LDAP Query

Question

User1415440864 posted

Hello!

I need to use a LDAP query to check if the user is an admin of the web application from the AD. I am pretty much clueless with anything that pertains to the AD. it should be something like this:

SELECT ADsPath FROM LDAP://domainname/DC=""/DC="",DC="" WHERE samAccountName = "" & userID & AND objectCategory='Person'

Is this even close?

In the Log In page, the user types in two boxes their username and password and it checks if they are admin or not then direct them to the right page.

Admin=Propertylisting.aspx
Users = AddProperty.aspx

I hope I am making any sense at all.

Thanks in advance!

Answer 1

User1354132231 posted
If you are using System.DirectoryServices (which you should), you are way off (sorry!). SDS uses standard LDAP query format (e.g. "(&(objectCategory=person)(sAMAccountName={0}))").  However, even this is not the right choice here.  If you are using Integrated Windows Auth (IWA), you should be using HttpContext.Current.User.IsInRole("rolename") here.  Even if you were using custom authentication, you should be populating your principal object and using the IsInRole functionality.

I would recommend reading Fritz Onion's ASP.NET book (the new one coming or even the old one) for ASP.NET things like this.  I would of course recommend my own book for learning how to interact with Active Directory using SDS.  You can at least download the samples and a sample chapter to get more ideas on how this is done with SDS from the book's website (see the sticky post for more samples details).

Answer 2

User1415440864 posted

Actually, I tried using the IsinRole but it seems to be not working. I have asked one of the admins if the group's name was correct. When I try to log in, it takes me to AddProperty instead of PropertyListing.aspx. Here is the code. Am I doing something wrong? Thank you.

 

Protected Sub btnLogIn_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnLogIn.Click
        Dim Properties As String() = New String() {"sAMAccountName"}

        'verify user credentials against the active directory
        Dim ADUser As SearchResult = FindADUser(Properties)

        If Not IsNothing(ADUser) Then
            'if login names match, then authentication was succesful
            If ADUser.Properties("sAMAccountName")(0).ToString.ToUpper = txtUserName.Text.ToUpper Then
                If User.IsInRole("MAC/HW/MAC-ALL-RiskPropertyAdmins") Then
                    Response.Redirect("PropertyListing.aspx")
                Else
                    Response.Redirect("AddProperty.aspx")
                End If
            Else
                ShowError()
            End If
        Else
            ShowError()
        End If

    End Sub

Private Function FindADUser(ByVal Properties As String()) As SearchResult
        Dim Filter As String = String.Format("(&(objectClass=user)(objectCategory=person)(sAMAccountName=" + txtUserName.Text + "))")
        Dim Entry As New DirectoryEntry(AppSettings("LdapPath"), txtUserName.Text, txtPassword.Text)
        Dim Searcher As New DirectorySearcher(Entry, Filter, Properties)
        Try
            Return Searcher.FindOne()
        Catch ex As Exception
            Return Nothing
        End Try
    End Function

Answer 3

User1354132231 posted
The problem is with your parameters to the IsInRole method.  If you check the principal in 2.0, you should see a listing of the user's groups.  In 1.1, you need to use the debugger and see the 'm_roles' private variable.  In there, you should see a listing of the roles for the user.  It is looking for that string specifically.  For AD, this is going to look like "domain\username".  It will never look like "xx\yy\something".

If you are checking one of the 'built-in' roles, you do not use the domain prefix, but you use the localized version of the word "builtin".  So, checking for a Administrator on a US en server would be "BUILTIN\Administrator".  However, since "BUILTIN" is not the same for every version of windows (it will be localized), you should use the WindowsBuiltinRoleEnumeration instead for these groups.

Finally, your FindADUser() function is a little fragile.  First, you need to be calling Dispose() on the DirectoryEntry (in every case, everywhere, all the time on DirectoryEntry).  Use the new "Using" statement in VB.NET or a Try/Finally statement to do this.  Secondly, you are tossing away the error information.  You might be failing for any number of reasons and you are ignoring it...  I suspect when you deploy this code to a production server it will fail and you will not have any idea why.

Answer 4

User1415440864 posted

Once again, thank you for helping.

How do I check the principal? I am using the 2.0. Sorry, I am still kind of a semi-newbie!

Answer 5

User1415440864 posted
Also, that group that im trying to find is not a Builtin.

Answer 6

User1354132231 posted

Once again, thank you for helping.

How do I check the principal? I am using the 2.0. Sorry, I am still kind of a semi-newbie!

The Principal object in this case is HttpContext.Current.User.  Just look at it in your debugger and inspect its members.  It will either be a WindowsPrincipal or one of the others Generic or Forms, depending on how you are authenticating.

Answer 7

User1415440864 posted

I got it!! Thanks!

One more thing, can you give me an example of this?

 "First, you need to be calling Dispose() on the DirectoryEntry (in every case, everywhere, all the time on DirectoryEntry).  Use the new "Using" statement in VB.NET or a Try/Finally statement to do this."

Answer 8

User1354132231 posted
I am not a VB.NET guy, so check out this post by Fritz.  You can also search around and see how to use Try/Finally if you are only on .NET 1.1.

Answer 9

User1415440864 posted
Ok thank you for your help!