LDAP query for user information?

  • Question

  • User1801871119 posted

    Hi Folks,

    I am trying to authenticate a user (who opens the web application in a browser) without prompting him to enter a user ID and password.

    Scenario

    This application is for a corporate network, and I have access to an LDAP path which looks like (ldap-server.eu.XXXXXXX.XXX).

    Problem

    After a lot of research I found a few ways of using LDAP, but I still can't figure out how to direct my LDAP query to a particular user without entering a user ID and password, and extract his email etc. information onto my form.

    I used a few examples to test my application but everything failed. Then I tried to point the SearchRoot like this:

        objSearch.SearchRoot = New DirectoryEntry("LDAP://Ldap-Server.eu.xxxxx.xxx")

        ' Commented out, also tried, but it shows an error:
        ' objSearch.SearchRoot = New DirectoryEntry("LDAP://Ldap-Server.eu.xxxxx.xxx/cn=username,cn=domain")

    Then I downloaded the BeaverTail tree viewer and was able to see my list of departments (all users for whom this application will work) in a tree view like this: eu > OU=GBR > OU=Users > CN=surname, firstName.

    So now I know my directory structure, but how do I achieve it, and how do I get the details of this user (email, phone etc.)?

    Any code example or tutorial will be a great help.

    Hope this is clear.

    Thursday, April 19, 2007 6:50 AM

Answers

  • User-319574463 posted

    When running under VS2005 Debug, the process runs under an account at the domain level, whereas the web site normally runs as a local machine account. There are two ways that I know of to handle this problem. Either way involves using an account known to the domain.

    1. Extract the information in AD to a database table(s) using a Windows Service.
    2. Run the web site using a domain-defined account.

    In each case the account must have:
    • A non-expiring password
    • A very complex password like !W3d!f&P6£
    • Logon right disabled

    As this account is defined at the domain level it will be an authenticated domain user and thus able to access AD using LDAP.
    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, May 29, 2007 4:52 AM

All replies

  • User-319574463 posted

    You started well by downloading BeaverTail.

    Have a look at http://www.codeproject.com/dotnet/ActiveDONavigator.asp, an article describing how to connect to an Active Directory database.

    http://www.codeproject.com/aspnet/adsi1.asp - article on using System.DirectoryServices classes in ASP.NET

    http://www.codeproject.com/aspnet/adsi2.asp - article on using the DirectoryServices namespace to enumerate Active Directory users

    If you find better tutorial articles, please post the links here.

    Thursday, April 19, 2007 1:08 PM
  • User-328899591 posted

    Hi friend,

    Try this code; you will get all the details of the users.

        using System;
        using System.DirectoryServices;

        // Ask RootDSE for the domain naming context so the path need not be hard-coded.
        DirectoryEntry entryRoot = new DirectoryEntry("LDAP://RootDSE");
        string domain = (string)entryRoot.Properties["defaultNamingContext"][0];
        string domainpath = "LDAP://" + domain;

        DirectoryEntry searchRoot = new DirectoryEntry(domainpath);
        DirectorySearcher search = new DirectorySearcher(searchRoot);
        search.Filter = "(&(objectClass=user)(objectCategory=person))";

        // Server-side paging: AD hands back at most 1000 entries per page by default.
        search.PageSize = 1000;
        SearchResultCollection resultCol = search.FindAll();

        for (int counter = 0; counter < resultCol.Count; counter++)
        {
            SearchResult result = resultCol[counter];
            // An attribute is missing from the result when the entry has no value for it,
            // so check Count before reading [0].
            string givenName = result.Properties["givenName"].Count > 0 ? (string)result.Properties["givenName"][0] : "";
            string initials = result.Properties["initials"].Count > 0 ? (string)result.Properties["initials"][0] : "";
            string sn = result.Properties["sn"].Count > 0 ? (string)result.Properties["sn"][0] : "";
            Console.WriteLine("{0} {1} {2}", givenName, initials, sn);
        }

    You can get all the details, like:

        [0]: "homemdb"
        [1]: "countrycode"
        [2]: "cn"
        [3]: "msexchuseraccountcontrol"
        [4]: "mailnickname"
        [5]: "msexchhomeservername"
        [6]: "msexchhidefromaddresslists"
        [7]: "msexchalobjectversion"
        [8]: "usncreated"
        [9]: "objectguid"
        [10]: "msexchrequireauthtosendto"
        [11]: "whenchanged"
        [12]: "memberof"
        [13]: "accountexpires"
        [14]: "displayname"
        [15]: "primarygroupid"
        [16]: "badpwdcount"
        [17]: "objectclass"
        [18]: "instancetype"
        [19]: "msmqdigests"
        [20]: "objectcategory"
        [21]: "samaccounttype"
        [22]: "whencreated"
        [23]: "lastlogon"
        [24]: "useraccountcontrol"
        [25]: "msmqsigncertificates"
        [26]: "samaccountname"
        [27]: "userparameters"
        [28]: "mail"
        [29]: "msexchmailboxsecuritydescriptor"
        [30]: "adspath"
        [31]: "lockouttime"
        [32]: "homemta"
        [33]: "description"
        [34]: "msexchmailboxguid"
        [35]: "pwdlastset"
        [36]: "logoncount"
        [37]: "codepage"
        [38]: "name"
        [39]: "usnchanged"
        [40]: "legacyexchangedn"
        [41]: "proxyaddresses"
        [42]: "userprincipalname"
        [43]: "admincount"
        [44]: "badpasswordtime"
        [45]: "objectsid"
        [46]: "msexchpoliciesincluded"
        [47]: "mdbusedefaults"
        [48]: "distinguishedname"
        [49]: "showinaddressbook"
        [50]: "givenname"
        [51]: "textencodedoraddress"
        [52]: "lastlogontimestamp"

    Friday, April 27, 2007 8:22 AM
  • User1801871119 posted

    Hi

    I tried, but it's taking ages to load. I need something fast. Like I said, if I use a user ID and password it works fine.

    But I don't want users to enter a user ID and password. I can get the user ID very easily from the system name (as it's a corporate network I am working in).

    But I can't get the password from anywhere. Or is there any way to query without a password, using the LDAP URL and user ID?

    Hope to hear from you soon.

    Jag

    Tuesday, May 8, 2007 5:30 AM
  • User1801871119 posted

    Hi folks,

    If I use this code it works fine, but I want something where I don't have to use a password. Any help will be appreciated.

        Imports System.DirectoryServices   ' at the top of the code-behind file

        ' Binds with an explicit user ID and password
        Dim rootEntry As New DirectoryEntry(ldapServerName, userID, Password)
        Dim searcher As New DirectorySearcher(rootEntry)
        searcher.PropertiesToLoad.Add("cn")
        searcher.PropertiesToLoad.Add("mail")
        'searcher.PropertiesToLoad.AddRange(New String() {"cn", "mail"})
        'would also work and saves you some code
        searcher.Filter = "(&(anr=jagjot)(objectCategory=person))"

        Dim results As SearchResultCollection
        results = searcher.FindAll()
        Dim result As SearchResult
        For Each result In results
            Me.eName.Text = result.Properties("cn")(0)
            Me.eMail.Text = result.GetDirectoryEntry.Properties.Item("mail").Value
            Me.eEmpNo.Text = result.GetDirectoryEntry.Properties.Item("employeeID").Value
            Me.ePhone.Text = result.GetDirectoryEntry.Properties.Item("telephoneNumber").Value
            Me.eLocation.Text = result.GetDirectoryEntry.Properties.Item("department").Value
            Me.eEtc.Text = result.GetDirectoryEntry.Properties.Item("PhysicalDeliveryOfficeName").Value
            Me.eTitle.Text = result.GetDirectoryEntry.Properties.Item("title").Value
        Next

    Thanks in advance.

    Wednesday, May 9, 2007 5:44 AM
  • User1801871119 posted

    Hi, is there anyone who knows about LDAP? How to retrieve user details without a password.

    (I looked everywhere on the internet, book libraries etc., but no luck.)

    Help GOD.

    Friday, May 25, 2007 5:06 AM
  • User-319574463 posted

    The access required will depend on how your network administrators have configured the LDAP access. Normally a logged-in user on the domain has read-only access. Have you downloaded BeaverTail and tried to run it? I have used BeaverTail to explore the A/D tree, and then used the code to retrieve user details.

    Saturday, May 26, 2007 2:02 AM
  • User1801871119 posted

    Yes. I used it and I can see user information.

    But when I run this code on my local machine (where I am logged on) I can view my user details without a password.

    But when I try from my work colleague's machine it doesn't work (the code is on my local system; I am using the IP address to test from other systems).

    But I can view his login name on his system on my web page (as I am using the login name to populate the user information).

    Thanks in advance.

    Jag

    Tuesday, May 29, 2007 3:19 AM
  • User1801871119 posted

    Hi Folks,

    Here is the code I am using, which works fine when I run it using VS2005 debug (when I press debug it works fine in the IE browser). But when I try the same thing using my localhost/web/page.aspx I get a bad password error. Everything is below, please have a look.

    xxxxxxxx  CODE  xxxxxxxxx

        Imports System.DirectoryServices   ' at the top of the code-behind file

        Private Sub ldapUserInfoOne()
            ' Binds without explicit credentials, i.e. as the account the page runs under
            Dim dirObject As New DirectoryEntry("LDAP://ldap-server.eu.company.net")
            Dim searcher As New DirectorySearcher(dirObject)
            searcher.Filter = "sAMAccountName=" + "yds3k5k3"
            searcher.PropertiesToLoad.Add("cn")
            Dim sr As SearchResult = searcher.FindOne
            Dim strVal As String = sr.Properties("cn").Item(0).ToString
            Response.Write(strVal)
        End Sub

    xxxxxxxxxxxx ERROR xxxxxxxxxxx when run in browser localhost

    Server Error in '/eSupport' Application.

    Logon failure: unknown user name or bad password.

    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

    Exception Details: System.DirectoryServices.DirectoryServicesCOMException: Logon failure: unknown user name or bad password.


    Source Error:

    Line 56: 
    Line 57:         'Make a serach result
    Line 58:         Dim sr As SearchResult = searcher.FindOne
    Line 59: 
    Line 60:         'You'll need to make a string to hold the value and set it to the inumerated value

    Source File: C:\Inetpub\wwwroot\eSupport\LdapFinalTest.aspx.vb    Line: 58

    Stack Trace:

    [DirectoryServicesCOMException (0x8007052e): Logon failure: unknown user name or bad password.
    ]
       System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) +610
       System.DirectoryServices.DirectoryEntry.Bind() +36
       System.DirectoryServices.DirectoryEntry.get_AdsObject() +31
       System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne) +73
       System.DirectoryServices.DirectorySearcher.FindOne() +42
       eSupport.LdapFinalTest.ldapUserInfoOne() in C:\Inetpub\wwwroot\eSupport\LdapFinalTest.aspx.vb:58
       eSupport.LdapFinalTest.Page_Load(Object sender, EventArgs e) in C:\Inetpub\wwwroot\eSupport\LdapFinalTest.aspx.vb:8
       System.Web.UI.Control.OnLoad(EventArgs e) +99
       System.Web.UI.Control.LoadRecursive() +47
       System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1061
    

    Hope to hear from you guys out there.

    Jag

    Tuesday, May 29, 2007 4:38 AM
  • User1801871119 posted

    I cannot use the first method because of the size of AD. It's huge, almost 60,000 employees.

    The second will take me a long time to get through. But that's the only way you mean, right?

    But I wonder (when I print something from my machine on printers, it displays my details on the banner sheet of the printout). How?

    So, there is no other way except a service account at domain level?

    Thanks for your help. I found one tutorial very useful (exactly what you said); it could be useful for other viewers.

    http://support.microsoft.com/kb/329986#top

    Article ID : 329986
    Last Review : May 19, 2005
    Revision : 5.0

    I will close the thread when I have accomplished this goal, with the solution info.

    I cannot sleep unless I solve this problem. It's coming in my dreams now. OHHH. Help.

    Regards

    Jag

    Tuesday, May 29, 2007 7:39 AM
  • User-319574463 posted

    >>I cannot use the first method because of the size of AD. It's huge, almost 60,000 employees.
    Given the size, you will need to break down the query into fetches of no more than 1000 records (this is an LDAP implementation issue).

    >>The second will take me a long time to get through. But that's the only way you mean, right?
    Yes and yes; however, it does have the virtue that it can be done overnight.

    >>But I wonder (when I print something from my machine on printers, it displays my details on the banner sheet of the printout). How?
    This is a good question; however, it is more likely to be answered on one of the MSDN forums.

    >>So, there is no other way except a service account at domain level?
    You need to refer this one to your domain admins, but it is likely that it will have to be a domain account.

    Wednesday, May 30, 2007 1:13 PM
  • User1820087368 posted

    The simple solution is to add the following lines to web.config:

        <configuration>
          <system.web>
            <identity impersonate="true"/>
          </system.web>
        </configuration>

    Wednesday, September 26, 2007 5:30 AM
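A combined worked example, added here and not code from the thread, that applies the impersonation answer above together with the earlier DirectorySearcher code: it takes the logon name from Windows authentication instead of a typed password, and escapes it before placing it in the filter (the thread's code concatenates the account name into the filter unescaped). The class name UserLookup, FindCurrentUser, and the ldapPath value are assumptions.

```csharp
using System;
using System.DirectoryServices;
using System.Text;
using System.Web;

// web.config for this example (assumed, not the thread's file):
//   <system.web>
//     <authentication mode="Windows" />
//     <identity impersonate="true" />
//   </system.web>
public static class UserLookup
{
    // Escapes the characters RFC 4515 reserves inside LDAP filter values, so a
    // logon name taken from the request cannot change the shape of the filter.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Looks up the user the browser authenticated as; ldapPath is a placeholder
    // such as "LDAP://ldap-server.eu.company.net" from the thread.
    public static SearchResult FindCurrentUser(string ldapPath)
    {
        // Windows authentication yields "DOMAIN\sAMAccountName"; keep the account part.
        string logon = HttpContext.Current.User.Identity.Name;
        string account = logon.Substring(logon.LastIndexOf('\\') + 1);
        using (var root = new DirectoryEntry(ldapPath))       // binds with the impersonated token
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                              + EscapeFilterValue(account) + "))";
            searcher.PropertiesToLoad.AddRange(new[] { "cn", "mail", "telephoneNumber", "department" });
            return searcher.FindOne();                        // null when nothing matches
        }
    }
}
```

If the LDAP server is a different host from the web server, the impersonated token cannot be forwarded to it without Kerberos delegation (the double-hop problem), which is why the accepted answer falls back to running the web site under a domain service account.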
  • User238496256 posted

    Similar to this problem, I am also using LDAP for username and password input, but my problem is that when I encounter the error

    Logon failure: unknown user name or bad password.

    it should display a message box to catch the exception. I already tried using this method:

        <customErrors mode="RemoteOnly" defaultRedirect="ErrorPage.aspx">
          <error statusCode="403" redirect="NoAccess.htm" />
          <error statusCode="404" redirect="FileNotFound.htm" />
        </customErrors>

    but it does not work. Any help guys??

    Tuesday, July 8, 2008 10:54 PM
  • User1801871119 posted

    If I understand you right:

    If you are trying to display a message box when an exception is generated, you cannot do it using C# or VB.NET. But you can always redirect your page to a custom error page.

    But your error looks like an authentication error? Please be more clear about what you are after.

    Regards

    Thursday, July 10, 2008 7:16 AM
  • User238496256 posted

    I guess I already figured it out though.. Thanks guys for the input.. [:P]

    Friday, July 11, 2008 3:11 AM