business Objects" in the organization.
>
> Root --> OU1--> OU12--> CN (group)
>
> 1. If I point the connection to Root, everything works fine. But this
> would allow everyone in the organization to access my application.
> The goal is to restrict access to a group of users.
>
> 2. If I point the LDAP connection to OU12, I am not getting the above
> error. However, the provider's 'ValidateUser' method is returning false for
> any member in the CN group. Either this method is not searching the
> group or not finding the users in the group. I am using the
> sAMAccountName attribute.
>
> 3. If we put a test user directly under OU12 everything works. Is
> this the only way to configure AD to work with
> ActiveDirectoryMembershipProvider? Using the groups under OUs seems to
> be the reasonable option as this allows the admin to manage users
> without worrying about different applications.
>
> Thank you,
> chand
>



 
chand
07-23-2007
OK. We made our application users members of a group and assigned
that group to an OU container. And I am using the container as my
connection string. But it appears that the ASP.NET membership provider
cannot bind the users of that group. It simply returns an invalid login
attempt error. Could it be that the provider doesn't support users of a
group under a container?

Thanks,
chand

 
jimkatoe@gmail.com
08-23-2007
On Jul 23, 9:09 am, chand <(E-Mail Removed)> wrote:
> OK. We made our application users members of a group and assigned
> that group to an OU container. And I am using the container as my
> connection string. But it appears that the ASP.NET membership provider
> cannot bind the users of that group. It simply returns an invalid login
> attempt error. Could it be that the provider doesn't support users of a
> group under a container?
>
> Thanks,
> chand


The users must be child objects of that container for your
configuration to work. As you have it, the Group is a child of the
container, which is not the same thing. The Group is an object, and
users are objects. But the membership of the group is just a
property. Therefore the binds will fail.

 
Reply With Quote
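Added example, not part of the thread and not any poster's code: one way to restrict an application to members of an AD group when the users live in ordinary containers. It assumes the membership provider's connection string names the root or an OU/container that really holds the user objects, that sAMAccountName is the mapped username attribute, and that .NET 3.5's System.DirectoryServices.AccountManagement is available; the domain name and group DN are placeholders.

```csharp
using System;
using System.DirectoryServices.AccountManagement; // .NET 3.5 or later
using System.Web.Security;

public static class GroupGatedLogin
{
    // Placeholder values, not taken from the thread.
    private const string Domain = "example.local";
    private const string AppGroupDn =
        "CN=MyAppUsers,OU=OU12,OU=OU1,DC=example,DC=local";

    // Step 1 authenticates through the configured membership provider.
    // Step 2 authorizes by group membership, which the directory stores as
    // an attribute and not as a position in the OU hierarchy.
    public static bool ValidateAndAuthorize(string samAccountName, string password)
    {
        if (!Membership.ValidateUser(samAccountName, password))
            return false;

        // Lookups run under the process identity, which needs read access
        // to the user and group objects.
        using (var ctx = new PrincipalContext(ContextType.Domain, Domain))
        using (var group = GroupPrincipal.FindByIdentity(
                   ctx, IdentityType.DistinguishedName, AppGroupDn))
        using (var user = UserPrincipal.FindByIdentity(
                   ctx, IdentityType.SamAccountName, samAccountName))
        {
            // Fail closed if either object cannot be resolved.
            if (group == null || user == null)
                return false;
            return IsInGroup(user, group);
        }
    }

    // GetAuthorizationGroups resolves security groups recursively, so a
    // user who is in the application group through a nested group matches.
    private static bool IsInGroup(UserPrincipal user, GroupPrincipal group)
    {
        using (PrincipalSearchResult<Principal> groups = user.GetAuthorizationGroups())
        {
            foreach (Principal g in groups)
            {
                if (g.Sid != null && g.Sid.Equals(group.Sid))
                    return true;
            }
        }
        return false;
    }
}
```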
 
 
 