Nested LDAP Queries in (.NET4.6) C# using 1.2.840.113556.1.4.1941 syntax

  • Question

  • I am building a console app in C#, .NET 4.6.1, to experiment with LDAP queries using the code below. This is currently on premise, but we'll be moving to Azure soon.

    My code:

    using (var parentEntry = new DirectoryEntry("LDAP://" + Environment.UserDomainName))
    using (var directorySearch = new DirectorySearcher(parentEntry))
    {
        directorySearch.PageSize = 10000;
        directorySearch.Filter = "(objectClass=group)";
        // FindAll() holds unmanaged handles until the collection is disposed.
        using (SearchResultCollection results = directorySearch.FindAll())
        {
            foreach (SearchResult searchEntry in results)
            {
                // Bind once to the returned object; dispose it after reading.
                using (DirectoryEntry entry = searchEntry.GetDirectoryEntry())
                {
                    if (entry.Properties["sAMAccountName"].Value != null)
                    {
                        Console.WriteLine(entry.Properties["sAMAccountName"].Value.ToString());
                    }
                }
            }
        }
    }

    With individual entries returning the values for OU="MyOrg", DC="MyDC", DC="ad".

    Simple flat queries, such as "(objectClass=group)", work fine, but anything more complex involving tree walking always returns an empty set for directorySearch.FindAll().

    I am sure there is an issue in the filter, and have tried the following variants, but I am not sure what I am doing wrong:

    directorySearch.Filter = "(member:1.2.840.113556.1.4.1941:=cn=MyGrp,OU=MyOrg,DC=MyDC,DC=ad)";
    directorySearch.Filter = "(member:1.2.840.113556.1.4.1941:=cn=MyGrp,OU=*,DC=*,DC=*)";
    directorySearch.Filter = "(member:1.2.840.113556.1.4.1941:=cn=MyGrp)";
    directorySearch.Filter = "(member:1.2.840.113556.1.4.1941:=cn=MyGrp)";name; subtree
    directorySearch.Filter = "(memberOf:1.2.840.113556.1.4.1941:=cn=MyGrp,OU=MyOrg,DC=MyDC,DC=ad)";
    directorySearch.Filter = "(memberOf:1.2.840.113556.1.4.1941:=cn=MyGrp,OU=*,DC=*,DC=*)";
    directorySearch.Filter = "(memberOf:1.2.840.113556.1.4.1941:=cn=MyGrp)";
    directorySearch.Filter = "(memberOf:1.2.840.113556.1.4.1941:=cn=MyGrp)";name; subtree

    With the following parameter set or unset for each attempt:

      //     directorySearch.SearchScope = SearchScope.Subtree;

    I wish to query both a user's AD membership and the member / memberOf / groups attributes for mid-tree AD groups (like Group B below):

    Group A
        - Group B
            - Group C
                - User1
                - User2

    I already have a tree walk solution for that, but it's quite slow, and this approach is meant to be quicker.

    All ideas gratefully received.

    I am confident that the problem is in the query filter, but I have never used LDAP queries before.

    Thanks, Richard
    Richard

    Wednesday, October 23, 2019 10:03 AM

Answers

  • Hello Richard Scannell,

    It looks like there are some issues with your LDAP search query.

    I would suggest taking a look at this tutorial for further help on that: https://confluence.atlassian.com/kb/how-to-write-ldap-search-filters-792496933.html

    Specifically for this query:

    (member:1.2.840.113556.1.4.1941:=cn=MyGrp,OU=MyOrg,DC=MyDC,DC=ad)

    You would want it to be like this:

    (&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=cn=mygrp,ou=myou,dc=company,dc=com))

    Adjust accordingly, depending on whether the objectCategory you're looking for is in fact Person.

    Please remember to mark one of the responses as answer if your question has been answered. If not, please let us know if there are any more questions. Thanks

    Thursday, October 24, 2019 12:23 AM
    Moderator

All replies

  • Hi Frank,

    Thanks for the reply. I found that my CN: query was incorrect; it did not contain all the elements I needed. I was treating it as a where clause instead of a path. Once I'd navigated to the correct start record and put its path into the query, everything worked fine.

    Thanks again,

    Richard

    Richard

    Thursday, October 24, 2019 6:30 AM
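Pulling the moderator's filter and Richard's "it is a path, not a where clause" fix together, as an added C# example that is not code from either post: the object's full distinguishedName is resolved first, then spliced (RFC 4515-escaped) into a LDAP_MATCHING_RULE_IN_CHAIN filter, in both directions. The domain, "MyGrp" and "User1" are the question's placeholders; NestedGroupSearch, Escape, ResolveDn and FindInChain are names introduced here.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
static class NestedGroupSearch
{
    // LDAP_MATCHING_RULE_IN_CHAIN: the DC follows member/memberOf links transitively for us.
    const string InChain = "1.2.840.113556.1.4.1941";
    // RFC 4515 escaping for any value spliced into a filter, so a name containing ")(" or "*" cannot rewrite the query.
    static string Escape(string v) => v.Replace("\\", "\\5c").Replace("*", "\\2a")
                                       .Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
    // Richard's fix: the value after ":=" must be the object's full distinguishedName (a path), not "cn=MyGrp".
    static string ResolveDn(DirectoryEntry root, string samAccountName)
    {
        using (var s = new DirectorySearcher(root, "(sAMAccountName=" + Escape(samAccountName) + ")",
                                             new[] { "distinguishedName" }, SearchScope.Subtree))
        {
            SearchResult r = s.FindOne();
            return r == null ? null : (string)r.Properties["distinguishedName"][0];
        }
    }
    // The moderator's filter shape, in both directions: ("memberOf", groupDn, "person") lists users nested
    // anywhere under the group; ("member", userDn, "group") lists every group the user is transitively in.
    static string[] FindInChain(DirectoryEntry root, string attribute, string dn, string category)
    {
        if (dn == null) return new string[0];
        string filter = "(&(objectCategory=" + category + ")(sAMAccountName=*)"
                      + "(" + attribute + ":" + InChain + ":=" + Escape(dn) + "))";
        using (var s = new DirectorySearcher(root, filter, new[] { "sAMAccountName" }, SearchScope.Subtree))
        {
            s.PageSize = 1000; // turn on server-side paging; AD caps a single page at MaxPageSize (1000 by default)
            using (SearchResultCollection results = s.FindAll()) // FindAll holds unmanaged handles: dispose it
            {
                var names = new List<string>();
                foreach (SearchResult r in results) names.Add((string)r.Properties["sAMAccountName"][0]);
                return names.ToArray();
            }
        }
    }
    static void Main()
    {
        using (var root = new DirectoryEntry("LDAP://" + Environment.UserDomainName))
        {
            string groupDn = ResolveDn(root, "MyGrp"); // the group from the question
            foreach (var u in FindInChain(root, "memberOf", groupDn, "person")) Console.WriteLine(u); // User1, User2
            string userDn = ResolveDn(root, "User1");
            foreach (var g in FindInChain(root, "member", userDn, "group")) Console.WriteLine(g);     // Group C, B, A
        }
    }
}
```

The chain matching rule is evaluated entirely on the domain controller and can be expensive on large forests, so keep PropertiesToLoad narrow and the base DN as deep as the data allows.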