C++ Active Directory Lookup

  • Question

  • Hello,

    I have a web program that is written in C++.  It needs to validate that a user has entered a valid username/password on a web page and validate it against Active Directory.  After the username/password has been validated properly, I need to ensure that the given user belongs to a certain security group within Active Directory.  If they belong to the given group, I will allow them access to the web page.

    Any idea on how to get this done?

    Thanks,
    Chris 

    Tuesday, May 10, 2011 2:33 PM

All replies

  • Hi Chris,

    Based on my understanding, you are looking for a way to access the AD and query the AD objects.

     

    Generally, to access the Active Directory, we use Active Directory Service Interfaces (ADSI), a COM-based programmatic interface for Microsoft Windows Active Directory that allows you to create custom scripts to administer Active Directory. ADSI-enabled scripts are capable of performing a wide range of administrative tasks involving Active Directory. Active Directory administration involves managing the life cycle of directory objects from initial creation, modification, searching to deletion. Here is more detailed information about ADSI: http://msdn.microsoft.com/en-us/library/aa772170(VS.85).aspx and a detailed reference on how to use ADSI at http://msdn.microsoft.com/en-us/library/aa746512(VS.85).aspx

     

    If you are using managed C++, C++/CLI, you may need the .NET version of ADSI.  In the .NET Framework, System.DirectoryServices (SDS) is a namespace that provides simple programming access to LDAP directories such as Active Directory from managed code. System.DirectoryServices is built on the Active Directory Service Interfaces (ADSI) API. For more detailed information, please check http://msdn.microsoft.com/en-us/library/ms817845.aspx

     

    In addition, WMI is another approach for this issue. Windows makes Active Directory accessible through WMI by creating a set of references to every class and object contained in Active Directory. By accessing the Directory Services provider through WMI, you can create WMI-enabled applications that can access the wealth of information contained in Active Directory. You can write a WMI query using either native C++ or managed C++. Here is the WMI reference: http://msdn.microsoft.com/en-us/library/aa384689(VS.85).aspx

     

    Since this is a Windows development issue, for future concerns please visit our Windows Developing forum.

     

    Hope the information helps.

    Yi

     

     


    Yi Feng Li [MSFT]
    MSDN Community Support | Feedback to us
    Get or Request Code Sample from Microsoft
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    • Proposed as answer by Luke-Skywalker Wednesday, May 18, 2011 9:48 AM
    • Marked as answer by Jesse Jiang Thursday, May 19, 2011 5:31 AM
    Wednesday, May 11, 2011 9:50 AM
  • Hello,

    I am writing to check the status of the issue on your side.  Would you mind letting us know the result of the suggestions? 

    Yi


    Yi Feng Li [MSFT]

    • Proposed as answer by Luke-Skywalker Wednesday, May 18, 2011 9:48 AM
    • Unproposed as answer by Luke-Skywalker Wednesday, May 18, 2011 9:48 AM
    Friday, May 13, 2011 3:47 AM
  • Yi,

    Sorry for not getting back to this thread sooner.  Thanks for all of your help!  So far, I have been able to complete the first part of my task, verifying the user's username and password. (I should have mentioned in my original message that I am using unmanaged C++.)  My code is...

    	HRESULT hr;	
    	IADs *pObject;
    
    	hr = ADsOpenObject(L"LDAP://...",
    					  L"cn=*username*,dc=*,dc=*",
    					  L"*password*", 
    					  ADS_SECURE_AUTHENTICATION,
    					  IID_IADs,
    					  (LPVOID*)&pObject); 
    
    	if (SUCCEEDED(hr))
    	{
    		// Verify that user belongs to a specific group...
    
    		pObject->Release();
    	}

    Now, I am in the process of verifying if the given member is part of a security group.  What is the best way to do this?  Utilizing an IDirectorySearch and ExecuteSearch?  I am trying this route to check the memberOf attribute for a given security group but haven't figured it out yet.  Do you have any additional ideas on this?

    Thanks,
    Chris

    Friday, May 13, 2011 7:50 PM
  • I think this blog can help you: http://codebrane.com/blog/?p=722


    NEU_ShieldEdge
    Monday, May 16, 2011 9:25 AM
  • This wasn't quite what I was looking for.  It was great for showing how to create a new active directory user.  I am looking for more on how to check which groups an existing user belongs to.

    Thanks,
    Chris 

    Monday, May 16, 2011 2:27 PM
  • Hi Chris,

     

    I just found some sample code about creating a user in Active Directory

    Example Code for Creating a User

    And

    Example Code for Using the Global Catalog to Find Users in a Forest

     

    I hope this information can help you to solve this problem.

     

    Best regards,

    Jesse


    Jesse Jiang [MSFT]

    • Proposed as answer by Jesse Jiang Wednesday, May 18, 2011 2:25 AM
    • Marked as answer by Jesse Jiang Thursday, May 19, 2011 5:31 AM
    Tuesday, May 17, 2011 7:06 AM
  • Hi,

    Once you have validated the user, instead of iterating through all users using ExecuteSearch(), you can directly open the object for the user whose information is needed, and extract the value of the 'memberOf' attribute, which will be an array if the user belongs to many groups.

    Then iterate through all the values and compare each with the required group. If it is found, the user belongs to that group.

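    HRESULT hr;
    IADs *pObject = NULL;

    // Bind to the user's object with the supplied credentials.
    hr = ADsOpenObject(L"LDAP://...",
      L"cn=*username*,dc=*,dc=*",
      L"*password*",
      ADS_SECURE_AUTHENTICATION,
      IID_IADs,
      (LPVOID*)&pObject);

    VARIANT var;

    VariantInit(&var);

    if (SUCCEEDED(hr))
    {
      // Verify that user belongs to a specific group...

      // memberOf comes back as a single string, or as an array of
      // VARIANTs when the user belongs to more than one group.
      BSTR attr = SysAllocString(L"memberOf");
      hr = pObject->Get(attr, &var);
      SysFreeString(attr);

      //......

      VariantClear(&var);
      pObject->Release();
    }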

    Hope this explanation will help.

     


    Raman
    • Proposed as answer by Jesse Jiang Wednesday, May 18, 2011 2:25 AM
    • Marked as answer by Jesse Jiang Thursday, May 19, 2011 5:31 AM
    Tuesday, May 17, 2011 7:30 AM
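
Added example, not part of the original thread and not Microsoft sample code: one way to do the comparison step described in the reply above, assuming the memberOf values have already been copied out of the VARIANT into strings. NormalizeDn and IsMemberOf are hypothetical helper names and the DNs are constructed sample data; the whole normalized DN is compared, so a group whose name merely starts with the required one, or sits in another OU, is not accepted.

```cpp
#include <cwctype>
#include <iostream>
#include <string>
#include <vector>

// Lower-case a DN and drop insignificant spaces around ',' and '='.
// Backslash-escaped characters (e.g. "\,") are kept and never trimmed.
std::wstring NormalizeDn(const std::wstring& dn) {
    std::wstring out;
    size_t keep = 0;         // out[0..keep) ends in an escaped char: do not trim
    bool skipSpaces = true;  // at the start and right after a separator
    for (size_t i = 0; i < dn.size(); ++i) {
        wchar_t c = dn[i];
        if (c == L' ' && skipSpaces) continue;
        skipSpaces = false;
        if (c == L'\\' && i + 1 < dn.size()) {
            out += c;
            out += static_cast<wchar_t>(std::towlower(dn[++i]));
            keep = out.size();
        } else if (c == L',' || c == L'=') {
            while (out.size() > keep && out.back() == L' ') out.pop_back();
            out += c;
            skipSpaces = true;
        } else {
            out += static_cast<wchar_t>(std::towlower(c));
        }
    }
    while (out.size() > keep && out.back() == L' ') out.pop_back();
    return out;
}

// True only if one memberOf value is exactly the required group's DN.
// Fails closed on an empty list or an empty required DN.
bool IsMemberOf(const std::vector<std::wstring>& memberOf,
                const std::wstring& requiredGroupDn) {
    const std::wstring want = NormalizeDn(requiredGroupDn);
    if (want.empty()) return false;
    for (const std::wstring& dn : memberOf)
        if (NormalizeDn(dn) == want) return true;
    return false;
}

int main() {
    // Constructed sample values, as they might be read from memberOf.
    std::vector<std::wstring> groups = {
        L"CN=WebApp-Users-ReadOnly,OU=Groups,DC=example,DC=com",
        L"cn=webapp-users, ou=Groups, dc=EXAMPLE, dc=com"};
    std::wcout << IsMemberOf(groups, L"CN=WebApp-Users,OU=Groups,DC=example,DC=com") << L"\n";
}
```

memberOf lists only direct memberships: groups reached through nesting, and the user's primary group, do not appear in it, so a check built on it alone will deny such users.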
  • Got it working!  Thanks for all of your help.

    Thanks,
    Chris 

    Tuesday, May 17, 2011 8:02 PM
  • Hello Christopher,

    How did you execute the code? How did you add libraries for execution?

    I am a newbie and need inputs to retrieve an attribute of a user from AD via C++ (not using Visual C++).

    Thanks in advance.

    Regards,

    D. Anand Kumar

    Thursday, May 30, 2013 11:04 AM
  • There is sample code from Microsoft on GitHub; you can try it from the link below.
    https://github.com/Microsoft/Windows-classic-samples/tree/master/Samples/Win7Samples/netds/adsi/activedir

    Windows 7 Font Exception

    Monday, September 3, 2018 9:26 AM