fine tuning a DirectorySearcher.Filter

Discussion in 'ASP .Net' started by mike, Feb 1, 2007.

  1. mike


    I'm needing a bit of help to fine tune my Filter property for a
    DirectorySearcher. My context here is for a company phone directory. A
    user enters the string they want to search for (in txtSearch) and hits
    the Fire button.

    The problem is that this picks up disabled accounts which I'd rather
    didn't happen. I basically grabbed this string straight from somewhere
    but don't really know what "anr " means.

    ds.Filter = "(&(anr=" & txtSearch.Text & ")(objectCategory=person))"

    I tried to change it to the following

    ds.Filter = "(&(anr=" & txtSearch.Text & ")(objectCategory=person)(AccountDisabled=false))"

    but my search now returns zero results, no matter what. I got this
    property name from the ADSI SDK on microsoft.com.

    Can anyone help?

    Thanks
    Mike
     
    mike, Feb 1, 2007
    #1

  2. Hi Mike

    >I'm needing a bit of help to fine tune my Filter property for a
    >DirectorySearcher. My context here is for a company phone directory.
    >The problem is that this picks up disabled accounts which I'd rather
    >didn't happen. I basically grabbed this string straight from somewhere
    >but don't really know what "anr " means.


    ANR = Ambiguous Name Resolution - this allows you to search for a name
    without explicitly specifying which attribute to look in - it will
    look in the most common ones for you (displayName, givenName, sn,
    sAMAccountName and so forth).

    >ds.Filter = "(&(anr=" & txtSearch.Text & ")(objectCategory=person)(AccountDisabled=false))"


    The idea is right - the syntax is wrong :)

    Unfortunately, the "account disabled" is encoded in the
    "userAccountControl" property in LDAP, and there's no easy and nice
    way to specify that.

    If you look at a good book, e.g. Joe Kaplan/Ryan Dunn's ".NET
    Developer's Guide to Directory Services Programming", you'll find that
    you *can* specify these kinds of filters, too - it's just not very
    pretty.....

    This filter here will select all the DISABLED accounts - that's those
    that have the bit #2 in UserAccountControl set to true.

    (userAccountControl:1.2.840.113556.1.4.803:=2)

    So in your case, you'd want to have the opposite of this:

    ds.Filter = "(&(anr=" & txtSearch.Text & ")(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"


    Hope this works for you

    Marc
     
    Marc Scheuner, Feb 1, 2007
    #2

  3. mike


    Thanks Marc

    Works a treat. I wasn't sure about the ! - I was thinking it might
    have been C# specific. I'm a VB.NET nerd. But it worked. I just don't
    really understand what I've just done, that's all. Might have to check
    out that book you mentioned.

    Cheers
    Mike

     
    mike, Feb 2, 2007
    #3
  4. Hi Mike

    >Works a treat. I wasn't sure about the ! - I was thinking it might
    >have been C# specific. I'm a VB.NET nerd. But it worked.


    No, it's just the rather weird LDAP filter syntax - and that's *not*
    language specific :)

    >I just don't really understand what I've just done, that's all.


    OK, two things: the "userAccountControl" is a general LDAP property
    that every user (and group) object has - it contains a set of flags
    telling you a number of things about a user - including whether the
    account is disabled or not.

    The ugly string of numbers "1.2.840.113556.1.4.803" is another LDAP
    weirdity - it's the "OID" for the "bitwise AND" operation (also called
    LDAP_MATCHING_RULE_BIT_AND).

    So basically, all you're telling the filter here is that the
    "userAccountControl" flag should have bit #2 set to ON - i.e. the
    account should be disabled. Putting a "!" (LDAP NOT) before it just
    negates it.

    Does that make things a bit clearer? It's weird alright - that's what
    pure low-level LDAP looks like :) MS has done a great job at nicely
    abstracting that with ADSI and System.DirectoryServices - it just
    keeps popping up in some odd places.....

    > Might have to check out that book you mentioned.


    Definitely worth a look, and an excellent resource on .NET S.DS
    programming - highly recommended !

    Marc
     
    Marc Scheuner, Feb 2, 2007
    #4
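
Added example, not part of Marc's post: a client-side VB.NET sketch of what the bitwise-AND matching rule in the filter computes, run over constructed userAccountControl values, to show why the bitwise rule is used rather than an equality test on the whole number. BitAndMatches, IsListed and ListedNames are hypothetical names; 2 is the documented ACCOUNTDISABLE flag value.

```vbnet
Imports System
Imports System.Collections.Generic

Module UacBitAndExample
    ' userAccountControl flag for a disabled account (ADS_UF_ACCOUNTDISABLE).
    Const ACCOUNTDISABLE As Integer = &H2

    ' What (attr:1.2.840.113556.1.4.803:=mask) evaluates on the server:
    ' true only when every bit of the mask is set in the attribute value.
    Function BitAndMatches(ByVal value As Integer, ByVal mask As Integer) As Boolean
        Return (value And mask) = mask
    End Function

    ' The thread's clause (!(userAccountControl:1.2.840.113556.1.4.803:=2)):
    ' an entry stays in the phone directory when the disabled bit is NOT set.
    Function IsListed(ByVal uac As Integer) As Boolean
        Return Not BitAndMatches(uac, ACCOUNTDISABLE)
    End Function

    ' Apply the clause to a set of entries (name -> userAccountControl).
    Function ListedNames(ByVal entries As Dictionary(Of String, Integer)) As List(Of String)
        Dim result As New List(Of String)
        For Each kv As KeyValuePair(Of String, Integer) In entries
            If IsListed(kv.Value) Then result.Add(kv.Key)
        Next
        Return result
    End Function

    Sub Main()
        ' Constructed sample entries.
        Dim entries As New Dictionary(Of String, Integer)
        entries.Add("alice", 512)    ' normal account
        entries.Add("bob", 514)      ' normal account + disabled
        entries.Add("carol", 66048)  ' normal account + password never expires
        entries.Add("dave", 66050)   ' as carol, + disabled

        ' An equality filter such as (userAccountControl=514) would exclude bob
        ' but still list dave; the bitwise rule tests the one bit regardless
        ' of which other flags are set.
        For Each kv As KeyValuePair(Of String, Integer) In entries
            Console.WriteLine("{0,-6} uac={1,-6} equals514={2,-6} listed={3}", _
                kv.Key, kv.Value, kv.Value = 514, IsListed(kv.Value))
        Next
        Console.WriteLine(String.Join(", ", ListedNames(entries).ToArray()))
    End Sub
End Module
```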
  5. mike


    Once again, thanks a lot Marc. Some of what you said rings a (rather
    dim) bell or two. I mess around a bit with VBScript, WMI and ADSI -
    this is how I create all my user accounts and was expecting .NET to be
    just as straightforward. I just looked up the AccountDisabled
    property in the ADSI SDK. Alas...

    Ha, I just checked - in this backwater we call Australia, the book is
    even in stock locally.

    Cheers
    Mike

     
    mike, Feb 6, 2007
    #5