querying AD users

Discussion in 'ASP .Net Security' started by SpaceMarine, Jul 5, 2008.

  1. SpaceMarine

    SpaceMarine Guest

    hello,

    i haven't done any research on this yet and am about to, but i wanted to
    see if anyone had any recommended links on programmatically working w/
    AD users. (namely, looking up all users that begin w/ a certain
    letter, or getting back a list of users matching a first name, etc..)

    i'm building a UI that allows my admin-users to manage other users, it's
    going to be used for securing access to parts of our apps.


    thanks, and i'll post what i find.

    sm
    SpaceMarine, Jul 5, 2008
    #1

  2. SpaceMarine

    SpaceMarine Guest

    SpaceMarine, Jul 6, 2008
    #2

  3. SpaceMarine

    SpaceMarine Guest

    On Jul 6, 11:44 am, SpaceMarine <> wrote:

    >     .Filter = "(objectClass=user)(lastName >= A)"


    actually asterisk wildcards are supported, so it's probably more like

    lastName = A*

    ...will have to play around w/ it in the office.

    sm
    SpaceMarine, Jul 6, 2008
    #3
  4. On Jul 6, 6:50 pm, SpaceMarine <> wrote:
    > On Jul 6, 11:44 am, SpaceMarine <> wrote:
    >
    > >     .Filter = "(objectClass=user)(lastName >= A)"

    >
    > actually asterisk wildcards are supported, so it's probably more like
    >
    >    lastName = A*
    >
    > ...will have to play around w/ it in the office.
    >
    > sm


    Note that if you run it from the ASP.NET application on a server, in
    most cases you may need to implement impersonation in the application,
    before you access the AD.

    http://support.microsoft.com/kb/306158
    Alexey Smirnov, Jul 7, 2008
    #4
  5. On Jul 6, 6:50 pm, SpaceMarine <> wrote:
    > On Jul 6, 11:44 am, SpaceMarine <> wrote:
    >
    > >     .Filter = "(objectClass=user)(lastName >= A)"

    >
    > actually asterisk wildcards are supported, so it's probably more like
    >
    >    lastName = A*
    >
    > ...will have to play around w/ it in the office.
    >
    > sm


    ping
    Alexey Smirnov, Jul 7, 2008
    #5
  6. SpaceMarine

    SpaceMarine Guest

    On Jul 7, 1:29 pm, Alexey Smirnov <> wrote:

    > Note that if you run it from the ASP.NET application on a server, in
    > most cases you may need to implement impersonation in the application,
    > before you access the AD.


    well, i'd like to avoid impersonation if possible. if my DirectoryEntry
    class is instantiated w/ an optional username & password in its
    constructor (a service account given to me by our AD admin), then
    would i no longer need to impersonate?


    sm
    SpaceMarine, Jul 8, 2008
    #6
  7. Paul Clement

    Paul Clement Guest

    On Mon, 7 Jul 2008 20:53:34 -0700 (PDT), SpaceMarine <> wrote:

    ¤ On Jul 7, 1:29 pm, Alexey Smirnov <> wrote:
    ¤
    ¤ > Note that if you run it from the ASP.NET application on a server, in
    ¤ > most cases you may need to implement impersonation in the application,
    ¤ > before you access the AD.
    ¤
    ¤ well, i'd like to avoid impersonation if possible. if my DirectoryEntry
    ¤ class is instantiated w/ an optional username & password in its
    ¤ constructor (a service account given to me by our AD admin), then
    ¤ would i no longer need to impersonate?

    As long as your ASP.NET app is running under an account that has sufficient permissions to query AD
    then you should be fine. W/o impersonation, the default account would be ASPNET (2000, XP) or
    NetworkService (2003 or higher). You can also configure your ASP.NET app to run under a custom least
    privilege account.

    With respect to syntax you would want to include the "and" operator in your query as well:

    .Filter = "(&(objectClass=user)(lastName = A*))"

    The following link should help you with LDAP query syntax:

    http://msdn.microsoft.com/en-us/library/aa746475.aspx


    Paul
    ~~~~
    Microsoft MVP (Visual Basic)
    Paul Clement, Jul 8, 2008
    #7
  8. On Jul 8, 5:50 pm, Paul Clement
    <> wrote:
    > On Mon, 7 Jul 2008 20:53:34 -0700 (PDT), SpaceMarine <> wrote:
    >
    > ¤ On Jul 7, 1:29 pm, Alexey Smirnov <> wrote:
    > ¤
    > ¤ > Note that if you run it from the ASP.NET application on a server, in
    > ¤ > most cases you may need to implement impersonation in the application,
    > ¤ > before you access the AD.
    > ¤
    > ¤ well, i'd like to avoid impersonation if possible. if my DirectoryEntry
    > ¤ class is instantiated w/ an optional username & password in its
    > ¤ constructor (a service account given to me by our AD admin), then
    > ¤ would i no longer need to impersonate?
    >
    > As long as your ASP.NET app is running under an account that has sufficient permissions to query AD
    > then you should be fine. W/o impersonation, the default account would be ASPNET (2000, XP) or
    > NetworkService (2003 or higher). You can also configure your ASP.NET app to run under a custom least
    > privilege account.
    >
    > With respect to syntax you would want to include the "and" operator in your query as well:
    >
    >  .Filter = "(&(objectClass=user)(lastName = A*))"
    >
    > The following link should help you with LDAP query syntax:
    >
    > http://msdn.microsoft.com/en-us/library/aa746475.aspx
    >


    sm, you can also move the code for AD to a separate class library
    DLL, and refer to it from your main ASP.NET application. You would
    need to register that DLL as a COM component (Administrative Tools -
    Component Services) using an account that has sufficient permissions
    to query AD. In this case you would not need to implement impersonation
    within your application and all requests to AD would go through the COM
    Alexey Smirnov, Jul 9, 2008
    #8