querying AD users

 
 
SpaceMarine
      07-05-2008
hello,

i haven't done any research on this yet and about to, but i wanted to
see if anyone had any recommended links on programmatically working w/
AD users. (namely, looking up all users that begin w/ a certain
letter, or getting back a list of users matching a first name, etc..)

i'm building a UI that allows my admin-users to manage other users, it's
going to be used for securing access to parts of our apps.


thanks, and i'll post what i find.

sm
 
SpaceMarine
      07-06-2008
looks like the DirectoryServices class is where it's at for this. the
DirectorySearcher class is used for, well, searching the directory.
there is a .Filter prop for passing in queries:

http://msdn.microsoft.com/en-us/libr...er.filter.aspx

....now i just gotta figure out the proper filter. it's LDAP syntax. to
get all users w/ a last name of "A", i think it's something like:

.Filter = "(objectClass=user)(lastName >= A)"


sm
 
SpaceMarine
      07-06-2008
On Jul 6, 11:44 am, SpaceMarine <(E-Mail Removed)> wrote:

>     .Filter = "(objectClass=user)(lastName >= A)"


actually asterisk wildcards are supported, so it's probably more like

lastName = A*

...will have to play around w/ it in the office.

sm
 
Alexey Smirnov
      07-07-2008
On Jul 6, 6:50 pm, SpaceMarine <(E-Mail Removed)> wrote:
> On Jul 6, 11:44 am, SpaceMarine <(E-Mail Removed)> wrote:
>
> >     .Filter = "(objectClass=user)(lastName >= A)"
>
> actually asterisk wildcards are supported, so it's probably more like
>
>     lastName = A*
>
> ...will have to play around w/ it in the office.
>
> sm


Note that if you run it from the ASP.NET application on a server, in
most cases you may need to implement impersonation in the application
before you access the AD.

http://support.microsoft.com/kb/306158
 
Alexey Smirnov
      07-07-2008
On Jul 6, 6:50 pm, SpaceMarine <(E-Mail Removed)> wrote:
> On Jul 6, 11:44 am, SpaceMarine <(E-Mail Removed)> wrote:
>
> >     .Filter = "(objectClass=user)(lastName >= A)"
>
> actually asterisk wildcards are supported, so it's probably more like
>
>     lastName = A*
>
> ...will have to play around w/ it in the office.
>
> sm


ping
 
SpaceMarine
      07-08-2008
On Jul 7, 1:29 pm, Alexey Smirnov <(E-Mail Removed)> wrote:

> Note that if you run it from the ASP.NET application on a server, in
> most cases you may need to implement impersonation in the application
> before you access the AD.


well, i'd like to avoid impersonation if possible. if my DirectoryEntry
class is instantiated w/ an optional username & password in its
constructor (a service account given to me by our AD admin), then
would i no longer need to impersonate?


sm
 
Paul Clement
      07-08-2008
On Mon, 7 Jul 2008 20:53:34 -0700 (PDT), SpaceMarine <(E-Mail Removed)> wrote:

> On Jul 7, 1:29 pm, Alexey Smirnov <(E-Mail Removed)> wrote:
>
> > Note that if you run it from the ASP.NET application on a server, in
> > most cases you may need to implement impersonation in the application
> > before you access the AD.
>
> well, i'd like to avoid impersonation if possible. if my DirectoryEntry
> class is instantiated w/ an optional username & password in its
> constructor (a service account given to me by our AD admin), then
> would i no longer need to impersonate?

As long as your ASP.NET app is running under an account that has sufficient permissions to query AD
then you should be fine. W/o impersonation, the default account would be ASPNET (2000, XP) or
NetworkService (2003 or higher). You can also configure your ASP.NET app to run under a custom least
privilege account.

With respect to syntax you would want to include the "and" operator in your query as well:

.Filter = "(&(objectClass=user)(lastName = A*))"

The following link should help you with LDAP query syntax:

http://msdn.microsoft.com/en-us/library/aa746475.aspx


Paul
~~~~
Microsoft MVP (Visual Basic)
 
Alexey Smirnov
      07-09-2008
On Jul 8, 5:50 pm, Paul Clement <(E-Mail Removed)> wrote:
> On Mon, 7 Jul 2008 20:53:34 -0700 (PDT), SpaceMarine <(E-Mail Removed)> wrote:
>
> On Jul 7, 1:29 pm, Alexey Smirnov <(E-Mail Removed)> wrote:
>
> > Note that if you run it from the ASP.NET application on a server, in
> > most cases you may need to implement impersonation in the application
> > before you access the AD.
>
> well, i'd like to avoid impersonation if possible. if my DirectoryEntry
> class is instantiated w/ an optional username & password in its
> constructor (a service account given to me by our AD admin), then
> would i no longer need to impersonate?
>
> As long as your ASP.NET app is running under an account that has sufficient permissions to query AD
> then you should be fine. W/o impersonation, the default account would be ASPNET (2000, XP) or
> NetworkService (2003 or higher). You can also configure your ASP.NET app to run under a custom least
> privilege account.
>
> With respect to syntax you would want to include the "and" operator in your query as well:
>
>     .Filter = "(&(objectClass=user)(lastName = A*))"
>
> The following link should help you with LDAP query syntax:
>
> http://msdn.microsoft.com/en-us/library/aa746475.aspx
>


sm, you can also move the code for AD to a separate class library
DLL, and refer to it from your main ASP.NET application. You would
need to register that DLL as a COM component (Administrative Tools -
Component Services) using an account that has sufficient permissions
to query AD. In this case you would not need to make an impersonation
within your application and all requests to AD would go through the COM
 