C# code to grant rights in AD using LDAP

  • Question

  • User1757181831 posted

    Hi, I am new to AD. Can someone tell me how to grant read rights to a user on a container in AD? I have the user's DN (e.g. cn=user1,cn=user,dc=mydmain,dc=com) and I want to give read rights to this user on the container: cn=user,dc=mydomain,dc=com.

    I have an object "connection" of type "LdapConnection".

    I have an object "modification" of type LdapModification, which contains "attribute", which specifies the property "acl" to be modified by the user's DN.

    Perhaps a call like this: connection.modify(<container>, modification)

    I need it using C# code.


    Thanks a lot!!

    Monday, March 16, 2009 4:56 AM

All replies

  • User-1557807525 posted

    using System;
    using System.IO;
    using System.Security.AccessControl;

    // Adds an Allow rule for a local group to a folder's access control list.
    public void SetSecurity(string folderPath, string groupName)
    {
        DirectoryInfo objDirectoryInfo = null;
        DirectorySecurity objDirectorySecurity = null;
        FileSystemAccessRule objRule = null;
        try
        {
            objDirectoryInfo = new DirectoryInfo(folderPath);
            objDirectorySecurity = objDirectoryInfo.GetAccessControl();
            objRule = new FileSystemAccessRule(Environment.MachineName + @"\" + groupName,
                FileSystemRights.ExecuteFile,
                AccessControlType.Allow);
            objDirectorySecurity.AddAccessRule(objRule);
            objDirectoryInfo.SetAccessControl(objDirectorySecurity);
        }
        finally
        {
            objDirectoryInfo = null;
            objDirectorySecurity = null;
            objRule = null;
        }
    }

    // ActiveDirectory is not defined in the posted code; it is assumed to be a
    // System.DirectoryServices.DirectoryEntry field declared elsewhere.
    public void AddUser(string groupName, string userName, string password)
    {
        System.DirectoryServices.DirectoryEntry objGroup = null;
        objGroup = ActiveDirectory.Children.Find(groupName, "group");
        System.DirectoryServices.DirectoryEntry objUser = null;
        try
        {
            objUser = ActiveDirectory.Children.Find(userName, "user");
        }
        catch { }
        if (objUser == null)
        {
            objUser = ActiveDirectory.Children.Add(userName, "user");
            //objUser.CommitChanges();
            objUser.Invoke("Put", new object[] { "Description", "Created by LMS for Group " + groupName });
            //objUser.CommitChanges();
        }
        objUser.Invoke("SetPassword", new object[] { password });
        // password never expires prop set ..
        int flags = 0x10000;
        objUser.Invoke("Put", new object[] { "UserFlags", flags });
        // Saves changes that are made to a directory entry to the underlying directory store.
        objUser.CommitChanges();
        objGroup.Invoke("Add", new object[] { objUser.Path.ToString() });
        objGroup.CommitChanges();
        objUser.RefreshCache();
        objUser = null;
        objGroup = null;
    }


    Monday, March 16, 2009 7:36 AM
  • User-1557807525 posted

    Sorry, my code segment got into the wrong shape.

    objRule = new FileSystemAccessRule(Environment.MachineName + @"\" + groupName, FileSystemRights.ExecuteFile, AccessControlType.Allow);

    This is what you are required to modify.

    Monday, March 16, 2009 7:46 AM
  • User1757181831 posted

    Thanks Hari,

    Can you confirm that this code is for granting rights to a container and not a file? Because I did not find the "DN entry of container" as a parameter, that's why I got this doubt. Also, is there a way where I can use the "connection.modify" utility, because I already have an object of type connection (of type LdapConnection)? Somewhere I found this code. I am writing a snippet...

    LdapAttribute attribute = new LdapAttribute("acl", new String[] {<some_code_for_granting rights>});

    LdapModification modification = new LdapModification(LdapModification.ADD, attribute);

    connection.Modify(containerDN, modification);

    As you can see here, I use "containerDN" as the container where a user has to be given read rights... By doing some changes, if it works for AD, then great!!

    Can you help in this direction? It will be very helpful.



    Tuesday, March 17, 2009 1:57 AM
  • User-1557807525 posted

    Yes, my code does. You can give it a try in a local web site.

    Tuesday, March 17, 2009 2:25 AM
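
Added example, not part of the thread and not code from any poster: one way to put an Allow/read entry for a user on an AD container with System.DirectoryServices, using ActiveDirectoryAccessRule (the directory counterpart of the FileSystemAccessRule shown above, which applies to file system objects). The class and method names are hypothetical, the DNs in Main are sample values adapted from the question, and the code assumes a domain-joined process whose account may modify permissions on the container.

```csharp
using System;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

public static class ContainerAcl // hypothetical helper class
{
    // Adds an Allow/GenericRead ACE for the user to the container's DACL.
    // Both DNs are taken as given; a DN with characters that are special in
    // an ADsPath (for example '/') must be escaped by the caller.
    public static void GrantRead(string containerDn, string userDn,
                                 ActiveDirectorySecurityInheritance scope)
    {
        using (DirectoryEntry user = new DirectoryEntry("LDAP://" + userDn))
        using (DirectoryEntry container = new DirectoryEntry("LDAP://" + containerDn))
        {
            // An ACE names its trustee by SID, not by DN, so resolve it first.
            byte[] rawSid = (byte[])user.Properties["objectSid"].Value;
            SecurityIdentifier sid = new SecurityIdentifier(rawSid, 0);

            // Read and write only the DACL. Owner, group and SACL are left
            // alone, so the caller needs WRITE_DAC on the container and
            // nothing broader.
            container.Options.SecurityMasks = SecurityMasks.Dacl;

            ActiveDirectoryAccessRule rule = new ActiveDirectoryAccessRule(
                sid,
                ActiveDirectoryRights.GenericRead,
                AccessControlType.Allow,
                scope);

            container.ObjectSecurity.AddAccessRule(rule);
            container.CommitChanges(); // writes the modified descriptor back
        }
    }

    public static void Main()
    {
        // None = the container object only; use All to cover child objects too.
        GrantRead("cn=user,dc=mydomain,dc=com",
                  "cn=user1,cn=user,dc=mydomain,dc=com",
                  ActiveDirectorySecurityInheritance.None);
    }
}
```

Choosing ActiveDirectorySecurityInheritance.None keeps the grant to the container object itself; widen it only when the user must also read the objects beneath it.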