restricting access based on Org Unit (OU)

Discussion in 'ASP .Net Security' started by SpaceMarine, May 16, 2008.

  1. SpaceMarine

    SpaceMarine Guest

    Hello,

    I have an ASP.NET 2.0 web app w/ an Active Directory user base that I
    need to lock down -- only one Organizational Unit should be able to
    use the web app.

    So I need to limit my app to only users w/i that Organizational Unit,
    as maintained in our Active Directory by our admins.

    Can anyone point me in the right direction as to how to do this? I
    haven't really been able to find much on what I would have guessed to
    be a common task.


    thanks!
    sm
     
    SpaceMarine, May 16, 2008
    #1

  2. SpaceMarine

    SpaceMarine Guest

    In other words: How do I get a user's OU?

    thanks!
    sm
     
    SpaceMarine, May 16, 2008
    #2

  3. Joe Kaplan

    Joe Kaplan Guest

    This is a non-traditional method of doing authorization against AD as OU's
    are supposed to be used for delegation of administration but not security.
    The best way to do this would be to ask the AD admins to put all the users
    in the OU in question into a group and then just authorize against that
    group using one of the traditional methods.

    That said, if you need to look up a user's OU, you can do that with either
    an LDAP query or via an RPC call using either the DsCrackNames API or the
    ADSI IADsNameTranslate interface (which is just a wrapper around
    DsCrackNames designed in such a way as to make it easy to call for scripting
    clients). IADsNameTranslate is probably the easiest thing although it would
    require you to create some sort of runtime callable wrapper (usually done by
    creating a reference to activeds.tlb).

    If you want to do an LDAP query, that isn't very difficult using
    System.DirectoryServices. The main thing you need to know is what username
    format you will be working with in order to form the query.

    Joe K.
    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "SpaceMarine" <> wrote in message
    news:...
    > In other words: How do I get a user's OU?
    >
    > thanks!
    > sm
     
    Joe Kaplan, May 17, 2008
    #3
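The LDAP route Joe Kaplan describes, as an added example that is not part of the thread and not Joe's code: it resolves the caller's account to its distinguishedName with System.DirectoryServices, takes the parent container of that DN as the user's OU, and compares it with the one permitted OU. It assumes Windows authentication (so the username arrives as DOMAIN\sAMAccountName), that the worker process account may read the domain, and that the OU path in AllowedOuDn is a placeholder to be replaced.

```csharp
// Added example, not from the thread. Looks up a user's OU over LDAP and
// allows only accounts whose parent container is the one permitted OU.
// AllowedOuDn is a placeholder; the DirectoryEntry binds as the worker
// process identity, which therefore needs read access to the domain.
using System;
using System.DirectoryServices;
using System.Text;

public static class OuGate
{
    // Placeholder: the only OU whose direct members may use the app.
    const string AllowedOuDn = "OU=Engineering,DC=example,DC=com";

    // "DOMAIN\user" (Windows auth) -> sAMAccountName, then a safe LDAP filter.
    static string BuildFilter(string identityName)
    {
        int slash = identityName.IndexOf('\\');
        string sam = slash >= 0 ? identityName.Substring(slash + 1) : identityName;
        return "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
               + EscapeFilter(sam) + "))";
    }

    // Escape the characters that carry meaning in an LDAP filter (RFC 4515),
    // so a crafted username cannot widen the search.
    static string EscapeFilter(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Search the default naming context of the domain the server is joined to.
    public static string GetDistinguishedName(string identityName)
    {
        using (var rootDse = new DirectoryEntry("LDAP://RootDSE"))
        {
            string baseDn = (string)rootDse.Properties["defaultNamingContext"].Value;
            using (var domain = new DirectoryEntry("LDAP://" + baseDn))
            using (var searcher = new DirectorySearcher(domain))
            {
                searcher.Filter = BuildFilter(identityName);
                searcher.SearchScope = SearchScope.Subtree;
                searcher.PropertiesToLoad.Add("distinguishedName");
                SearchResult result = searcher.FindOne();
                if (result == null) return null;
                return (string)result.Properties["distinguishedName"][0];
            }
        }
    }

    // The OU is the parent of the DN: everything after the first comma that
    // is not escaped with a backslash (RFC 4514), e.g.
    // "CN=Doe\, Jane,OU=Engineering,DC=example,DC=com" -> "OU=Engineering,DC=example,DC=com".
    public static string ParentContainer(string dn)
    {
        for (int i = 0; i < dn.Length; i++)
        {
            if (dn[i] == '\\') { i++; continue; }   // skip the escaped character
            if (dn[i] == ',') return dn.Substring(i + 1).Trim();
        }
        return string.Empty;
    }

    // Deny unknown accounts and anyone whose parent container is not the OU.
    public static bool IsInAllowedOu(string identityName)
    {
        string dn = GetDistinguishedName(identityName);
        if (dn == null) return false;
        string container = ParentContainer(dn);
        // Exact match on the parent: a user in a child OU such as
        // "OU=Interns,OU=Engineering,..." is refused. Use EndsWith on the
        // container if nested OUs are meant to be allowed.
        return string.Equals(container, AllowedOuDn, StringComparison.OrdinalIgnoreCase);
    }
}
```

Call it as `OuGate.IsInAllowedOu(HttpContext.Current.User.Identity.Name)`. Two things worth keeping in mind when doing it this way rather than with a group: the lookup costs an LDAP round trip per request unless the result is cached, and moving the account to another OU (a routine administrative action) changes the authorization outcome, which is the point Joe raises about OUs not being designed as security boundaries.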
  4. SpaceMarine

    SpaceMarine Guest

    On May 16, 9:24 pm, "Joe Kaplan"
    <> wrote:
    > This is a non-traditional method of doing authorization against AD as OU's
    > are supposed to be used for delegation of administration but not security.
    > The best way to do this would be to ask the AD admins to put all the users
    > in the OU in question into a group and then just authorize against that
    > group using one of the traditional methods.


    I see. I work in a very large organization with thousands of users;
    sub-orgs are placed into Organizational Units, which seems natural
    enough to me.

    That being said, I'll ask our admins if we could perhaps put the OU I
    work for into an AD group.

    How then does one code security against an AD group?


    thanks,
    sm
     
    SpaceMarine, May 19, 2008
    #4
  5. Joe Kaplan

    Joe Kaplan Guest

    There are many methods. If you are using Windows authentication in your
    application, then you can just use the IsInRole method on the
    WindowsPrincipal class. ASP.NET will insert a WindowsPrincipal representing
    the current Windows user into the HttpContext.User property and you can
    access that from anywhere in a web app. You can also put this directly into
    the authorization section of the web.config and just add the role name to
    the appropriate config parameter there (no coding needed).

    If you aren't using Windows auth, then you'll need to get the user's group
    membership programmatically somehow.

    Joe K.
    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "SpaceMarine" <> wrote in message
    news:...
    > On May 16, 9:24 pm, "Joe Kaplan"
    > <> wrote:
    >> This is a non-traditional method of doing authorization against AD as
    >> OU's
    >> are supposed to be used for delegation of administration but not
    >> security.
    >> The best way to do this would be to ask the AD admins to put all the
    >> users
    >> in the OU in question into a group and then just authorize against that
    >> group using one of the traditional methods.

    >
    > I see. I work in a very large organization with thousands of users;
    > sub-orgs are placed into Organizational Units, which seems natural
    > enough to me.
    >
    > That being said, I'll ask our admins if we could perhaps put the OU I
    > work for into an AD group.
    >
    > How then does one code security against an AD group?
    >
    >
    > thanks,
    > sm
    >
     
    Joe Kaplan, May 19, 2008
    #5
  6. SpaceMarine

    SpaceMarine Guest

    On May 19, 3:37 pm, "Joe Kaplan"
    <> wrote:
    > There are many methods.  If you are using Windows authentication in your
    > application, then you can just use the IsInRole method on the
    > WindowsPrincipal class.  ASP.NET will insert a WindowsPrincipal representing
    > the current Windows user into the HttpContext.User property and you can
    > access that from anywhere in a web app.  You can also put this directly into
    > the authorization section of the web.config and just add the role name to
    > the appropriate config parameter there (no coding needed).


    Yeah, we're using Windows authentication. So the AD's "Group"
    assignment directly maps to the User.IsInRole() deal? great! That
    sounds like a pretty good reason to use AD Groups.


    Thanks,
    sm
     
    SpaceMarine, May 19, 2008
    #6
  7. SpaceMarine

    SpaceMarine Guest

    On May 19, 3:37 pm, "Joe Kaplan"
    <> wrote:
    > There are many methods.  If you are using Windows authentication in your
    > application, then you can just use the IsInRole method on the
    > WindowsPrincipal class.  ASP.NET will insert a WindowsPrincipal representing
    > the current Windows user into the HttpContext.User property and you can
    > access that from anywhere in a web app.  You can also put this directly into
    > the authorization section of the web.config and just add the role name to
    > the appropriate config parameter there (no coding needed).


    Tho one question...How does this relate w/ using a Roles provider? I'm
    not sure, but I think an ASP.NET app could still use a custom Roles
    provider, and use the AD Group technique you've mentioned?


    sm
     
    SpaceMarine, May 19, 2008
    #7
  8. Joe Kaplan

    Joe Kaplan Guest

    If you want to use the role provider with Windows authentication, you can
    use the WindowsTokenRoleProvider. It does the same thing as
    IPrincipal.IsInRole in this instance.

    Joe K.
    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "SpaceMarine" <> wrote in message
    news:...
    > On May 19, 3:37 pm, "Joe Kaplan"
    > <> wrote:
    >> There are many methods. If you are using Windows authentication in your
    >> application, then you can just use the IsInRole method on the
    >> WindowsPrincipal class. ASP.NET will insert a WindowsPrincipal
    >> representing
    >> the current Windows user into the HttpContext.User property and you can
    >> access that from anywhere in a web app. You can also put this directly
    >> into
    >> the authorization section of the web.config and just add the role name to
    >> the appropriate config parameter there (no coding needed).
    >
    > Tho one question...How does this relate w/ using a Roles provider? I'm
    > not sure, but I think an ASP.NET app could still use a custom Roles
    > provider, and use the AD Group technique you've mentioned?
    >
    > sm
     
    Joe Kaplan, May 20, 2008
    #8
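The two Windows-group routes Joe Kaplan names in #5 and #8 (WindowsPrincipal.IsInRole plus the web.config authorization section, and the WindowsTokenRoleProvider behind the role manager), as one added example that is not from the thread and not Joe's code. The group name CORP\WebApp-Users is a placeholder, and the web.config fragment in the leading comment assumes IIS has anonymous access disabled for the application so that every request carries a Windows identity.

```csharp
// Added example, not from the thread: gate a Windows-authenticated ASP.NET 2.0
// app on one AD group. "CORP\WebApp-Users" is a placeholder group.
//
// web.config (assumes anonymous access is disabled in IIS for this app):
//
//   <system.web>
//     <authentication mode="Windows" />
//     <authorization>
//       <allow roles="CORP\WebApp-Users" />
//       <deny users="*" />
//     </authorization>
//     <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" />
//   </system.web>
//
// AspNetWindowsTokenRoleProvider is the name machine.config registers for
// System.Web.Security.WindowsTokenRoleProvider.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class GroupGate
{
    // Placeholder. The role name must be DOMAIN\Group: IsInRole resolves the
    // group SIDs in the logon token to NT account names and compares them.
    public const string RequiredGroup = @"CORP\WebApp-Users";

    // Route 1: ask the Windows token directly.
    public static bool CheckWithPrincipal(HttpContext ctx)
    {
        // Use the identity rather than casting ctx.User: once roleManager is
        // enabled ASP.NET wraps the user in a RolePrincipal, and a cast of
        // ctx.User to WindowsPrincipal fails even though the token is there.
        WindowsIdentity wi = ctx.User.Identity as WindowsIdentity;
        if (wi == null || !wi.IsAuthenticated) return false;   // deny by default
        return new WindowsPrincipal(wi).IsInRole(RequiredGroup);
    }

    // Route 2: the role manager. Under WindowsTokenRoleProvider this reads the
    // same group SIDs from the same token, so it agrees with route 1.
    public static bool CheckWithRoleProvider(HttpContext ctx)
    {
        if (!Roles.Enabled || !ctx.User.Identity.IsAuthenticated) return false;
        return Roles.IsUserInRole(ctx.User.Identity.Name, RequiredGroup);
    }
}

// A page that refuses early, before any handler code runs, for callers the
// <authorization> section should already have stopped (defence in depth).
public class SecuredPage : System.Web.UI.Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        if (!GroupGate.CheckWithPrincipal(Context))
        {
            Response.StatusCode = 403;
            Response.End();
        }
    }
}
```

Two caveats a practitioner will hit: the group list comes from the logon token, so adding someone to the AD group takes effect at their next logon, not immediately; and WindowsTokenRoleProvider only answers for the user of the current request, so Roles.IsUserInRole with any other username throws rather than returning false.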
  9. SpaceMarine

    SpaceMarine Guest

    On May 19, 9:05 pm, "Joe Kaplan"
    <> wrote:
    > If you want to use the role provider with Windows authentication, you can
    > use the WindowsTokenRoleProvider.  It does the same thing as
    > IPrincipal.IsInRole in this instance.


    I hadn't heard of that one, thanks for the tip.

    Yeah, I want to use a combo of: 1) the Windows Group for basic
    authentication, and then a role provider for app-level roles. Our
    admins were cool w/ putting the OU into a group, but we both feel
    further roles specific to the app should be self-contained in the app.

    That sound normal? And something that I could do w/ the
    WindowsTokenRoleProvider?


    thanks!
    sm
     
    SpaceMarine, May 20, 2008
    #9
  10. Joe Kaplan

    Joe Kaplan Guest

    You will need a custom role provider if you want additional app specific
    roles as the WindowsTokenRoleProvider only knows about windows groups.

    I'd suggest looking at the AzMan framework for implementing app specific
    roles and permissioning. It is very powerful. It also integrates well with
    AD. I'm pretty sure there is a role provider for it as well, although it is
    more powerful if you use it directly.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "SpaceMarine" <> wrote in message
    news:...
    > On May 19, 9:05 pm, "Joe Kaplan"
    > <> wrote:
    >> If you want to use the role provider with Windows authentication, you can
    >> use the WindowsTokenRoleProvider. It does the same thing as
    >> IPrincipal.IsInRole in this instance.
    >
    > I hadn't heard of that one, thanks for the tip.
    >
    > Yeah, I want to use a combo of: 1) the Windows Group for basic
    > authentication, and then a role provider for app-level roles. Our
    > admins were cool w/ putting the OU into a group, but we both feel
    > further roles specific to the app should be self-contained in the app.
    >
    > That sound normal? And something that I could do w/ the
    > WindowsTokenRoleProvider?
    >
    > thanks!
    > sm
     
    Joe Kaplan, May 21, 2008
    #10
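The custom role provider Joe Kaplan says is needed for app-specific roles, as an added example that is neither from the thread nor Joe's code: a read-only RoleProvider that serves the application's own roles from its own store and also returns the Windows groups from the caller's token, so the AD group gate in web.config keeps working once this provider replaces WindowsTokenRoleProvider. The in-memory table, the user and group names, and the provider name in the configuration fragment are all constructed for the example.

```csharp
// Added example, not from the thread: app-level roles layered on the Windows
// groups already in the caller's token. Sample data and names are constructed.
// Register it as the default provider (names assumed):
//
//   <roleManager enabled="true" defaultProvider="AppRoleProvider">
//     <providers>
//       <add name="AppRoleProvider" type="AppRoleProvider" />
//     </providers>
//   </roleManager>
//
// Then <allow roles="CORP\WebApp-Users" /> still works for the AD group and
// <allow roles="Approver" /> works for an application role.
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class AppRoleProvider : RoleProvider
{
    // Constructed sample store, keyed by DOMAIN\user as Windows auth reports it.
    static readonly Dictionary<string, string[]> Store =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { @"CORP\alice", new[] { "Reviewer", "Approver" } },
            { @"CORP\bob",   new[] { "Reviewer" } },
        };

    public override string ApplicationName { get; set; }

    // RolePrincipal.IsInRole fills its role list from this call, so the Windows
    // groups must be returned here too or the AD gate silently stops working.
    public override string[] GetRolesForUser(string username)
    {
        var roles = new List<string>(WindowsGroupsOf(username));
        string[] appRoles;
        if (Store.TryGetValue(username, out appRoles)) roles.AddRange(appRoles);
        return roles.ToArray();
    }

    // Group SIDs from the token of the current request, trusted only when the
    // token belongs to the user being asked about.
    static IEnumerable<string> WindowsGroupsOf(string username)
    {
        HttpContext ctx = HttpContext.Current;
        WindowsIdentity wi = ctx == null ? null : ctx.User.Identity as WindowsIdentity;
        if (wi == null || !string.Equals(wi.Name, username, StringComparison.OrdinalIgnoreCase))
            yield break;
        foreach (IdentityReference sid in wi.Groups)
        {
            NTAccount account;
            try { account = (NTAccount)sid.Translate(typeof(NTAccount)); }
            catch (IdentityNotMappedException) { continue; }   // orphaned SID: skip
            yield return account.Value;                         // "DOMAIN\Group"
        }
    }

    public override bool IsUserInRole(string username, string roleName)
    {
        foreach (string r in GetRolesForUser(username))
            if (string.Equals(r, roleName, StringComparison.OrdinalIgnoreCase)) return true;
        return false;
    }

    public override bool RoleExists(string roleName)
    {
        return Array.IndexOf(GetAllRoles(), roleName) >= 0;
    }

    // Only application roles are enumerable; Windows groups live in AD.
    public override string[] GetAllRoles()
    {
        var all = new SortedDictionary<string, bool>(StringComparer.OrdinalIgnoreCase);
        foreach (string[] rs in Store.Values) foreach (string r in rs) all[r] = true;
        return new List<string>(all.Keys).ToArray();
    }

    public override string[] GetUsersInRole(string roleName)
    {
        return FindUsersInRole(roleName, "");
    }

    public override string[] FindUsersInRole(string roleName, string usernameToMatch)
    {
        var users = new List<string>();
        foreach (KeyValuePair<string, string[]> kv in Store)
            if (Array.IndexOf(kv.Value, roleName) >= 0 &&
                kv.Key.IndexOf(usernameToMatch, StringComparison.OrdinalIgnoreCase) >= 0)
                users.Add(kv.Key);
        return users.ToArray();
    }

    // Membership is edited with the app's own admin tooling, not through the
    // provider API, so the write members refuse rather than silently no-op.
    public override void CreateRole(string roleName) { throw new NotSupportedException(); }
    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotSupportedException(); }
    public override void AddUsersToRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
}
```

The design keeps the two concerns where the thread lands them: who may enter at all is decided by the AD group, which the admins own, while what a user may do inside is decided by the application's own role table. Because the token is consulted for the AD group, a user removed from the group loses access at their next logon, the same as with WindowsTokenRoleProvider.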