User objects cannot be created in the specified container

chand

Hi,

I am using ActiveDirectoryProvider to authenticate users (AD). If I
point my provider to the root of AD, everything works fine.

If I point the provider to a CN which has a group of users under a
nested container under root, I am getting the following error.

Root --> OU1--> OU12--> CN

My connection is pointing to the CN.


"User objects cannot be created in the specified container"

I tried reflecting over the AD provider and found that the provider is
failing at the following method,

// Read the objectClass values of the object the connection string points at
DirectoryAttribute objectClass =
    response.Entries[0].Attributes["objectClass"];
// The provider requires that object to be a valid parent (superior) of user objects
if (!this.ContainerIsSuperiorOfUser(objectClass))
{
    throw new
        ProviderException(SR.GetString("ADMembership_Container_not_superior"));
}
Is there a problem with configuration of AD?

Thanks,
chand
 
Joe Kaplan

What type of object is the CN=xxx object? If it is not an OU or a
container, this won't work. It sounds like you are trying to use a group
object. Groups are not container types.

Joe K.
 
chand

Hi Joe,

Thank you for replying. Yes. CN is a group object. This CN has a list
of members that are allowed to access my application. This
configuration is identical to other CNs used by other applications
like "Business Objects" in the organization.

Unfortunately I don't have much control over the AD configuration. If
we put a test user directly under OU12, everything works. But now our
AD admin is not willing to add each user as a container directly under
OU12. His argument is that this kind of configuration won't allow
users to be under another OU which can be used by some other
application in the organization. I am not sure whether that is a
correct assumption.

Is there any way to configure the AD to give a user access to
multiple OUs without using a group?

Thank you,
chand
 
chand

Hi Joe,

Thank you for replying. Yes. CN is a group object. This CN has a list
of members that are allowed to access my application. This
configuration is identical to other CNs used by other applications
like "Business Objects" in the organization.

Root --> OU1--> OU12--> CN (group)

1. If I point the connection to Root, everything works fine. But this
would allow everyone in the organization to access my application.
The goal is to restrict access to a group of users.

2. If I point the LDAP connection to OU12, I am not getting the above
error. However, the provider's 'ValidateUser' method is returning false for
any member in the CN group. Either this method is not searching the
group or not finding the users in the group. I am using the
sAMAccountName attribute.

3. If we put a test user directly under OU12, everything works. Is
this the only way to configure AD to work with
ActiveDirectoryMembershipProvider? Using the groups under OUs seems to
be the reasonable option as this allows the admin to manage users
without worrying about different applications.

Thank you,
chand
 
Joe Kaplan

Groups are not containers. Groups have membership. These are totally
different things. In order to get users provisioned into the directory,
they will have to be in a container. They can be in only one container in
the hierarchy (think of it like a folder in a file system). Examples of
container classes include organizational units and containers.

Objects can be members of multiple groups. The membership of an object in a
group is not related to its location in the directory hierarchy.

So, you'll need to provision your users to a container. As to how to get
them to be a member of a group, you can do that in code as well, but I don't
think it is supported by the membership provider by default. You would need
to implement that logic yourself.

Joe K.
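Applying Joe's two points in code, as an added example that is not from this thread: the membership provider authenticates against the OU that actually holds the user objects (its connection string in web.config), and group membership is then checked separately as a property of the user and group objects. The domain name, OU path and group DN below are assumed, hypothetical values.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Web.Security;

// Added example, not code from this thread. Assumed (hypothetical) values:
// the web.config ActiveDirectoryMembershipProvider connection string points
// at the OU holding the users, e.g.
//   LDAP://dc.example.local/OU=OU12,OU=OU1,DC=example,DC=local
// the domain is "example.local", and the application group is
//   CN=AppUsers,OU=OU12,OU=OU1,DC=example,DC=local
public static class AdAppAccess
{
    private const string Domain = "example.local";
    private const string AppGroupDn = "CN=AppUsers,OU=OU12,OU=OU1,DC=example,DC=local";

    // True only if the credentials are valid AND the user is in the app group.
    // Authentication is scoped by the container the provider is configured
    // with; authorization is a separate membership check, because membership
    // is a property of the objects, not a location in the directory tree.
    public static bool AuthenticateAndAuthorize(string sAMAccountName, string password)
    {
        // Step 1: the provider looks for a child user object of the configured
        // OU with this sAMAccountName and binds with the supplied password.
        if (!Membership.ValidateUser(sAMAccountName, password))
            return false;

        // Step 2: the group can live anywhere in the directory; only the
        // membership relationship between user and group matters here.
        return IsMemberOfAppGroup(sAMAccountName);
    }

    public static bool IsMemberOfAppGroup(string sAMAccountName)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, Domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, sAMAccountName))
        using (var group = GroupPrincipal.FindByIdentity(ctx, IdentityType.DistinguishedName, AppGroupDn))
        {
            // Fail closed: an unknown user or a mistyped group DN denies access.
            if (user == null || group == null)
                return false;

            // Direct membership check. For nested groups, walk
            // user.GetAuthorizationGroups() instead.
            return user.IsMemberOf(group);
        }
    }
}
```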
 
chand

OK. We made our application users members of a group and assigned
that group to an OU container. And I am using the container as my
connection string. But it appears that the asp.net membership provider
cannot bind the users of that group. It simply returns an invalid login
attempt error. Could it be that the provider doesn't support users of a
group under a container?

Thanks,
chand
 
jimkatoe

> OK. We made our application users members of a group and assigned
> that group to an OU container. And I am using the container as my
> connection string. But it appears that the asp.net membership provider
> cannot bind the users of that group. It simply returns an invalid login
> attempt error. Could it be that the provider doesn't support users of a
> group under a container?
>
> Thanks,
> chand

The users must be child objects of that container for your
configuration to work. As you have it, the Group is a child of the
container, which is not the same thing. The Group is an object, and
users are objects. But the membership of the group is just a
property. Therefore the binds will fail.
 